
Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites

Posted by timothy
from the now-this-gives-pause dept.
SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"

  • by Kildjean (871084) on Tuesday May 07, 2013 @12:19PM (#43655083) Homepage

    Just lost their job... The same idiot that insisted on "let's make all our content only available through IE"...

    • by Anonymous Coward

      You clearly have never worked for the government. The bozos decisions will still have their jobs, but underling fall guys who recommended against it but had no choice but to do what they were told will become unemployed.

      • by Kildjean (871084)

        I actually work for the government, they just don't listen to the think tanks that tell them, "Nooooooooooooooooooooooo! Don't do that" and they just go ahead and do it anyways.

        • by Lumpy (12016)

          I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

          The entire top 3 levels of management in a government agency has a lower IQ than a small salad bar.

          • by gstoddart (321705) on Tuesday May 07, 2013 @02:29PM (#43656839) Homepage

            I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

            It's often referred to as the Peter Principle [wikipedia.org], and I assure you, the exact same thing happens in private industry all of the time.

            It's not unique to governments.

            • No.

              The Peter Principle is "Employees tend to rise to their level of incompetence." They start out competent and reach the top of their rung, based on merit, so they get promoted. Eventually they get promoted to a job that they have no ability to do and they become incompetent through the promotion process.

              The Dilbert principle states that in many cases the least competent, least smart people are promoted, simply because they're the ones you don't want doing actual work. http://en.wikipedia.org/wiki

    • by rabbit994 (686936) on Tuesday May 07, 2013 @12:35PM (#43655297)

      I want whatever you are smoking. No one will lose their job over this because A) It's a government worker B) Microsoft is like IBM in government, no one gets fired for picking it.

  • by Anonymous Coward

    How about Global ThermoNuclear War..

  • by Murdoch5 (1563847) on Tuesday May 07, 2013 @12:20PM (#43655095)

    If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?
    • by Anonymous Coward on Tuesday May 07, 2013 @12:25PM (#43655161)
      No. This was not gross negligence. This was not a bug that would affect anyone under conditions remotely close to normal. This is something that is being actively exploited by someone (the criminal in this case) in a way never intended by the programmers. It'd be like suing the people who made the bullets used in the Sandy Hook massacre. Not only that, they probably agreed when they installed the software not to hold the software company responsible for anything. The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.
      • by Anonymous Coward

        The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.

        It's an interesting theory. How much is enough?

        • by Onymous Coward (97719) on Tuesday May 07, 2013 @01:03PM (#43655689) Homepage

          Yeah, that's the problem with a truly free market. Consumers are stupid and inattentive, corporations are clever and evasive.

          If every consumer were Ralph Nader I'd be a free market zealot. As that's not the case we have to find a different way to assure corporations behave themselves.

          • You're completely incorrect about consumer behavior and market regulation, and your example of Nader is a fabulous example.

            The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. It's also responsible for increased pedestrian and cyclist fatalities (known as early as Peltzman's 1975 study) and may even make drivers less safe.

            48 years after his book, despite all the tremendous advances in engi

            • by drinkypoo (153816)

              The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems.

              Bullshit, and also bullshit.

              Big Auto and Big Oil's respective influences on politics in America are directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. Auto companies sell us gas guzzlers because they can advertise them on the basis of power (we love POWER!) and sell them for a lot more money even though they cost little more money to produce, and our laws permit us to drive these vehicles and fob the externalities off onto everyon

              • by jensend (71114)

                Again, your example proves my point and not yours. The second-generation (2007-present) Smart Fortwo is a 1800lb vehicle that gets surprisingly bad mileage (31/41) for how tiny and underpowered it is. My (1990?) Chevy Sprint Metro hatchback seated more people (5 vs 2), had way more cargo room, weighed 250lb less, and got better mileage (44/53). The difference is primarily in "safety" engineering geared towards unrealistic crash tests. With today's safety requirements, the closest equivalents to the Sprint n

            • You know what else keeps fuel efficiency low? Big engines. Consumers have demanded them instead of efficient vehicles in part because we make driving artificially cheap by subsidizing road construction with more funds than we take in from gas taxes. Consumers are typically horrible at acting rationally in their own self interest and are far more likely to act on emotion and misinformation, although I don't think the government should necessarily take the nanny role in those situations.

              • by jensend (71114)

                I'm in full agreement with your first three sentences; the US gas tax definitely needs to be substantially increased, as has been said by all the more honest experts, from Steven Chu to Greg Mankiw.

                But your last sentence is nuts. People do a reasonably decent job at acting in their own individual self interest. We've distorted their incentives with huge subsidies, and in those circumstances it's especially unsurprising that people choosing what makes sense for them as individuals can lead to overall outcome

      • What color is the sky where you live?

    • by bill_mcgonigle (4333) * on Tuesday May 07, 2013 @12:40PM (#43655363) Homepage Journal

      If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible

      And if you discover that software bug and issue fixes and notices and your customers fail to implement the fix, is it still your fault?

      This one ... OK, this makes me a little twitchy ... isn't Microsoft's fault.

      It's 2013. Why are they still running IE8 for anything where security is a concern? Windows 7 has been out for 4 years and IE9 for 2. IE10 is out, and two months should be enough to do a patch deployment, but even if it's borderline, by most accounts IE9/10 are not the horrible bags of garbage that the old versions were.

      Who is not doing patch management? Who is allowing XP machines near critical systems? Who chose IE8 over Firefox when that decision was made? Did somebody specify an IE6-only solution prior to that, ignoring standards and best practices, leading to a chain reaction of a mess? Who is not cleaning that up?

      Answer those questions and you'll find those responsible for today's vulnerable IT landscape.

      And, of course the primary responsibility lies with those coordinating the attacks. But we know those people are out there. If a clerk forgets to close up the store at night and goes home with the front door open, it's not that he is responsible for the burglars' actions, but he's also not doing his job and won't be working there the next day.

      </ick>

      • by h4rr4r (612664)

        IE8 is still supported. Windows 7 is just now something large companies and government are moving to. When you have hundreds of applications to verify or port it takes time.

        XP is still supported as well. FireFox only gained GPO support recently and not many folks are even aware that exists.

        • by yuhong (1378501)

          The XP support ends in 2014.

          • by h4rr4r (612664)

            Yes, and right now it is still 2013.
            Most companies are going to barely make that cut, many will not.

    • by femtobyte (710429)

      If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible.

      Only if your company isn't big enough to act with virtual impunity. Who was put in jail when BP murdered twelve people and devastated the gulf coast ecosystem, in order to cut maintenance costs?

    • by gstoddart (321705)

      So shouldn't companies who release buggy software be held responsible for damages and compensation?

      Well, their EULAs indemnify them from this, and courts have upheld the EULAs.

      So, no, they're not really held responsible, and there is a legal framework as to why.

      Software companies can do almost anything they want to, or as badly as they can get away with, and for the most part there's not a thing you can do.

      Awesome, isn't it?

      • by Murdoch5 (1563847)
        I think it's BS personally, if I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone same deal, if I'm a programmer and someone gets hurt from my code I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

        • I think it's BS personally, if I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone same deal, if I'm a programmer and someone gets hurt from my code I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

          Well, are you willing to pay for software development costs that include developers carrying insurance the way that doctors and engineering firms do? Are you willing to spend the amount of money it takes to hire competent developers? Are you willing to wait a significant amount of time so that the software design is thoroughly vetted and tested instead of just rammed out the door?

          Or do you want your Lower Prices Everyday - Git-er-Dun cheap crap?

        • by iceaxe (18903)

          I don't care what happens, I am NOT tucking in my Hawaiian shirt.

    • by gmuslera (3436)
      Responsibility takes weird turns when using Microsoft products [nytimes.com].
    • by Lumpy (12016)

      Because you agreed to it when you clicked YES on the EULA. The legal standing of the EULA needs to be abolished.

    • by h4rr4r (612664)

      I think you can dump all the oil you like and get away with a slap on the wrist. Heck, senators will even apologize to you.

      • by femtobyte (710429)

        Only if you have enough oil to dump. Try pouring a quart of crude oil onto your senator's plate when he's eating at a fancy seafood restaurant, and you'll get a far less friendly response than if you dumped over two hundred million gallons on the food supply and livelihood of millions of gulf coast residents.

    • by sjames (1099)

      Only if that bug kills people in and of itself. If it merely allows other people to kill people, then no. Same way an auto manufacturer is not held responsible if someone successfully plants a bomb in your trunk to kill you.

      • by Murdoch5 (1563847)
        That I can agree with, however it would still be nice to see programmers take bugs more seriously, as most don't.
  • by Picass0 (147474) on Tuesday May 07, 2013 @12:25PM (#43655173) Homepage Journal

    It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.

    • Why should they listen to you? You're just a dumb fourteen-year-old geek, posting on slashdot in your basement.

      Note: I'm just a fourteen-year-old geek posting to /. in my loft!!
    • by mlts (1038732) *

      Even better, why not keep the internal machines completely locked down with zero ability to connect to the Internet (and perhaps have the IDS/IPS that monitors that segment set to look for packets that are not in that IP range, just to make sure.)

      Then have a Citrix server (preferably on a VMWare or other hypervisor for quick snapshot rollbacks) for the Web browsers and anything that connects to the outside world directly?

      This isn't rocket science, and I've seen places who used Citrix not just to keep the outsi
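      An added check for the monitoring mlts describes above (example code, not from the post): given the internal segment's address range and the one approved exit (an assumed 10.10.0.0/16 and an assumed Citrix host at 192.168.50.10), flag any flow record seen on that segment with an endpoint outside both, and say which way it went. The sample flow lines are constructed.

```python
import ipaddress

# Assumed address plan for the locked-down segment: the internal range plus the
# single approved exit (a hypothetical Citrix host in another segment).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
APPROVED_HOSTS = {ipaddress.ip_address("192.168.50.10")}

# Constructed sample flow records ("src dst proto dport"), as a sensor on the
# internal segment might log them; they are not from the article or the post.
SAMPLE_FLOWS = """\
10.10.4.21 10.10.1.5 tcp 445
10.10.4.21 192.168.50.10 tcp 443
10.10.7.9 203.0.113.77 tcp 80
10.10.2.3 10.10.1.53 udp 53
198.51.100.4 10.10.2.3 tcp 3389
"""


def in_scope(addr):
    """True if the address belongs on the internal segment or is the approved exit."""
    return any(addr in net for net in INTERNAL_NETS) or addr in APPROVED_HOSTS


def parse_flow(line):
    """Parse one 'src dst proto dport' record into typed fields."""
    src, dst, proto, dport = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
    }


def find_violations(lines):
    """Return one finding per flow that touches an address outside the allowed set.

    'egress' means an internal host reached out (the drive-by/redirect case);
    'ingress' means something outside reached in; 'foreign' means neither
    endpoint belongs on the segment at all.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src_ok, dst_ok = in_scope(flow["src"]), in_scope(flow["dst"])
        if src_ok and dst_ok:
            continue
        if src_ok:
            direction, outsider = "egress", flow["dst"]
        elif dst_ok:
            direction, outsider = "ingress", flow["src"]
        else:
            direction, outsider = "foreign", flow["src"]
        findings.append({"line": line, "direction": direction,
                         "outsider": str(outsider), "dport": flow["dport"]})
    return findings


if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{f['direction']:8} {f['outsider']:16} port {f['dport']}  <- {f['line']}")
```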

      • by h4rr4r (612664)

        All that stuff costs money.
        People will complain the government is wasting their tax dollars if they ever tried to spend money on that.

  • We need to make a petition at change.org! Oh, I guess we only do that for Oracle.

  • by Anonymous Coward

    "Nobody ever got fired for picking Microsoft." The time is ripe for that being overturned.

  • a big European company operating in the aerospace, defense, and security industries

    Or EADS for short. I mean, "a" ??? Is there any other ?

    • by Melkman (82959)

      Yup there are other ones. Thales also comes to mind....

      • by alexhs (877055)

        Oops, you're right. Wikipedia has a nice list [wikipedia.org].
        The given definition for aerospace manufacturer has "and/or spacecraft", while I thought the "and" was mandatory (to differentiate from "aeronautics").

        If we go by the "and", this other list [wikipedia.org] leads to a shorter list of EADS, Thales and Safran (if I didn't miss one).

  • While it seems to have died out a bit (and Oracle certainly showed little concern), there were cries from some people to remove Java from everyone's computer because of the (legitimate) exploits in applets. Am I missing something, or shouldn't the same people be calling on everyone to remove I.E. from their computers, given Microsoft's record with browser exploits?

    • by satuon (1822492)

      I've already removed it in favor of Chrome.

    • You do know that IE can not be removed from Windows right? You do know MS was in big trouble with governments over its bundling of IE and its LIES in court about it being impossible for them to remove?

      Well, then you probably don't know about how Bush appointed MS to oversee its own punishment after losing the court case... and that is why the problem continues unresolved...

      • by yuhong (1378501)

        IE can be removed enough from Vista and later that its engine is not easily used for untrusted content.

        • thanks. I clearly haven't touched Windows since XP... some relatives' PCs had it and I didn't even look to see if I could actually uninstall IE. Next time I'll try it.

          • by yuhong (1378501)

            Yea, go to Control Panel->Programs and Features->Turn Windows features on or off.

    • I will let you in on a secret. There is only a tiny number of wannabe IT experts who are "outraged" while everybody else saves their indignation for shit that really matters. And as far as software bugs go name one program more complicated than "Hello World" that doesn't have bugs. If you want bug free software you might as well get used to a 10 year release cycle because that is how long it would take to guarantee bug free software. Of course that puts a real crimp in the advancement of any actual hardware,

    • by JDG1980 (2438906) on Tuesday May 07, 2013 @04:50PM (#43658241)

      Because the Java exploits applied to the latest, fully patched version – not an old version which has been superseded for more than 2 years.

  • I used to see Internet Explorer as the devil, so full of holes it would result in your Windows box needing a reinstall every couple months.

    I was aggressively advocating switching from IE around the apex of this [wikipedia.org] curve, and overjoyed as it plummeted.

    Are my prior impressions about IE being buggy and dangerous still valid? Has IE cleaned up any? I get the impression it has.

    And I was pushing folks to use Firefox as the alternative. How does Firefox compare to IE now? I get the impression IE is still a bad cho

  • No, how about global thermonuclear war. How about Microsoft pushes updates for Internet Explorer to XP?
    • Given the current political climate I'd prefer to try out "Theaterwide Biotoxic and Chemical Warfare"
  • From the article:

    Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.

    So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?

    • by rduke15 (721841)

      I'm wondering too. Reading the /. discussion in the hope of finding the answer, but all I read so far was just the usual MS-bashing and MS-defense blabber.

      How can a browser vulnerability compromise a server? Or are the redirects only happening in the browser? Then the summary is misleading.

  • by MobyDisk (75490) on Tuesday May 07, 2013 @02:15PM (#43656659) Homepage

    This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)
