IE 0-Day Flaw Used In Chinese Attack 318
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
A major security flaw in IE? (Score:5, Funny)
This is unheard of!
Re:A major security flaw in IE? (Score:5, Funny)
No no no, you aren't seeing it.
Google can stay in China, or pull out, or do whatever its nefarious plan is, and now they can BLAME MICROSOFT!
Don't you know what this means?!?!?!?!?!?
Clearly this is all an elaborate ruse to market Chrome!
Re:A major security flaw in IE? (Score:5, Funny)
Google can stay in China, or pull out,
It's far too late for Google to pull out of China. It should have known that the pulling-out method is not a reliable form of birth control, and now it needs to take responsibility for it and China's love child, Baidu.
Re: (Score:2)
Confused by Microsoft P.R.? (Score:5, Insightful)
Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:
"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:
'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'
At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) [microsoft.com] tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:
"... Internet Explorer 7 and Internet Explorer 8 on
At present, here is the full, confusing paragraph from that Microsoft web page:
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com]. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.
Re: (Score:2)
It's far too late for Google to pull out of China.
So exactly what is google going to do to China now?
Re: (Score:2, Interesting)
M$ profits and restricted access to the source code is the problem. Once you started dumping the closed source code onto essential technology infrastructure and only basically released the code to governments, especially those governments that oppose the concept of a modern democracy, well, guess what those governments would do with the bugs they find. Greed versus patriotism, let me guess which took the back seat in dealing with unstable undemocratic governments and corporate profits. Open source can have
Re:A major security flaw in IE? (Score:5, Informative)
http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com]. The microtrolls are bad enough of the mods but leave the out and out lies alone it looks silly.
Re: (Score:3, Informative)
Apparently they did -- or at least let them inspect/study it:
http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com]
Large national governments actually have enough leverage to get access to sourcecode that's not publicly available.
Re: (Score:2, Insightful)
Re:A major security flaw in IE? (Score:4, Informative)
Re:A major security flaw in IE? (Score:4, Interesting)
Honestly, there are major flaws in all browsers all the time, they're really complicated software and are the most exposed part of the computer at the moment, so lots of research is put into finding flaws.
The two continuing problems are:
1) The use of old versions. IE 6 sucks. No way around it. IE 7 sucks less, and IE 8 has a mix of good and bad things.
2) The time between updates. Some known IE bugs go patched for a long time, with about a 1 month minimum exploitation window, and often quite a bit longer. FF and especially Chrome are MUCH better about pushing out patches and getting their users to upgrade.
Re: (Score:3, Insightful)
browsers... are really complicated software
Uh, no, not really. It is not that difficult to manage the standard Internet protocols, nor is that hard to construct a DOM and render from it. Add a plugin interface for all the other stuff and you've still got a basically simple browser, that you can make as complex as you need or want.
I think you might be looking at IE as a sample of one, and extrapolating incorrectly from there. IE was designed intentionally to be a core part of the OS, in order to get around a court decision that MS didn't like. By f
Re:A major security flaw in IE? (Score:5, Insightful)
Oh really? Tracing JIT JavaScript interpreters are trivial? Parsing PNG, GIF, JPEG, SVG, and even more image formats is trivial? The rules for the same origin policy including inheritance to iframes and the like, cross domain access, content encoding, proxies, plugins, memory management, not to mention multiple tabs with concurrent access to all these things.. All these are all trivial to you? Man, I'd use your browser in a second, because no one else can manage the complexity. The standards are nice as far as they go, but not complete and there's lots of legacy crap out there. HTML 5 does codify better parsing behavior and other thigns that have been missing for the standard, but still doesn't cover everything.
For a very quick overview that just grazes the surface on how hard this stuff is, see the Browser Security Handbook [google.com] by Michal Zalewski.
Firefox lists 35 security flaws in Firefox 3.5 alone, and that's only been out since June.
Yes, ActiveX is/was/will be a bad idea, but at least it requires a click through now, and runs with DEP in IE 8. Plugins have the same problems on native code for Firefox and the other browsers too, now that Firefox has market share starting to see a rise in plugins and security flaws there instead.
