Code Used To Attack Google Now Public 128
itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."
This is shocking! (Score:5, Insightful)
The attack is very reliable on Internet Explorer 6 running on Windows XP ...
That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems
Google has employees running XP/IE6???
The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare accessing anything with IE6 (especially with reputable sites being hacked and all).
All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.
This is a shocker!
Re:This is shocking! (Score:4, Insightful)
> Google has employees running XP/IE6???
Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."
Re: (Score:2)
and it could possibly be modified to work on more recent versions of the International Space Station / McDonalds Drivethru Menu Backlight / Diebold Voting Machine etc etc ...
Blanket statements like this are at best ignorant, and at worst downright FUD.
An exploit that works on a 9 year old version of the browser (6 years if you consider SV1 was the last major upgrade to IE 6), and two revisions back of the operating system (XP) is hardly newsworthy anymore.
What *is* newsworthy however, is why exactly Google
Re: (Score:2)
And I should know better and close my italics properly. D'oh.
Re: (Score:2)
What *is* newsworthy however, is why exactly Google of all people are still using it ?
To test that their sites work with all browsers, perhaps?
Re: (Score:2)
An exploit that works on a 9 year old version of the browser ... is hardly newsworthy anymore. What *is* newsworthy however, is why exactly Google of all people are still using it ?
Oh, I dunno; I've been doing some testing against IE6 lately. My motive is fairly trivial. I'm developing some Web stuff for an organization (which one doesn't matter here), and I did a bit of a survey to find out what browsers their people are using. IE6 turned up fairly high on the list. I've also sent announcements aroun
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:1, Interesting)
I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.
Digg and Slashdot won't display correctly in that version of firefox (so much for web standards). There are people out there who can't change for good reasons.
Example? (Score:2)
Can you give us some of those "good reasons"?
Re: (Score:1)
Re:Example? (Score:5, Insightful)
Can you give us some of those "good reasons"?
I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.
The software they used modeled their business and also ran their books (accounting, employee hours, etc.).
They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.
Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.
I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).
It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.
And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.
Re: (Score:1)
None of that is a reason to run IE6 or Firefox 2. Sounds like the latest versions of IE and Firefox will run just fine on what they have.
Re: (Score:2)
Re: (Score:2)
IE8 requires at least XP. Firefox 3.5 requires at least Windows 2000. So you're completely wrong.
Re: (Score:2)
I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.
Re: (Score:2)
I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.
Apologies I made the mistake of not reading properly and thought you were responding to this one.
Re: (Score:2)
I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. ...
There are people out there who can't change for good reasons.
Can you give us some of those "good reasons"?
I can. I did some contracting work for a company before...
I'm not the GP/AC, I was chiming in about why some companies have their reasons to not change. It wasn't about which version of OS/browser anymore.
Re: (Score:2)
Seems like they shouldn't care about GIMPs name, or OOo's lack of the dirty corners of Office.
They don't, it's all about the business case. Most graphic designers coming out of school nowadays are accustomed to Adobe's suite of tools (Photoshop/Illustrator, etc.), and to a company dropping $4000-5000 on a Mac+CS4 is nothing compared to the hours of lost productivity that a designer would spend getting up to speed and working around GIMP.
OOo on the other hand and older versions of MS Office stop being attractive when you try to send editable word documents to clients. Once one of your big clients swi
Re: (Score:2)
I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux....There are people out there who can't change for good reasons.
No, there are people out there who drank the coolaid and built systems on alpha software and refuse to change. That's different than cannot change like a leopard can't change its spots, but it can certainly decide to eat the rabbit over the snake.
Re: (Score:2)
So because you found a single company stupid enough to use such terribly obsolete pieces of software, I have to change how I test my product?
This is what is wrong with web development, in a nutshell.
Re:This is shocking! (Score:5, Insightful)
Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser
I'm afraid if I do that I'll be jobless and unable to pay my mortgage.
My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?
I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.
I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.
It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.
If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?
Re: (Score:3, Informative)
Anyone else smell the BS from this post?
What BS Mr. AC? Name something.
About me refusing freelance work that doesn't live to my standards? Guess what, it's "extra", and if my main job takes care of everything and then some, then I get to be VERY freaking picky about what I do with time I can spend doing what _I_ want.
Or did the $x,000 freak you out? Do you even work? What's your hourly rate?
