IE 0-Day Flaw Used In Chinese Attack 318

Posted by timothy
from the zero-is-where-you-start-counting dept.
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
  • by SillyValley (1721474) on Thursday January 14 2010, @08:55PM (#30773692)
    I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.
  • by Anonymous Coward on Thursday January 14 2010, @09:08PM (#30773820)
    "Personal firewalls" are utter bullshit that can be trivially bypassed by malware. I can, to give but one of many examples, inject a DLL into Internet Explorer and do all my network communication through that.
  • by Anachragnome (1008495) on Thursday January 14 2010, @09:10PM (#30773834)

    That is pure genius.

    There are Sooooo many people that don't know how to find anything on the web without using Google that if Google did stop supporting IE, many of those people would start using Firefox simply to use Google. And that would be a huge foot-in-the-groin for Microsoft, even if it doesn't DIRECTLY benefit Google.

    Methinks it would avoid any anti-trust issues as well.

    Considering the topic of this thread, it might actually help to prevent further Chinese hijinks.

  • by rtb61 (674572) on Thursday January 14 2010, @09:11PM (#30773856) Homepage

    M$ profits and restricted access to the source code is the problem. Once you started dumping the closed source code onto essential technology infrastructure and only basically released the code to governments, especially those governments that oppose the concept of a modern democracy, well, guess what those governments would do with the bugs they find. Greed versus patriotism, let me guess which took the back seat in dealing with unstable undemocratic governments and corporate profits. Open source can have similar problems, but then if you work hard to secure open source (considering it is a globally shared effort) whilst your victims stick with closed source you have got a major advantage, especially when major corporations peddling closed source proprietary code absolutely will not fix bugs unless they have to, cost versus profit.

    The most troublesome thing about this: does anyone believe that the government of China used the best back door bugs for this little operation, or did they just use one they knew would be discovered and thwarted relatively quickly, but not before they had got what they were after? I can see this getting rapidly out of hand, especially as countries shift to audited FOSS code; they have a limited 'window' of opportunity to exploit their zero day exploits.

  • No real fix... (Score:5, Interesting)

    by Aoet_325 (1396661) on Thursday January 14 2010, @09:12PM (#30773872)

    Sadly, Microsoft doesn't seem to have anything you can do to fix this.
    http://www.microsoft.com/technet/security/advisory/979352.mspx [microsoft.com]
    It seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reduce the damage done after IE runs the malicious code on your system.

    What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.

    '0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.

    I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers), or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this? Did the attackers spend months building a strong level of trust with the people at these companies, or did someone click on an E-card?

  • citation needed (Score:1, Interesting)

    by Anonymous Coward on Thursday January 14 2010, @09:16PM (#30773904)

    Please give an example of something that breaks with Firefox simply installed. On any OS.

  • Re:Not PDFs? (Score:4, Interesting)

    by Anachragnome (1008495) on Thursday January 14 2010, @09:18PM (#30773912)

    "Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all."

    I can't help but wonder if Firefox AND Foxit would have prevented this.

  • by spinkham (56603) on Thursday January 14 2010, @09:18PM (#30773918)

    Honestly, there are major flaws in all browsers all the time, they're really complicated software and are the most exposed part of the computer at the moment, so lots of research is put into finding flaws.

    The two continuing problems are:
    1) The use of old versions. IE 6 sucks. No way around it. IE 7 sucks less, and IE 8 has a mix of good and bad things.
    2) The time between updates. Some known IE bugs go unpatched for a long time, with about a 1 month minimum exploitation window, and often quite a bit longer. FF and especially Chrome are MUCH better about pushing out patches and getting their users to upgrade.

  • Re:?Senior? (Score:0, Interesting)

    by Anonymous Coward on Thursday January 14 2010, @09:30PM (#30774006)
    Some of us don't have a stick up our ass about using MS products. Some of us have never gotten a virus. Some of us are smart enough not to download every bit of malware that has a purple ape attached to it.
  • It is worth noting that unless you specifically exclude IE8 from DEP (or disable DEP globally) then it is not vulnerable to this attack. You can also enable DEP (either via opt-in or by switching the default behavior system-wide to opt-out) for the previous IE versions.

    Nonetheless, it's possible that the vulnerability was discovered in the manner you suggest. I'm not sure they saw the IE8 code, but if the same vulnerability is used on all versions it's probably in code that hasn't changed in a while.

  • by fluffy99 (870997) on Thursday January 14 2010, @10:10PM (#30774326)

    Make no mistake, China is aggressively attacking foreign systems and common software. They are stockpiling these zero-day exploits as potential weapons. They use one until it's discovered and patched, then wait until they have another high priority and then unwrap the next one.

    When you see Symantec or Microsoft reporting an "undisclosed source" on new vulnerabilities, it's usually our own government that reported it after investigating a compromise. It's damn scary just how far the Chinese have wormed into the US corporate and military systems. For now they are content to quietly steal data and technology, but we're in deep shit if China decides to turn malicious. They have the power to level the US financial systems, military supply lines, utilities, etc which would quickly ruin the US. The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.

  • by lien_meat (1126847) on Thursday January 14 2010, @10:12PM (#30774338)
    I see another scenario... Google stops supporting IE, Microsoft is justified in forcing bing as the default search on ANY IE install, all the people who just use IE cause it's installed (quite a few I believe) will use bing, and see how pretty bing is, and be seduced into thinking google is crap. (bing does look good, I prefer google though, for many reasons) So if anything, I believe a move like that would hurt them.
  • by Ilgaz (86384) on Thursday January 14 2010, @11:53PM (#30775086) Homepage

    This is a real mysterious thing for me since I enable DEP in all kinds of configurations, even including Virtual Machines. I use Windows mostly for critical/complex device driven things like phone firmware updates, backups which means dozens of drivers installed.

    I also print via Bonjour under Windows, using an Airport USB shared Epson Laser printer which has a very complex driver.

    There hasn't been a single issue I have seen regarding DEP being enabled for all programs. Even AntiVirus programs don't complain.

    So, as we all know, some companies are "more equal" (look to Adobe/Carbon/OS X), which product likely prevents Microsoft from enabling it by default?

    According to Wikipedia, Apple enabled DEP-like technology back in OS X 10.4.0 days and nobody even noticed it. I am not seeing any mysterious crashes or performance issues, even with software based DEP. So, why on earth is DEP defaulting to off?

  • by spinkham (56603) on Friday January 15 2010, @01:13AM (#30775490)

    Honestly, if you think you can just slap a few open pieces of software together and have a secure functioning browser, you're smoking something. There's a reason there's only 4 browser engines, and that's because it's *hard*.

    Firefox is NOT doing well at producing a secure browser. They patch faster than IE, but every Mozilla 3.5 release has between 2 and 6 critical (read: likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html [mozilla.org]

    Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.

    Just ran sloccount [dwheeler.com] on firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, the Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers.
    The average code has about .5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.

    Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) largely reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have less custom parsers, but upstream bugs still do affect them.

    The point of this isn't to say that Firefox or Chromium is worse than IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse than the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.

  • by westyvw (653833) on Friday January 15 2010, @02:16AM (#30775806)

    The bigger question is: they can see the pain IE6 is causing them through lock-in, yet they think their next salvation is to write apps using Silverlight?

  • by ILuvRamen (1026668) on Friday January 15 2010, @02:20AM (#30775826)
    What they also used in conjunction with it was the old "hey, click on this" security hole. NPR reported that they sent out "convincing" e-mails and got the morons to click on it. Who cares if it autoinstalled with a 0 day flaw by visiting the page. That wouldn't have happened if the stupid people hadn't fallen for the same old e-mail tricks.
  • DEP setting in IE? (Score:3, Interesting)

    by Askmum (1038780) on Friday January 15 2010, @03:45AM (#30776170)

    In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions.

    To my knowledge, DEP is a setting in Windows, not in IE. Does Microsoft not know its own product, or is this some different setting?

  • by Anonymous Coward on Friday January 15 2010, @04:55AM (#30776494)

    Don't be daft, China already owns a large chunk of the US and won't want to hurt its investment.

    You can't have a national debt without someone doing the lending.

  • Re:Nice spin ! (Score:3, Interesting)

    by msclrhd (1211086) on Friday January 15 2010, @05:11AM (#30776576)

    Numbers are largely irrelevant. Any code will have bugs, and a percentage of those will be security issues. Yes, careful design and reviews can and will reduce the number of bugs, but will not eliminate them. Especially for a complex system that has a large codebase with multiple components interacting with each other, and with external libraries and components.

    FLOSS does not refute this.

    What is more interesting is:
    1/ Is the fact that a larger number of vulnerabilities are found in Firefox and Chrome because their source code is there for people and researchers to examine, instead of being known only to the company producing the closed source product because that company views any of these issues to be a low priority?
    2/ How quickly do the security issues get fixed?
    3/ How quickly after the fix is created does it get pushed out as a release?
    4/ How quickly do customers get the fix?
    5/ How many customers are left running an unpatched system?
    6/ What are the tools (valgrind, sparse, dehydra, coccinelle, coverity) like for tracking down these types of issue?

  • by master_p (608214) on Friday January 15 2010, @07:36AM (#30777270)

    And most security flaws are due to the programming language used. Isn't it time to use another language? It even makes economic sense to CREATE a new language, since it will be used in so many projects afterward. Here are some of the vulnerabilities:

    -Integer overflow, crash in libtheora video library
    -Memory safety fixes in liboggplay media library
    -Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
    -Upgrade media libraries to fix memory safety bugs
    -Heap buffer overflow in string to number conversion
    -Heap buffer overflow in GIF color map parser
    -Crash in proxy auto-configuration regexp parsing
    -Crash with recursive web-worker calls
    -TreeColumns dangling pointer vulnerability
    -Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
    -Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
    -Heap overflow in certificate regexp parsing
    -Heap/integer overflows in font glyph rendering libraries

    See what the errors are? Buffer overflows, integer overflows and out of bounds array accesses. This is because the language used to program this monster of a project does not correctly handle overflows and out of bounds indexes.

    How many billions of dollars should be lost in security problems before we realize that a major problem in writing secure software is the programming language? (please no 'it's the programmer's fault stupid' comments. The point here is to help the programmer community write secure programs, not promote the few god programmers that know how to do it without introducing any security problem).
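    As an added example (not code from this thread, from Mozilla, or from any browser), here is a toy colour-map parser in C that shows the three bug classes the list above keeps repeating, an integer overflow in a size computation, a heap buffer overflow from an unchecked copy, and an out-of-bounds array index, beside a hardened version that rejects the same inputs. The input format (4-byte little-endian entry count followed by count * 3 bytes of RGB) and all function names are constructed for this illustration.

```c
/* Added example, not code from the thread or from Mozilla: a constructed
 * "colour map" parser illustrating integer overflow, heap buffer overflow and
 * out-of-bounds indexing, with the hardened form beside the unsafe one.
 * Constructed input format: 4-byte little-endian entry count, then
 * count * 3 bytes of RGB entries. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define BYTES_PER_ENTRY 3u

typedef struct {
    uint32_t count;   /* number of RGB entries */
    uint8_t *rgb;     /* count * 3 bytes, heap allocated */
} colormap_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe size computation (shown, deliberately never used to allocate):
 * count * 3 is evaluated in 32 bits, so count = 0x55555556 wraps to 2. A parser
 * that did malloc(unsafe_alloc_size(count)) and then copied count * 3 bytes
 * would write far past the end of a 2-byte heap block. */
uint32_t unsafe_alloc_size(uint32_t count) {
    return count * BYTES_PER_ENTRY;   /* wraps silently on overflow */
}

/* Hardened parser: checks the multiplication for overflow before allocating,
 * and checks that the input actually contains the bytes about to be copied.
 * Returns 0 on success, -1 on malformed input (nothing allocated in that case). */
int parse_colormap(const uint8_t *buf, size_t len, colormap_t *out) {
    if (len < 4) return -1;
    uint32_t count = read_le32(buf);
    /* Overflow check on the size computation (catches the wrap on 32-bit size_t;
     * on 64-bit the product fits, and the length check below rejects it instead). */
    if (count > SIZE_MAX / BYTES_PER_ENTRY) return -1;
    size_t need = (size_t)count * BYTES_PER_ENTRY;
    if (need > len - 4) return -1;          /* input shorter than the declared table */
    uint8_t *rgb = malloc(need ? need : 1);
    if (!rgb) return -1;
    memcpy(rgb, buf + 4, need);             /* copy exactly what was validated */
    out->count = count;
    out->rgb = rgb;
    return 0;
}

/* Bounds-checked lookup: a palette index taken from pixel data must be
 * validated against the table's real size or it becomes an out-of-bounds read.
 * Returns 0 on success, -1 if idx is outside the map. */
int colormap_lookup(const colormap_t *cm, uint32_t idx, uint8_t rgb[3]) {
    if (idx >= cm->count) return -1;
    memcpy(rgb, cm->rgb + (size_t)idx * BYTES_PER_ENTRY, BYTES_PER_ENTRY);
    return 0;
}

void colormap_free(colormap_t *cm) {
    free(cm->rgb);
    cm->rgb = NULL;
    cm->count = 0;
}

int main(void) {
    /* Constructed inputs for the demonstration. */
    const uint8_t good[]      = { 2,0,0,0,  255,0,0,  0,255,0 };   /* 2 valid entries */
    const uint8_t truncated[] = { 2,0,0,0,  255,0,0 };             /* claims 2, carries 1 */
    const uint8_t huge[]      = { 0x56,0x55,0x55,0x55,  0,0,0 };   /* count wraps to 2 in 32 bits */
    colormap_t cm;
    uint8_t px[3];

    printf("unsafe size for 0x55555556 entries: %u bytes\n", unsafe_alloc_size(0x55555556u));
    printf("good input:      %d\n", parse_colormap(good, sizeof good, &cm));
    printf("lookup index 1:  %d (%u,%u,%u)\n", colormap_lookup(&cm, 1, px), px[0], px[1], px[2]);
    printf("lookup index 2:  %d (rejected, out of bounds)\n", colormap_lookup(&cm, 2, px));
    colormap_free(&cm);
    printf("truncated input: %d (rejected)\n", parse_colormap(truncated, sizeof truncated, &cm));
    printf("huge count:      %d (rejected)\n", parse_colormap(huge, sizeof huge, &cm));
    return 0;
}
```

    The same three checks (overflow-safe size arithmetic, validating input length before a copy, and validating every index against the real table size) are what a language with checked arithmetic and bounds-checked arrays performs automatically; in C each one has to be written and reviewed by hand, which is the cost the post above is pointing at.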

  • by FlyingBishop (1293238) on Friday January 15 2010, @10:02AM (#30778316)

    It is the programmer's fault. Dijkstra is smarter than you. [utexas.edu]

    The programmers could have chosen to add bounds checking, etc. to their programming. However, they did not, because that shit is slow.

    People have been trying to create a new language that made all their problems disappear for 5 decades. It's not going to happen. It's the height of naiveté to believe otherwise.

  • I am fascinated by your ideas and would like to subscribe to your newsletter.

    It's damn scary just how far the Chinese have wormed into the US corporate and military systems

    That would be scary if I didn't think you were just making that up.

    The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.

    Orrr... the Chinese don't actually have the godlike capabilities you ascribe to them.
