Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Internet Explorer Security Google IT

Code Used To Attack Google Now Public 128

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."
This discussion has been archived. No new comments can be posted.

Code Used To Attack Google Now Public

Comments Filter:
  • This is shocking! (Score:5, Insightful)

    by eihab ( 823648 ) * on Friday January 15, 2010 @10:47PM (#30787502)

    The attack is very reliable on Internet Explorer 6 running on Windows XP ...
    That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems

    Google has employees running XP/IE6???

    The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare accessing anything with IE6 (especially with reputable sites being hacked and all).

    All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

    This is a shocker!

    • by Anonymous Coward on Friday January 15, 2010 @10:51PM (#30787528)

      > Google has employees running XP/IE6???
      Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."

      • and it could possibly be modified to work on more recent versions of the International Space Station / McDonalds Drivethru Menu Backlight / Diebold Voting Machine etc etc ...

        Blanket statements like this are at best ignorant, and at worst downright FUD.

        An exploit that works on a 9 year old version of the browser (6 years if you consider SV1 was the last major upgrade to IE 6), and two revisions back of the operating system (XP) is hardly newsworthy anymore.

        What *is* newsworthy however, is why exactly Google

        • And I should know better and close my italics properly. D'oh.

        • What *is* newsworthy however, is why exactly Google of all people are still using it ?

          To test that their sites work with all browsers, perhaps?

        • by jc42 ( 318812 )

          An exploit that works on a 9 year old version of the browser ... is hardly newsworthy anymore. What *is* newsworthy however, is why exactly Google of all people are still using it ?

          Oh, I dunno; I've been doing some testing against IE6 lately. My motive is fairly trivial. I'm developing some Web stuff for an organization (which one doesn't matter here), and I did a bit of a survey to find out what browsers their people are using. IE6 turned up fairly high on the list. I've also sent announcements aroun

          • Yes, fine, test boxes ... NOT production servers with access to the storage system where these bloggers details were stored.
    • Re: (Score:3, Insightful)

      by bfree ( 113420 )
      Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.
      • Re: (Score:1, Interesting)

        by Anonymous Coward

        I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.

        Digg and Slashdot won't display correctly in that version of firefox (so much for web standards). There are people out there who can't change for good reasons.

        • Can you give us some of those "good reasons"?

          • Nobody attacks Firefox 2.x anymore, so it must be secure!!!1!!
          • Re:Example? (Score:5, Insightful)

            by eihab ( 823648 ) * on Saturday January 16, 2010 @01:18AM (#30788262)

            Can you give us some of those "good reasons"?

            I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

            The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

            They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

            Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

            I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

            It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

            And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.

            • by XanC ( 644172 )

              None of that is a reason to run IE6 or Firefox 2. Sounds like the latest versions of IE and Firefox will run just fine on what they have.

              • by erlando ( 88533 )
                The largest bank in Denmark has all its employees running IE6 on Windows XP. The reason? It will cost $XX million to modernize all the legacy mission critical only-running-on-IE6 software.
              • IE8 requires at least XP. Firefox 3.5 requires at least Windows 2000. So you're completely wrong.

                • by XanC ( 644172 )

                  I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

                  • I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.

                    Apologies I made the mistake of not reading properly and thought you were responding to this one.

              • by eihab ( 823648 ) *

                I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. ...

                There are people out there who can't change for good reasons.

                Can you give us some of those "good reasons"?

                I can. I did some contracting work for a company before...

                I'm not the GP/AC, I was chiming in about why some companies have their reasons to not change. It wasn't about which version of OS/browser anymore.

        • by Gr8Apes ( 679165 )

          I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux....There are people out there who can't change for good reasons.

          No, there are people out there who drank the coolaid and built systems on alpha software and refuse to change. That's different than cannot change like a leopard can't change its spots, but it can certainly decide to eat the rabbit over the snake.

        • So because you found a single company stupid enough to use such terribly obsolete pieces of software, I have to change how I test my product?

          This is what is wrong with web development, in a nutshell.

      • by eihab ( 823648 ) * on Friday January 15, 2010 @11:11PM (#30787598)

        Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

        I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

        My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

        I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.

        I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

        It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

        If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

        • by jo42 ( 227475 )

          You're marketing it all wrong. You need to sell the downloading and installing of the Firefox plugin for IE6...

        • by Gr8Apes ( 679165 )

          at this point, I purposely break IE6 by including certain 3rd party libraries that are standards complaint yet don't work in IE6. I have that little notice that this site may not work properly in IE 6, along with a link to Firefox and Safari.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

          You're doing it wrong.