Bah, I know better than to respond to ACs, but this was just infuriating.
Re: (Score:1, Offtopic)
The way that _you_ type is _extremely_ _annoying_. You don't have to tack on underscores to words or do anything else to them for that matter for people to understand what it is you're saying. Trying to add emphasis to words in your posts like this is completely unnecessary.
_I_ am _very_ sorry if _this_ "annoyed" ||you||. I'll "try" to be more _careful_ next 'time'.
Re: (Score:2)
I was shooting for funny but I guess I annoyed someone else too :P
bad aim? (Score:2)
Re: (Score:2)
Asterisks as well. While I know no manual of style, I think asterisks are used for tone while underscore for emphasis:
*I* am _very_ etc
Re: (Score:2)
/. supports html, though, so you could just use italics.
Re: (Score:3, Funny)
Re: (Score:2)
Not at all.
This is exactly the way I do it too. Except I explicitly tell all clients that "IE6 support will cost you XX hours extra". At $120+ an hour they think twice about IE6
Re: (Score:2)
You're marketing it all wrong. You need to sell the downloading and installing of the Firefox plugin for IE6...
Re: (Score:2)
at this point, I purposely break IE6 by including certain 3rd party libraries that are standards complaint yet don't work in IE6. I have that little notice that this site may not work properly in IE 6, along with a link to Firefox and Safari.
Re: (Score:2, Funny)
If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?
You're doing it wrong.
Maybe he is a she? (Score:2)
Everyone knows girls need longer.
This is a wise course (Score:1)
As long as after work you keep your skills up on modern tech, taking the customer's money to do the stupid thing is a wise course. Advising them, giving the chance, telling them that it's stupid is the moral choice but if not asked there's no shame in doing what you can with what you've got.
Actually there's an opportunity here - but I'm not going to enumerate it because then you'll be competing with me.
Re: (Score:2, Interesting)
This is exactly the reaason having kids, family, lights and such other things is EVIL.
Having them forces people to do evil things just to mantain them.
Re: (Score:2)
I know you're trolling, but there is NOTHING 'evil' about supporting a commonly used browser while also trying to eductate one's customers about alternatives/upgrades. Get a life :)
Re: (Score:1)
Re: (Score:1)
If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?
Everyone seems to be talking as if the problem stops at having IE6 installed. To be exploited, the more stupidity is required. Minimally, the user would have to launch IE6 and visit a malicious web site and probably do a couple of other things as well...
So maybe someone was doing exactly what you say... ;-)
Re: (Score:1)
Okay, I have to admit that I should have read the code for this exploit first, because this one has a visit-only requirement. There's a nice video showing metasploit to do this:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Re: (Score:2)
And don't underestimate how many people will surf on dubious websites, even at work. An anecdote: ;-)
I know a guy who works in IT at a medium-sized German corp. Surfing porn sites at work is forbidden. Yet that guy told me once that he built his porn collection by searching users' hard disks for porn and copying it for himself
Re: (Score:2)
I'm afraid if I do that I'll be jobless and unable to pay my mortgage.
You GOT to be kidding! Do you really believe that?? Are you really that worthless to your boss? Or do you only sell yourself as being worth nothing? Do you say yes and amen to everything? Never learned to say no to your boss?
Well, after just watching the last episodes of “The Middle”, I am truly horrified at what you teach each other to do:
See yourself as less worth than a dog, and cave to every abuse anyone throws at you.
I think you are better than that! After all he hired you!
You know how some
Re: (Score:2)
Ok, so gender-wise it's reversed. I'm a "he" and my boss is a "she" :)
I stood up to bosses before, many times actually. I worked on (lead and developed) a huge custom web-based CMS in a job I had before. My boss was a past programmer and kept nagging me about putting all the sites/clients in one centralized database.
I whole-heatedly disagreed for performance and junior-programmers-writing code-unchecked reasons (which I tried to address separately). And I simply didn't do it. I told him flat out, if you wan
Re: (Score:2)
Then your company needs to advise that you will have to charge more money to support a deprecated and standards non-compliant application.
We do. There's usually a line item called "Browser testing" which specifies which browsers/platforms the site will be thoroughly tested on (a.k.a. almost-pixel-perfect guarantee). Whenever IE6 is on that list, the numbers get inflated.
