Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Microsoft Security The Internet Technology

Microsoft To Issue Emergency IE Patch 79

Posted by samzenpus
from the protect-ya-neck dept.
CWmike writes "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents. 'We are planning to release the update as close to 10:00 a.m. PST as possible,' said Jerry Bryant, a program manager with the IE group. Microsoft has updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."
This discussion has been archived. No new comments can be posted.

Microsoft To Issue Emergency IE Patch

Comments Filter:
  • by Distan (122159) on Thursday January 21, 2010 @09:14AM (#30844814)

    Reat that the attack targeted Perforce repositories. Haven't heard if any other source control systems were targeted.

    Pretty clever way to gather intellectual property; I'd never considered it before, but for many companies if you can download their repository data then you have their crown jewels.

  • Define Emergency (Score:2, Insightful)

    by sipatha (1162265) <vashoko@noSpaM.gmail.com> on Thursday January 21, 2010 @09:15AM (#30844820) Homepage
    Is it still an emergency since its been some time now since the vulnerability was made public? The best patch is to use a different browser
  • by thijsh (910751) on Thursday January 21, 2010 @09:20AM (#30844860) Journal
    It only shows that warnings are never heeded when coming from the insiders and professionals. It takes global companies and several countries to ring the bell for MS to step up and patch exploits faster...
    It's not really news that lots of exploits could (and probably were) abused for espionage (both corporate and international). But only now that 'teh evil chinese' are happily hacking along some action is taken.
    This is exactly the kind of problem that could be avoided by listening to security experts.

    Thanks M$ for giving a crap about the security of users, companies and countries... You're a few years too late stepping up the game, but please keep it up, we might as well have security as an afterthought instead of no security at all.
  • stolen source (Score:4, Insightful)

    by mikem170 (698970) on Thursday January 21, 2010 @09:20AM (#30844862) Homepage
    Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about.
  • by Anonymous Coward on Thursday January 21, 2010 @09:58AM (#30845168)

    I wish MS would make a version of IE that ran in the popular Linux distros without emulation, then I could use it and be vulnerable as well.

  • Re:Yikes (Score:5, Insightful)

    by Hurricane78 (562437) <.deleted. .at. .slashdot.org.> on Thursday January 21, 2010 @09:59AM (#30845176)

    Looks like a basic architectural problem. Or else it would nor persist as long, trough so many changes.

    No need to bash MS on top of the usual, because Win7 still has it. Think of a basic core library that just works since back then and does not need changing. You overlooked something, and someone found a way that you did no think about.
    That’s normal, an can happen to anyone.

    It’s usually not the bugs that are the problem. Everything has bugs.
    It’s the way MS handles fixing them. With massive denial, attacking others for mentioning it, and then a very very late, half-assed patch that needs another patch to patch the patch.
    That’s the real problem.

    Would MS just have a normal bugzilla, and in the normal case quickly fix the important bugs, I would have no problem with that. Mozilla does it just like that. And even Mozilla has a couple of long-standing bugs. I guess every big software has them. Because every software has a base architecture that you can only re-build every so many years in the complete rewrite. So bugs that don require that architecture to change can’t simply be fixed.
    Oh, that reminds me, that for IE, that rewrite is long overdue. That’s the reason there are so many big bugs in there. But I don’t see MS doing a complete rewrite, unless they are forced to completely throw away the old Trident engine.

  • by magamiako1 (1026318) on Thursday January 21, 2010 @10:17AM (#30845370)
    From my understanding, every version of IE is vulnerable to the exploit, however not every install of IE is vulnerable. There are claims that "IE8 with DEP on" is vulnerable, but it says nothing about the combination of DEP and UAC.

    http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17&pageNumber=2

    Essentially, if you're using back versions of the operating system and don't keep updated, you're vulnerable. What makes this exploit different from a lot of others is that it has such a large attack surface. However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.
  • Re:stolen source (Score:4, Insightful)

    by rtfa-troll (1340807) on Thursday January 21, 2010 @10:32AM (#30845536)
    Microsoft has given the Chinese government preferential access to the Windows Source code [cnet.com]. They even set up a lab of security researchers to look for vulnerabilities [cnet.com] in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.
  • Re:stolen source (Score:3, Insightful)

    by Erikderzweite (1146485) on Thursday January 21, 2010 @10:44AM (#30845694)

    It merely shows yet another weak point in closed source development model -- if the code is leaked or given to bad guys, they can thoroughly analyze and exploit it while good guys can't do anything about it -- they have no legal means to obtain and analyze the code.
    Open source development model does not, of course, have such issues with source code in the wild. Black hats can look at the code in both cases, but open development model is better because it easily allows white hats to have a good look too.

    Yet another example that security through obscurity won't work, nothing really new here.

  • Re:stolen source (Score:3, Insightful)

    by TheRaven64 (641858) on Thursday January 21, 2010 @12:47PM (#30847402) Journal
    The MoD in the UK has had access to the Windows sourcecode since at least NT4, and so GCHQ probably has people looking at it too. Note, however, that this license does not give them the right to compile their own binaries, so even if they find a bug, they can't fix it. All they can do is use it to attack other people, while remaining vulnerable to it. Makes you wonder why they still use Windows, really.

Only through hard work and perseverance can one truly suffer.

Working...