        • As long as after work you keep your skills up on modern tech, taking the customer's money to do the stupid thing is a wise course. Advising them, giving the chance, telling them that it's stupid is the moral choice but if not asked there's no shame in doing what you can with what you've got.

          Actually there's an opportunity here - but I'm not going to enumerate it because then you'll be competing with me.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          This is exactly the reaason having kids, family, lights and such other things is EVIL.
          Having them forces people to do evil things just to mantain them.

          • I know you're trolling, but there is NOTHING 'evil' about supporting a commonly used browser while also trying to eductate one's customers about alternatives/upgrades. Get a life :)

        • Comment removed based on user account deletion
        • by ckclark ( 311376 )

          If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

          Everyone seems to be talking as if the problem stops at having IE6 installed. To be exploited, the more stupidity is required. Minimally, the user would have to launch IE6 and visit a malicious web site and probably do a couple of other things as well...

          So maybe someone was doing exactly what you say... ;-)

          • by ckclark ( 311376 )

            Okay, I have to admit that I should have read the code for this exploit first, because this one has a visit-only requirement. There's a nice video showing metasploit to do this:

            http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

            • And don't underestimate how many people will surf on dubious websites, even at work. An anecdote:
              I know a guy who works in IT at a medium-sized German corp. Surfing porn sites at work is forbidden. Yet that guy told me once that he built his porn collection by searching users' hard disks for porn and copying it for himself ;-)

        • I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

          You GOT to be kidding! Do you really believe that?? Are you really that worthless to your boss? Or do you only sell yourself as being worth nothing? Do you say yes and amen to everything? Never learned to say no to your boss?
          Well, after just watching the last episodes of “The Middle”, I am truly horrified at what you teach each other to do:
          See yourself as less worth than a dog, and cave to every abuse anyone throws at you.

          I think you are better than that! After all he hired you!
          You know how some

          • by eihab ( 823648 ) *

            Ok, so gender-wise it's reversed. I'm a "he" and my boss is a "she" :)

            I stood up to bosses before, many times actually. I worked on (lead and developed) a huge custom web-based CMS in a job I had before. My boss was a past programmer and kept nagging me about putting all the sites/clients in one centralized database.

            I whole-heatedly disagreed for performance and junior-programmers-writing code-unchecked reasons (which I tried to address separately). And I simply didn't do it. I told him flat out, if you wan

      • Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

        No, because most average computer users will simply not visit the site again.

      • by tixxit ( 1107127 ) on Saturday January 16, 2010 @01:04AM (#30788192)

        Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

        Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.

        • by Will.Woodhull ( 1038600 ) <wwoodhull@gmail.com> on Saturday January 16, 2010 @01:25PM (#30791920) Homepage Journal

          Twenty percent of PP's users are still with MSIEv6. Looking at this in the context of the 80/20 rule of business brings these questions to mind:

          1. In general, 80% of customer-related costs are generated by 20% of the customers. How many of the these MSIEv6 users fall within this 20% group?
          2. In general, 20% of customers account for 80% of sales revenue. How many of this top quintile of customers are using MSIEv6?
          3. As a rule, it is worthwhile to identify the much smaller number of customers who are in the intersection of these two groups and treat them as special cases, red carpet treatment, whether they use MSIEv6 or not. Could this be done in PP's situation?

          For many businesses this analysis is going to show that the bottom line could be improved by dropping support for MSIEv6. Pruning customers whose support costs more than the revenues they provide is good business sense (selling at a net loss never makes good sense). There are of course niche markets where this isn't true, such as direct sales of adult incontinence supplies. But even those niches are shrinking.

      • by TheLink ( 130905 )
        There's probably plenty of stuff that still requires IE6 to work.

        For example: HP's iLO stuff appears to be very browser type, version and configuration sensitive. We've had some problems using HP iLO with IE8.

        Yes it works with IE7, but in our company the class of machines that upgraded to IE7 would be on IE8 by now (or would soon be).

        The rest would still be on IE6.
    • That admin has a hot rack.
    • by antdude ( 79039 )

      I still use and have to support it. MS still also supports it. :(

    • Well, it's not entirely unbelievable to think that there might be a computer somewhere in Google HQ that hasn't used IE in 4-5 years, and if someone went to a website that said it required IE, and you just clicked the blue button and typed in the address, yes, something like this could happen.

      And it's a believable explanation that doesn't assume malice or stupidity on their part.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Even more shocking to me, after last December's SAP system *upgrade*, our company's customer relation software only works on IE6, IT officially announced that IE7 and later are not supported. We are asked to downgrade out browser to IE6.