We never churn anything out but XHTML 1.0 Strict pages with all the best practices for performance and accessibility (e.g. css/js inclusion order, css sprites, graceful degradation, etc.).
IE6 support usually consists of major CSS hacks in a ie6.css that's included only for tha
Re: (Score:2)
Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.
No, because most average computer users will simply not visit the site again.
Re:This is shocking! (Score:5, Insightful)
Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.
Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.
Re:This is shocking! (Score:4, Insightful)
Twenty percent of PP's users are still with MSIEv6. Looking at this in the context of the 80/20 rule of business brings these questions to mind:
For many businesses this analysis is going to show that the bottom line could be improved by dropping support for MSIEv6. Pruning customers whose support costs more than the revenues they provide is good business sense (selling at a net loss never makes good sense). There are of course niche markets where this isn't true, such as direct sales of adult incontinence supplies. But even those niches are shrinking.
Re: (Score:2)
For example: HP's iLO stuff appears to be very browser type, version and configuration sensitive. We've had some problems using HP iLO with IE8.
Yes it works with IE7, but in our company the class of machines that upgraded to IE7 would be on IE8 by now (or would soon be).
The rest would still be on IE6.
In her defense.. (Score:1)
Re: (Score:2)
I still use and have to support it. MS still also supports it. :(
Re: (Score:2)
And it's a believable explanation that doesn't assume malice or stupidity on their part.
Re: (Score:1, Informative)
Even more shocking to me, after last December's SAP system *upgrade*, our company's customer relation software only works on IE6, IT officially announced that IE7 and later are not supported. We are asked to downgrade out browser to IE6.
We are a big tech company in the US.
Re:This is shocking! (Score:4, Insightful)
Gah. Why does this stupidity keep getting repeated?
IE6 comes installed with Windows XP.. you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.
The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:
1. Send the target a PDF.
2. They open it in Acrobat Reader.
3. Acrobat Reader loads up IE to display some elements of the PDF.
4. The embedded code triggers and exploit in IE.
5. Arbitrary code execution follows.
And yes, it is a totally lame attack but it works because:
* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.
End of story.
Re:This is shocking! (Score:4, Informative)
For people who *never* use IE, that's the version we're going to have installed.
Wrong. IE7 and IE8 have both been pushed via windows update servers and if you have automatic updates on, you will be running IE8 right about now.
If you work in a company with more than 3 employees (or have competent IT) you will probably be using WSUS or any other patch management software. Your IT department would have been offered to upgrade all the machines to IE8 around mid last year, and IE7 (as a critical update IIRC) even longer before that.
Basically, the only way for you to be running IE6 is if you couldn't be bothered upgrading your machines or if you're doing it on purpose because of a legacy app.
What was shocking to me is that Google would do either one of those.
IE can't be uninstalled, and no-one updates a browser they don't use.
If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.
Re: (Score:2)
If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.
You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.
Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.
Re: (Score:2)
You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.
Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.
And how will you know if another program on your system isn't using it?
It's been established that IE is part of Windows. Whether you use it or not, it's a major component in your chosen OS and it needs to be upgraded with everything else.
So le's rephrase that to anything stupid enough to not use my default browser without my permission deserves to be uninstalled.
I'm still sticking with "people should upgrade all of their OS components". The "stupid" in my last post was a result of being slightly pissed-off at the ignorance of the parent's post.
If Windows' update requests that you upgrade something and mark it as critical, then for
Re: (Score:2)
And yes, it is a totally lame attack but it works because:
* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.
End of story.
wow, I had no idea Adobe was doing that. I will have to get that Firefox PDF reader plugin ad uninstall Acrobat Reader if they are using IE. (I have the included IE version with XP and never upgraded it, like most non-IE users.) Acrobat has its own security problems and I reluctan
Re: (Score:2)
Because IE6 is still a very widely used browser and therefore every large internet company needs it around to test stuff.
Re: (Score:2)
Because turning customers away is in Google's interest is it?
Re: (Score:1)
Here's another option for being forced to use IE6: still running W2K here. Unfortunately, MS decided "IE7 needs >= XP". So, until we replace our hardware, we can't upgrade to IE > 6 (which we would like to do, believe me, IE6 sucks hard). And no, we can't replace IE with another browser. 3rd party software requires IE i
Re: (Score:1)
Remember, Google also employs lawyers, accountants and any number of non-dev staff.
