German Government Advises Public To Stop Using IE 320
Posted by Soulskill
from the enough-is-enough dept.
An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"
A stinging lesson (Score:5, Interesting)
To be fair to Microsoft (Score:5, Interesting)
This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.
Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.
IE8 allegedly super-safe (Score:5, Interesting)
Good (Score:1, Interesting)
Joe public needs to upgrade already, and I don't care if governments have to dumb it down to "IE steals yu0r megahurtz, and means you support TERRORISM", so long as the message gets through.
(Screw the corporations that got locked into IE. They can use IE as an intranet client, and use a real web browser for ... well, browsing.)
Re:To be fair to Microsoft (Score:5, Interesting)
Something like this has been in at least limited operation for a couple of years.
File suit, not just follow suit (Score:1, Interesting)
Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?
Surely you mean file suit. IE is so widespread that it should be possible for it to be treated like a public utility and then sue Microsoft despite their "no warranty" EULA clause. Cory Doctorow, we need your input on this.
Re:Right Decision? (Score:5, Interesting)
DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.
But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker execute string constants.
The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.
Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.
Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.
Not a bit late? It is like a spy platform already (Score:5, Interesting)
I am surprised it took so long. I was expecting some guys from the NSA, CIA and several others to visit the MS IE department and tell them "Guys, enough is enough, you are threatening our national security."
Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to write custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, they get fixed (unless Apple doesn't care). The browser's model is clearly broken. In fact, it threatens the whole global economy and security. Nothing that serious has happened yet but it will surely happen one day. Another side effect is that, every day, people are more bound to the web/internet for their actual work. So as time passes, things get way more serious.
Perhaps they can't (Score:4, Interesting)
Can you try imagining your daily work depends on some intranet tool which only works in pre-IE 8 and, despite numerous claims by MS, IE 8 simply can't make that tool work?
What would happen?
In fact, even if a tool has an upgrade released by the vendor, you can't roll IE 8 out to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and clicking all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust Apple for updates, let alone blindly update/patch their Windows, which is way more complex.
Re:People are used to it (Score:3, Interesting)
Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously... I see people working in the middle of an "adware pops up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???
Use fascist GPOs (Score:5, Interesting)
In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:
- run javascript
- directly launch an associated application (like a PDF)
- run Flash
- run ActiveX
- change the default home page
- install toolbars
- use any other search provider except Google
amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.
Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.
Re:Not a bit late? It is like a spy platform alrea (Score:2, Interesting)
Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.
Oh, wait, wasn’t there just a 0day in that?
Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).
They didn’t find this vuln themselves. They bought it off the black market from a blackhat, like anyone else could have. They bought the Gh0st RAT (remote access trojan) tool as well, which isn’t particularly brilliant but clearly got the job done due to some very clever and determined targeting. Probably a budget of less than $30k-worth for this whole operation. Very cheap, considering some of the quality SIGINT they got.
Besides, this particular 0day targets XP. As it stands it is non-functional in Windows Vista or 7, due to the ASLR changes. (It could be modified to extend that, as all versions have the bug, but that work hasn’t been done yet and the particular exploit may not reach 100% reliability.)
MS will probably issue an out-of-cycle patch. It’s Adobe you should be angry at.
Re:Right Decision? (Score:3, Interesting)
Java inherently has the ability to both write and execute code
But not at the same time. One of the things the OpenBSD guys had to do with their port (which is now in the mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you write into memory unless you issue a system call to change the page permission. To do this you must already be able to make the program do what you want, so you need some other exploit.
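The W^X rule described in this comment, turned into a defender's check. This is an added example, not code from the thread or from OpenBSD/LLVM: it reads a memory map in the Linux /proc/<pid>/maps text format and counts mappings that are both writable and executable, i.e. pages DEP/W^X would forbid. The sample map text is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): audit a process memory map, given as
 * text in /proc/<pid>/maps format, for mappings that carry both 'w' and 'x'.
 * Under a working W^X / DEP policy the count should be zero. */

/* 1 if the maps line starting at `line` has both write and execute set. */
static int line_is_wx(const char *line)
{
    char perms[8];                       /* permission field, e.g. "rwxp" */
    /* Line format: "start-end perms offset dev inode [path]" */
    if (sscanf(line, "%*lx-%*lx %7s", perms) != 1) return 0;
    return strchr(perms, 'w') && strchr(perms, 'x');
}

/* Count W+X mappings in newline-separated maps text. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    for (const char *p = maps_text; *p; ) {
        count += line_is_wx(p);          /* sscanf stops at the field, not the line */
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: a W^X-clean layout plus one RWX region of the kind a
 * JIT (the HotSpot case in the thread) or a careless loader would create. */
const char *SAMPLE_MAPS =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example\n"
    "7f0a1c000000-7f0a1c021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f0a1d000000-7f0a1d100000 rwxp 00000000 00:00 0 [jit-cache]\n"
    "7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]\n";

/* Stand-alone use (Linux): audit the sample, then the running process itself. */
int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("sample: %d W+X mapping(s), self: %d W+X mapping(s)\n",
           count_wx_mappings(SAMPLE_MAPS), count_wx_mappings(buf));
    return 0;
}
```

The same check works on any process by pointing it at that process's maps file; a non-zero count names exactly the regions an attacker could write into and then run.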
Re:Right Decision? (Score:3, Interesting)
How long must this go on? (Score:3, Interesting)
You know your product's reputation is in trouble when a government advises the public to dump it.
Dude, that was the case back ten years ago, too. Facts and technical data don't play a role in situations where Microsoft products get deployed.
You know you have a cult-like following when governments, research universities and a handful of computer magazines advise the public to dump your product and it still retains market share [groklaw.net]. Having EULAs that prohibit benchmarking doesn't hurt either. Nor does it hurt to have insiders [linuxtoday.com] paid for by the victim's own budget.
How long must this go on? Put a dollar value on the damage and then put out warrants for Microsoft executives and interns, past and present.
Re:A stinging lesson (Score:3, Interesting)
your online assessment and training solution for Microsoft Office 2007
You got any that aren't Microsoft affiliated?
Re:Firefox doesn't even ship official MSI (Score:5, Interesting)
You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.
Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.
All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.
People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.
For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.
Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.
Re:A stinging lesson (Score:1, Interesting)
Re:Right Decision? (Score:1, Interesting)
>> Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.
What's odd is how you're also minimizing the fact that other browsers also get updated more frequently and diligently with this deceptive statement.
Re:A stinging lesson (Score:3, Interesting)
A quick visit later, it seems to work fine in firefox...
Re:A stinging lesson (Score:2, Interesting)
> Why does someone need to view a pdf in a browser anyways?
Why does a program to interpret and display the data in a PDF have to expose you to danger anyway? Text and graphics, right?
Wouldn't it be better if there were a wysiwyg mode as part of HTML? So you could genuinely display it the same on each browser, assuming you had the screen resolution required, or didn't mind scrolling? (There's a PDF reader on my phone, and that has a 'reflow' option to wrap text so I don't have to tediously scroll around the image anyway)