      We are a big tech company in the US.

    • by QuantumG ( 50515 ) * <qg@biodome.org> on Saturday January 16, 2010 @05:40AM (#30789090) Homepage Journal

      Gah. Why does this stupidity keep getting repeated?

      IE6 comes installed with Windows XP.. you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.

      The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:

      1. Send the target a PDF.
      2. They open it in Acrobat Reader.
      3. Acrobat Reader loads up IE to display some elements of the PDF.
      4. The embedded code triggers and exploit in IE.
      5. Arbitrary code execution follows.

      And yes, it is a totally lame attack but it works because:

      * Way too many people use Acrobat Reader to read PDFs (monoculture)
      * IE can't be uninstalled, and no-one updates a browser they don't use.

      End of story.

      • Re:This is shocking! (Score:4, Informative)

        by eihab ( 823648 ) * on Saturday January 16, 2010 @01:36PM (#30792014)

        For people who *never* use IE, that's the version we're going to have installed.

        Wrong. IE7 and IE8 have both been pushed via windows update servers and if you have automatic updates on, you will be running IE8 right about now.

        If you work in a company with more than 3 employees (or have competent IT) you will probably be using WSUS or any other patch management software. Your IT department would have been offered to upgrade all the machines to IE8 around mid last year, and IE7 (as a critical update IIRC) even longer before that.

        Basically, the only way for you to be running IE6 is if you couldn't be bothered upgrading your machines or if you're doing it on purpose because of a legacy app.

        What was shocking to me is that Google would do either one of those.

        IE can't be uninstalled, and no-one updates a browser they don't use.

        If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.

        • If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.

          You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.

          Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.

          • by eihab ( 823648 ) *

            You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.

            Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.

            And how will you know if another program on your system isn't using it?

            It's been established that IE is part of Windows. Whether you use it or not, it's a major component in your chosen OS and it needs to be upgraded with everything else.

            So le's rephrase that to anything stupid enough to not use my default browser without my permission deserves to be uninstalled.

            I'm still sticking with "people should upgrade all of their OS components". The "stupid" in my last post was a result of being slightly pissed-off at the ignorance of the parent's post.

            If Windows' update requests that you upgrade something and mark it as critical, then for

      • And yes, it is a totally lame attack but it works because:

        * Way too many people use Acrobat Reader to read PDFs (monoculture)
        * IE can't be uninstalled, and no-one updates a browser they don't use.

        End of story.

        wow, I had no idea Adobe was doing that. I will have to get that Firefox PDF reader plugin ad uninstall Acrobat Reader if they are using IE. (I have the included IE version with XP and never upgraded it, like most non-IE users.) Acrobat has its own security problems and I reluctan

    • Because IE6 is still a very widely used browser and therefore every large internet company needs it around to test stuff.

    • All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

      Here's another option for being forced to use IE6: still running W2K here. Unfortunately, MS decided "IE7 needs >= XP". So, until we replace our hardware, we can't upgrade to IE > 6 (which we would like to do, believe me, IE6 sucks hard). And no, we can't replace IE with another browser. 3rd party software requires IE i

    • by lieden ( 897813 )

      Remember, Google also employs lawyers, accountants and any number of non-dev staff.
      I would bet that most IE testing is done in the VM world, but not every Google employee works in tech - a lot of them probably just want Quickbooks and Exchange/Outlook to work. Maybe that was a hole in the armour and lead to an attack vector.

      It's another issue that these people would have access to raw Google data. That's no good. But I doubt there's any significant number of the people one typically thinks of as a Google
    • by eionmac ( 949755 )

      http://news.bbc.co.uk/1/hi/technology/8463516.stm [bbc.co.uk]

      German government warns all against using MS Explorer, any version.

  • by Peter Steil ( 1619597 ) on Friday January 15, 2010 @10:49PM (#30787518)
    Seems like running IE4 on windows 95 has paid off....finally! Now if only active desktop worked properly...
    • So you are the one that has sales demanding we support old browsers.

      Right men, we got its location, capture is imminent.

      Anyone want to set up a poll what do with him?

      It better have a cowboyNeal option.

  • by Proudrooster ( 580120 ) on Friday January 15, 2010 @10:58PM (#30787558) Homepage

    http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [praetorianprefect.com]

    Yawn, another unpatched MS browser exploit.

    I hear there are several more for sale...

  • I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet, the benefits versus the liabilities seem way out of proportion.
    The fact that a bit of code can compromise governments is a strong indicator that no one really knows what they are doing in said government, and also begs the question why isn't Microsoft held liable for

    • by Anonymous Coward

      I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet

      It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.