Now, I'm not a Windows or IE fanboy, actually I hate the darn thing and run Firefox most of the time. But I do break web software for a living, and know how complex this stuff is and how nobody has it right. Both IE and Chrome have added some interesting security features lately to help contain flaws when they do occur, but nobody has yet written perfect software and there will continue to be security flaws in all browsers.
Re:A major security flaw in IE? (Score:5, Insightful)
The format is trivial, but oddly enough a secure parser is not.
One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.
See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 [mozilla.org] for more details.
Java and windows have also had GIF parsing security bugs in the past:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1 [sun.com]
http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html [checkpoint.com]
Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small faction of the potential bugs in any web browser.
This is why security is hard: Secure software is perfect software, and we don't write perfect software.
Re:A major security flaw in IE? (Score:5, Interesting)
Honestly, if you think you can just slap a few open piece of software togeather and have a secure functioning browser, you're smoking something. There's a reason there's only 4 browser engines, and that's because it's *hard*.
Firefox is NOT doing well at producing a secure browser. They patch faster the IE, but every Mozilla 3.5 release has between 2 and 6 critical(read likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html [mozilla.org]
Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.
Just ran sloccount [dwheeler.com] on firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, the Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers. .5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.
The average code has about
Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) largely reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have less custom parsers, but upstream bugs still do affect them.
The point of this isn't to say that Firefox or Chromium is worse then IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse then the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.
Re: (Score:3, Insightful)
The shuttle software is near perfect, and it cost about $1000 per line to write. Average commercial code is crap and costs about $18 a line to write.
Also, with the rate of change in a web browser at the moment, I don't think you could write a perfect one even at 50x the cost, because projects don't scale that well.
All comes back to:
Fast, cheap, good. Choose two. Same as any other profession.
Re: (Score:3, Insightful)
Not only does MSIE being "folded into" the OS make it more difficult to debug, Microsoft have also developed a policy of updates according to the calendar. Most other software tends to follow a "when needed" approach to bug fixes.
Re: (Score:2)
Some known IE bugs go patched for a long time,
I think you meant "unpatched".
No, I'm pretty sure he was talking about IE.
Re:A major security flaw in IE? (Score:5, Funny)
This is unheard of!
Until it gets reported or exploited, then everyone knows about it.
Re: (Score:2, Funny)
I've been using IE for years and my computer has never been hacked once. On the other hand people keep breaking into my bank account, web mail, and stealing my card information. Man, I just wish someone would protect those things like IE protects my computer.
You know what this means (Score:3, Insightful)
Clearly instead of (or at least as well as) pulling out of China, Google should stop supporting MSIE.
And declare cyber-war on Microsoft. :P
Re: (Score:3, Insightful)
Why is Google even using IE? They have their own web browser. They should be eating their own dog food.
Re: (Score:3, Insightful)
Why is Google even using IE? They have their own web browser. They should be eating their own dog food.
Google hardly even uses Windows AFAIK. The IE vulnerability victims are likely the people who had their accounts attacked.
Re: (Score:2)
Re:You know what this means (Score:5, Interesting)
That is pure genius.
There are Sooooo many people that don't know how to find anything on the web without using Google that if Google did stop supporting IE, many of those people would start using Firefox simply to use Google. And that would be a huge foot-in-the-groin for Microsoft, even if it doesn't DIRECTLY benefit Google.
Methinks it would avoid any anti-trust issues as well.
Considering the topic of this thread, it might actually help to prevent further Chinese highjinks.
Re: (Score:2, Interesting)
Re: (Score:3, Funny)
When Ballmer said he was going to "f*ck!ng kill Google," you all just laughed (and dodged the occasional chair.)
But who's laughing now, Sergei? Who's laughing now?
More than just IE (Score:5, Informative)
If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.
So IE is partially to blame, but you can't just say that this is MS's fault.
Re:More than just IE (Score:5, Insightful)
Even if it were 100% microsoft, zero-days happen. The only problem is that with MS, they're 31 days, not zero days.
Re: (Score:2)
Exactly.
The attacks were targeted against specific folks, those whose computers were targeted for being compromised. "Spear Phishing"(dang that sounds stupid) is what it resolved around, they just happened to use a few zero-exploits to carry it out.
Re:More than just IE (Score:5, Funny)
You really are new here. Of course it was all Microsoft's fault. ;)
Re:More than just IE (Score:4, Funny)
you can't just say that this is MS's fault
Of course we can, this is Slashdot!
It's not stupidity (Score:5, Insightful)
Re: (Score:3, Informative)
Re:It's not stupidity (Score:5, Insightful)
Re:It's not stupidity (Score:4, Insightful)
The hard part is to understand just how long it takes to get a bug fixed!
I'm a developer. I write code, lots and lots of code. I'm responsible for a FARKING HUGE pile of code that I maintain for a vertical app with over 100 good-sized customers at a small software company. Our developers crank out code - reams and reams of code! we crank through the bugfixes like there's no tomorrow, and the speed of development is somewhere between crazy and insane.
But, when you leave this frenetic pace of development, when you leave the zone of developers, and enter the realm of corporate America, you find a completely different world inhabited not by crackerjack coders, but by "IT". People who don't write code, who don't craft solutions, and for whom a bug is a big deal.
These people don't create solutions, they implement them. They spend lots of time doing research. Addressing a single bug can take days, maybe weeks of time, and certainly not hours! And given this very high cost of bug management, being conservative is suddenly very valuable!
So, when we decide to switch, for example, from Firefox to Chrome, the only consideration is the bugs we'll find, and any we find we can take care in anywhere from hours to minutes, because we wrote the code in the first place, and it's not a big deal to fix.
But if you didn't write the code, if it's all gibberish to you anyway, and it's your job to get stuff to work anyway, you become very, very conservative very quickly. A solution may work with IE 6, and may only need a few CSS declarations and maybe a tweak to the .js file to work properly with Firefox/Chrome/IE8, but if you don't know how to make those slight changes, you don't change a goddamn thing.
Slashotters and other coders would do well to understand these people, as they are many and often in control of the purse strings of potential clients! They are the logical oppositve of the developer: risk averse, terrified of change, and work to avoid anything "interesting" anywhere possible.
Re:It's not stupidity (Score:5, Informative)
According to TFA, this vulnerability was in IE6.
No, only IE 5.01 SP4 and IE 8 are not vulnerable without enabling "data execution prevention." The attackers apparently targeted IE 6, but nearly all other versions can be compromised.
From TFA:
"A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn't say when an update would be released that patches the vulnerability."
Re: (Score:2)
"According to TFA, this vulnerability was in IE6."
TBH, I haven't read TFA. If TFA says the vulnerability was in IE6 alone, then I think TFA errs. I've read through 3 different related articles before seeing it come up here on slashdot. The vulnerability is also in IE7 and IE8. The fix is really simple - put your IE security settings up to maximum to prevent any DirectX from running, unless you specifically approve of it.
Of course, having your security settings on max is a real hassle. On my XP virtual
Re:It's not stupidity (Score:5, Insightful)
Fixed that for you. Warning overload is one of the biggest problems facing computer security today. Since so many of the warnings the average user is bombarded with are meaningless, the genuine threats get lost in the noise and are ignored.
See also: The boy who cried "wolf".
Re:It's not stupidity (Score:4, Funny)
That's one point of view. Another is, after 4 to 6 warnings, no one can claim to have been hit by a "drive by" without any warning at all.
"Look here, stupid. Firefox warned you TWICE that some unknown software could be malware. After which, Windows warned you twice. Look at the logs. You dismissed all four warnings, and purposefully installed this crap onto this machine. I think that we should go up front, and speak to the boss about your willful, and deliberate violation of company rules and policies."
An incident or six like this would probably motivate some people to READ the warnings, and give them at least a passing thought.
Re: (Score:2)
> Warning overload is one of the biggest problems facing computer security today. Since so many of the warnings the average user is bombarded with are meaningless, the genuine threats get lost in the noise and are ignored.