      • Re:A Question (Score:4, Insightful)

        by tagno25 ( 1518033 ) on Saturday January 16, 2010 @12:09AM (#30787930)

        It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.

        unless there is no cable connection them to any device that has access to the outside world, USB ports and CD/DVD drives are disabled, you use security on the cables, and you do not run Windows.
        If you connect ANYTHING that is not approved then you can be fired and then sued if anything happened because of it.

        • ...and then sued if anything happened because of it.

          Even that's a tricky path to cleanly draw; How can you know that that USB keyfob didn't have something on it that exploited a flaw in the FAT filesystem driver, and leave a clock-triggered piece of malware? Safest bet for a known incident is to wipe and reinstall. There are ways of doing such things automatically. :)

    • by DeadPixels ( 1391907 ) on Friday January 15, 2010 @11:40PM (#30787764)
      Have you seen any of the new IBM commercials? We have to "build a smarter electrical grid", and if that means connecting our generators to 4chan, then so be it!
    • It's not a strong indicator that no one really knows what they are doing per se. First of all there is a big difference between a private network that is cut off from the internet and contains access to a lot of very sensitive data and a public network with employees working with semi-sensitive data.
      Beside that it will always be a cat and mouse game and the type of browser (despite IE6 being very bad) with all currently populair browsers in mind wouldn't make that much of a difference because people will al

      • by DarkOx ( 621550 )

        Why should Microsoft be held responsible for these issues?

        As a principled person I see your point and I agree with it. I would point out though in practice that software companies are treated in-congruently with regard to liability.

        Manufacturers of other goods are held accountable when safety equipment fails. IE has all sorts of "safety equipment" these days, pop up blocking phishing filters; the whole trusted untrusted sites thing goes back to IE6 and prior.

        Suppose you got in a car accident and the airbag failed to deploy; I suspect you could hav

        • by Grygus ( 1143095 )

          This is true, but the key difference is that people aren't mucking about with the latest installation of their airbag, and criminals aren't gaining access to peoples' cars without their knowledge and tampering with the airbag; in other words, if the airbag fails it's very likely the manufacturer's fault, they exercise almost total control over the system in the vast majority of cars.

          Contrast this to computer security problems, which are sometimes the fault of the security provider (in this case Microsoft) b

    • by AHuxley ( 892839 )
      IBM had monopoly issues, so they spun off their desktop to Microsoft via a trusted known, wealthy family name, Gates.
      The sort of people who understand IBM dealing with ww2 Germany and medical clinics for the 'poor'.
      Microsoft then went after schools and trained a generation of young dumb mouse clickers.
      Sadly they have now grown up and infected most of the US network from point of sale to your power systems.
      Some parts of your government do not trust MS, but then they do not trust you.
      The benefits are an ave
    • Making a country secure is easy.

      Everyone mandatory implanted ID that can't be removed or altered without dying, say a chip implanted in the brain that extends barbs.

      Tracking posts everywhere. All travel recorded and logged.

      1 computer system, can only be activated with ID. No 3rd party software let alone your own stuff, every access is recorded and logged for 10 years minimum.

      Should I go on? It is easy to implement and will eliminate all security problems. Feel free to take these ideas for when you run f

  • So... (Score:4, Funny)

    by fuzzyfuzzyfungus ( 1223518 ) on Friday January 15, 2010 @11:08PM (#30787588) Journal
    Who else suspects that Google is stepping up internal use of Chrome?
  • by Anonymous Coward

    Next time somebody tells you that their organisation can't switch from Internet Explorer 6 because of legacy intranet applications, point out that virtually all of Europe switched from their own centuries-old currency to the Euro in less time than it's taking to get rid of Internet Explorer 6.

    • Re: (Score:3, Insightful)

      The difference is benefits vs drawbacks. With the Euro, the county (especially the smaller countries) got a lot more buying power and therefore more wealthy for minimal risk. With switching from IE 6 the company will -lose- money, especially in the short term to change from IE 6 and get little in the long term. Why fix what isn't broken (in the eyes of management). All the management sees is that it would cost $10K to go from IE 6 to IE 7 for a savings of $0.
      • by omb ( 759389 )
        This is such a dumb American attitude, I hope your Company can work without its intellectual property and computer systems. I assume you dont have insurance as well!
      • Re: (Score:3, Interesting)

        by Grygus ( 1143095 )
        To be fair, the case we make for IE8/FF3/Win 7/whatever is the same spiel we gave them to get them to switch to IE6/FF2/Win 98. It's a never-ending treadmill, it's not surprising that they'd see the entire enterprise as a bottomless money pit and want to get off at some point.
  • by danielkennedy74 ( 1543159 ) on Friday January 15, 2010 @11:18PM (#30787634)
    The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese Nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [praetorianprefect.com]
  • While it is writen to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.
    • Re:IE6 (Score:4, Insightful)

      by RobertM1968 ( 951074 ) on Saturday January 16, 2010 @12:53AM (#30788160) Homepage Journal

      While it is writen to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

      Really? What do you base that on?