But... we're at code Yellow today! How can you ignore warnings when we are at code Yellow?
I agree BUT (Score:2)
There's not really a good way around it. The problem is that for real security separation, you are going to have a lot of "Can I have permission to do this?" type requests. That's the only way it works properly. If you implement ways around it, then other programs can make use of that. A good example would be the solution some Linux distros take to sudo/root type stuff. If you are configuring things, you often get asked a lot to escalate and people get mad about it. So instead, when you escalate, they cache
Re: (Score:2, Offtopic)
SharePoint 2010 does not fully support IE 6.0. It is a down-level browser. SharePoint 2010 does fully support FireFox, Chrome, Safari, and Opera.
Just thought you'd be happy to know.
Re: (Score:2)
Re:It's not stupidity (Score:4, Funny)
Right ... in the same way that you are no worse than the typical moron that would make such a statement.
Not IE, Adobe's PDF Reader 0 day Flaw (Score:5, Informative)
From the article in this post: The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks .
I love the "probably"
Re: (Score:2)
Re: (Score:2, Insightful)
Chinese govt inspection of MSFT code? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Insightful)
You are missing the other half of the equation there. The advantage of having the source isn't simply being able to see the code, it is everybody being able to see the code. This is the so called "1000 eyes" effect. Everybody being able to see the code gets bugs found and fixed sooner. Allowing the Chinese to see Windows code may very well h
Re: (Score:3, Insightful)
1. Linux, Firefox, Chrome and the other big open source projects have much more than "a handful" of people working on them. The number of eyes on each one is definitely more than 1000.
2. No it doesn't. Giving source code to everyone makes it easier to find vulnerabilities and, depending on who you are, either fix them or exploit them. Giving source code just to the Chinese government gives you the exploiters but not the fixers, ie. the worst of both worlds.
Re:Chinese govt inspection of MSFT code? (Score:5, Interesting)
It is worth noting that unless you specifically exclude IE8 from DEP (or disable DEP globally) then it is not vulnerable to this attack. You can also enable DEP (either via opt-in or by switching the default behavior system-wide to opt-out) for the previous IE versions.
Nonetheless, it's possible that the vulnerability was discovered in the manner you suggest. I'm not sure they saw the IE8 code, but if the same vulnerability is used on all versions it's probably in code that hasn't changed in a while.
I really doubt it (Score:2)
Not that they got access to the source, that is unsurprising, MS shares their source with governments, universities, and so on. However I doubt the Chinese scoured the IE code to find security flaws.
You find that for major projects, security flaws are most often not found looking through the source, but rather testing against a running program. Why? Well because there were always a bunch of skilled programmers that looked at the source, and they didn't see anything. As such, it isn't so likely you'll see an
Not PDFs? (Score:4, Insightful)
I've heard that PDFs were used, and that's the one that sounds the most logical. Whenever I've seen attacks against my network from the Chinese, it's always been in the form of malicious spear-phished PDFs.
Whatever they actually used against Google, there's not one easy solution. You can't just say that they should have used Firefox, because then the attackers would have exploited some random Firefox add-on that some people were using. I'm sure Google employees use every browser out there throughout the company. Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all.
Re:Not PDFs? (Score:4, Interesting)
"Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all."
I can't help but wonder if Firefox AND Foxit would have prevented this.
Re:Not PDFs? (Score:5, Insightful)
Oh really? (Score:3, Informative)
Well let's see here, how about we look at Firefox 3.0's list of vulnerabilities from Mozilla:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html [mozilla.org]
Lotta red on there, and red means "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
How about 3.5? Hasn't been out as long:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html [mozilla.org]
Less over all, as you'd expect, but seems an even greater percentage are critical risk
Re: (Score:2)
Ever click on a link in Acrobat Reader? Notice that it starts up IE and not whatever browser you have installed?
That's what happened.. of course the clicking on the link part was likely done with another flaw in Acrobat.
Leveraging flaws like this to get arbitrary code execution is about the only indication that these attackers were sophisticated.. otherwise it would just have been a dumb old "don't open the attachment idiot" attack. Although it was that, so meh, they're not that sophisticated.