      - First, there have already been a ton of exploits for IE7 and IE8 - and even some patches.

      - Second, Microsoft never seemed to say that IE7 or IE8 were not vulnerable. They very carefully said this instead:
      "At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.

      That states there are other affected versions... but Microsoft hasn't seen attacks against them. I could care less what Microsoft has seen... they also "saw" XP and IE6 as secure (pre Service Pack 1).

      It also means the other affected browsers are... IE4? IE5? IE7? IE8? I wonder which ones of those are the ones they are talking about? I could almost bet you that it's not a pre-IE6 browser that they are talking about.

  • Anyone else find it amusing that Google has its very own web browser [google.com] yet IE6 is apparently still widely deployed on their desktops?

    • Given the fact that the use of a web-browser is the main source of income for Google combined with the fact that IE6 still has a 10% market-share..
      I'd be willing to bet that a shitload of people working at google simply need IE6 in one form or another to get their job done.

    • Re: (Score:1, Informative)

      by LordThyGod ( 1465887 )
      Not at all. This is the MS legacy: install XP, then install Firefox (Chrome, Safari, whatever). But you can't uninstall IE, and if you never use it, its sitting there at 6. And the exploit does not require actively opening the browser, just that its installed. One more reason to run away from anything from MS. How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.
      • Dear Mr. LordThyGod:

        Your statement:

        How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.

        Leads me to think that your Deity card needs to be revoked or significantly downgraded. If that is one of the 'mysteries of the Universe", how the hell are you going to deal with something complex like calculus? I really don't think you ought to be running things, sir. Would you step this way please?

  • I can not believe that Google, with all of its vast resources and years online, that a few email accounts getting hacked all of sudden set them off to pull out of China. They are pretending to the press as if this is something special or new on the internet that China is doing, or that these couple of "attacks" from China are too much. Google has got to be just hammered by Chinese attackers, and they make it sound like no other gmail account has ever been hacked. I bet they get thousands of illegally hacked

  • by MadMaverick9 ( 1470565 ) on Saturday January 16, 2010 @02:35AM (#30788526)

    It doesn't matter which browser you're using ...

    If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

    Until users change their behavior and start using least-privilege accounts while surfing the web, it's wrong to blame the browser.

    Microsoft even says it in their security advisory kb 979352: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

    And this applies to any OS: Linux, Windows, Mac OS, etc.

    Rootkit - contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior admin access to execute and tamper with system files and processes.

    • Re: (Score:3, Interesting)

      by dotwhynot ( 938895 )

      It doesn't matter which browser you're using ...

      If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

      I don't disagree with it being better not running as admin, but a lot of malware will live quite happily in your userspace. And if a user privileged account is compromised there are privilege escalation exploits to get admin level, for fx rootkit if that is what they are after. MS is on to something with the IE8 protected mode sandbox in Vista/W7, running with lover privileges than even normal user. But it's just one part of this puzzle.

  • YES. Finally.

    Kill IE6. Kill it with fire.

  • by indros13 ( 531405 ) * on Saturday January 16, 2010 @09:36AM (#30790188) Homepage Journal
    ...to code.google.com.
  • I'm a para-geek (a tech writer, actually), so don't understand the technical aspects of this. But I do sense the well-known fear that keeps products like IE6 running over corporate LANs. As I said in this post [dailyrevolution.net]:

    ...the corporate mind is going to have to learn some courage if it is to discover its conscience. “Do no evil” (Google’s motto) is not enough, even if its intent is genuine. Aversion betrays an underlying fear; it is the software patch, the unending trail of ineffectual security upda

  • Microsofts greatest innovation is to steal it. Haaaaaaaaaaaaaaa Haaaaaaaaaaaa Haaaaa And their totally SHIT browseR/s.... I have more security if I pull down my pants and hang my bare arse out of a tree at night in the park. LOSERS. I hate microsoft - I hate microsoft - I hate microsoft.... Traaaa Laaaaaa Laaa Laaaaaaaaaa

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors

Working...