Re: (Score:3, Insightful)
Acrobat vulnerabilities let you directly drop and install your malware on the system, you don't need to invoke a browser at all.
Um, why are people at google using IE? (Score:3, Insightful)
Seriously - makes no sense.
For the lulz. (Score:2)
Maybe for the same reason that Slashdot uses a 3Dified version of the IE5 logo as an icon for Internet Explorer?... and this on a website where people bitch endlessly about IE6, let alone something even more ancient...
They did it for the lulz.
Re: (Score:2)
Re: (Score:2)
No real fix... (Score:5, Interesting)
Sadly, microsoft doesn't seem to have anything you can do to fix this.
http://www.microsoft.com/technet/security/advisory/979352.mspx [microsoft.com]
It's seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reducing the damage done after IE runs the malicious code on your system.
What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.
'0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.
I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers) or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this. Did the attackers spend months building a strong level of trust with the people at these companies or did someone click an on E-card?
Re: (Score:2)
I'd be interested to know more about the social engineering aspect of this attack.
I would think that aspect of this would be obvious. They obviously received an email from an ancient Tibetian monk who recently came into a large supply of enlightenment pills, but needs help getting them out of the country. The attached PDF document contained all of the information regarding the pills, but the recipients were encouraged to act quickly as enlightenment is a valued treasure of the Chinese culture and supplie
Re: (Score:2)
It seems to me that in light of MS's inability to provide an adequate fix, the appropriate solution would be, in those situations where IE has to be used, to run Windows in a virtual machine that was well isolated from the real OS. This could be done under Linux or Mac.
No sign of vanishing (Score:3, Informative)
IE shows no sign of vanishing from the corporate landscape
I work at a big company that takes an enormous number of precautions to secure and protect the confidential information of millions of people. And we still use IE6 with no sign of changing any time soon.
Re:No sign of vanishing (Score:4, Insightful)
So basically your company has an enormous number of highly secured steel doors, but only three walls?
China is a major IT threat ! (Score:4, Interesting)
Make no mistake, China is agressively attacking foreign systems and common software. They are stockpiling these zero-day exploits as potential weapons. They use one until it's discovered and patched, then wait until they have another high priority and then unwrap the next one.
When you see Symantec or Microsoft reporting an "undisclosed source" on new vulnerabilities, it's usually our own government that reported it after investigating a compromise. It's damn scary just how far the Chinese have wormed into the US corporate and military systems. For now they are content to quietly steal data and technology, but we're in deep shit if China decides to turn malicious. They have the power to level the US financial systems, military supply lines, utilities, etc which would quickly ruin the US. The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.
Re: (Score:3, Interesting)
I am fascinated by your ideas and would like to subscribe to your newsletter.
It's damn scary just how far the Chinese have wormed into the US corporate and military systems
That would be scary if I didn't think you were just making that up.
The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.
Orrr... the Chinese don't actually have the godlike capabilities you ascribe to them.
Oh, but it doesn't count, right? (Score:5, Informative)
Because according to Microsoft, system vulnerability is determined by the following formula:
Vulnerability = (time of patch - time of discovery) * number of exploits.
Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?
For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.
It always seemed obvious to me, but apparently not to others, that risk should be calculated using not on the time of discovery and publication, but rather, upon the ship date of the software. (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability.
I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.
The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.
For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.
what about companies ? (Score:2)
If the Chinese dare do it quasi-officially, I dare not think about the amount of corporate espionage that uses the same tools.
And still ... (Score:2)
... web sites continue to not warn their IE users about the security vulnerabilities in the clients those users are running. They could warn those users each time they visit with IE. But they don't. It's time the webmasters of the world start to do something about the problem and put a big full page notice in front of all IE based visitors warning them about the troubles with IE and urging them to switch to a safer browser (and give some links, too).
DEP may have prevented, why do they disable? (Score:4, Interesting)
This is a real mysterious thing for me since I enable DEP in all kinds of configurations, even including Virtual Machines. I use Windows mostly for critical/complex device driven things like phone firmware updates, backups which means dozens of drivers installed.
I also print via Bonjour under Windows, using a Airport USB shared Epson Laser printer which has a very complex driver.
There hasn't been a single issue I have seen regarding DEP being enabled for all programs. Even AntiVirus programs doesn't complain.
So, as we all know, some companies are "more equal" (look to Adobe/Carbon/OS X), which product likely prevents Microsoft from enabling it by default?
According to Wikipedia, Apple enabled DEP like technology back in OS X 10.4.0 days and nobody even noticed it. I am not seeing any mysterious crashes, performance issues even with software based DEP. So, why on earth DEP is defaulting to off?
DEP setting in IE? (Score:3, Interesting)
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions.
To my knowledge, DEP is a setting in Windows, not in IE. Does Microsoft not know it's own product or is this some different setting?
Re: (Score:3, Insightful)
Or a firewall.
Re: (Score:2)
Some firewalls do inline malware checking
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Do you think google got compromised by an IE 0day? I doubt that. it was likely one of the many MANY other buggy pieces of code that everyone has installed all over their companies. Remember every year people spend their firefox 0day and pwn to own lust like they spend their IE and Safari 0day, which means browser bugs are typically worh less than 2k, which is on the low end of the vulnerability market.
Re: (Score:2)
Umm. yeah, the problem is that you can't (easily) uninstall IE.. and Acrobat Reader can be convinced to embed it.
Re: (Score:2)
Spam = money (Score:2)
Hmm, I wonder why the spammers aren't trying to attack Google? (or maybe we just dont know?)
If they could get into Google's codebase and find a way around anti-spam measures, that would mean tons of cash for them.
Re: (Score:3, Interesting)
Numbers are largely irrelevant. Any code will have bugs, and a percentage of those will be security issues. Yes, careful design and reviews can and will reduce the number of bugs, but will not eliminate them. Especially for a complex system that has a large codebase with multiple components interacting with each other, and with external libraries and components.
FLOSS does not refute this.
What is more interesting is:
1/ Is the fact that a larger number of vulnerabilities are found in Firefox and Chrome becau
Re: (Score:3, Informative)
According to that link, the XPS viewer is opening the XPS document in the default web browser which is Firefox. However, Firefox does not know how to render the Microsoft-specific XPS format and IE does.
This is not a Firefox problem, it is a problem with the implementors of the XPS viewer.
Re: (Score:3, Insightful)
This is a reply to a -1 Redundant post about how using a Mac could have prevented this, but there's a critical known flaw for Mac, iPhone, Apple TV, etc. that hasn't been fixed [theregister.co.uk] for seven months now...
Re: (Score:2)
Arciemowicz said the vulnerability could be remotely exploited using booby-trapped PHP code on a website, among other methods.
What? How would 'booby-trapped PHP code' on a website crash a machine? PHP is executed on the server, not on the client. If it can be exploited with JavaScript and HTML, I'd be interested in seeing an example of that -- as opposed to a C program... yeah, okay, an exploit, but I'd have to, oh, run a program I don't trust, which is always a security flaw...
Re: (Score:2)
I assume he means PHP code on a Mac OS X server running Apache or something. Some second hand distribution of a PHP application or distributed in a user contributed patch.
Re:?Senior? (Score:4, Insightful)
Re:?Senior? (Score:5, Insightful)
And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.
Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.
Re: (Score:3, Insightful)
I'm repeating myself from another story here on slashdot - but, if it's only the "unwashed masses", they why does Corporate America still lose and/or spend billions to malware and/or hacking?
And, I'll note here, I said "Microsoft products". I didn't limit myself to the operating system(s). Outlook and Office have contributed their share to the net losses to the corporate world. Anything else, that I'm neglecting? Microsoft has a lot of products, after all.
You're right, the most FREQUENT cause of data lo
Re: (Score:3, Funny)
Re: (Score:2)
I, for one, welcome our new Sino-Ballmerian overlords!
Re: (Score:2)
Re: (Score:3, Interesting)
The bigger question is: they can see the pain IE6 is causing them through lock-in, yet they think their next salvation is to write apps using Silverlight?