I would bet that most IE testing is done in the VM world, but not every Google employee works in tech - a lot of them probably just want Quickbooks and Exchange/Outlook to work. Maybe that was a hole in the armour and lead to an attack vector.
It's another issue that these people would have access to raw Google data. That's no good. But I doubt there's any significant number of the people one typically thinks of as a Google
Re: (Score:1)
http://news.bbc.co.uk/1/hi/technology/8463516.stm [bbc.co.uk]
German government warns all against using MS Explorer, any version.
Thank god I run IE4! (Score:5, Funny)
So you are the one (Score:2)
So you are the one that has sales demanding we support old browsers.
Right men, we got its location, capture is imminent.
Anyone want to set up a poll what do with him?
It better have a cowboyNeal option.
Re: (Score:2)
Try it... about 3 of the web pages in the world will actually display... Two of them are probably in Ugandan.
"Aurora" IE Exploit Used Against Google in Action (Score:5, Informative)
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [praetorianprefect.com]
Yawn, another unpatched MS browser exploit.
I hear there are several more for sale...
A Question (Score:2)
I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet, the benefits versus the liabilities seem way out of proportion.
The fact that a bit of code can compromise governments is a strong indicator that no one really knows what they are doing in said government, and also begs the question why isn't Microsoft held liable for
Re: (Score:1)
I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet
It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.
Re:A Question (Score:4, Insightful)
It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.
unless there is no cable connection them to any device that has access to the outside world, USB ports and CD/DVD drives are disabled, you use security on the cables, and you do not run Windows.
If you connect ANYTHING that is not approved then you can be fired and then sued if anything happened because of it.
Re: (Score:2)
Even that's a tricky path to cleanly draw; How can you know that that USB keyfob didn't have something on it that exploited a flaw in the FAT filesystem driver, and leave a clock-triggered piece of malware? Safest bet for a known incident is to wipe and reinstall. There are ways of doing such things automatically. :)
Re:A Question (Score:4, Funny)
Re: (Score:1)
It's not a strong indicator that no one really knows what they are doing per se. First of all there is a big difference between a private network that is cut off from the internet and contains access to a lot of very sensitive data and a public network with employees working with semi-sensitive data.
Beside that it will always be a cat and mouse game and the type of browser (despite IE6 being very bad) with all currently populair browsers in mind wouldn't make that much of a difference because people will al
Re: (Score:2)
Why should Microsoft be held responsible for these issues?
As a principled person I see your point and I agree with it. I would point out though in practice that software companies are treated in-congruently with regard to liability.
Manufacturers of other goods are held accountable when safety equipment fails. IE has all sorts of "safety equipment" these days, pop up blocking phishing filters; the whole trusted untrusted sites thing goes back to IE6 and prior.
Suppose you got in a car accident and the airbag failed to deploy; I suspect you could hav
Re: (Score:2)
This is true, but the key difference is that people aren't mucking about with the latest installation of their airbag, and criminals aren't gaining access to peoples' cars without their knowledge and tampering with the airbag; in other words, if the airbag fails it's very likely the manufacturer's fault, they exercise almost total control over the system in the vast majority of cars.
Contrast this to computer security problems, which are sometimes the fault of the security provider (in this case Microsoft) b
Re: (Score:2)
The sort of people who understand IBM dealing with ww2 Germany and medical clinics for the 'poor'.
Microsoft then went after schools and trained a generation of young dumb mouse clickers.
Sadly they have now grown up and infected most of the US network from point of sale to your power systems.
Some parts of your government do not trust MS, but then they do not trust you.
The benefits are an ave
Shrug, okay, lets make it secure. (Score:2)
Making a country secure is easy.
Everyone mandatory implanted ID that can't be removed or altered without dying, say a chip implanted in the brain that extends barbs.
Tracking posts everywhere. All travel recorded and logged.
1 computer system, can only be activated with ID. No 3rd party software let alone your own stuff, every access is recorded and logged for 10 years minimum.
Should I go on? It is easy to implement and will eliminate all security problems. Feel free to take these ideas for when you run f
So... (Score:4, Funny)
Internet Explorer 6 is older than the Euro (Score:1, Interesting)
Next time somebody tells you that their organisation can't switch from Internet Explorer 6 because of legacy intranet applications, point out that virtually all of Europe switched from their own centuries-old currency to the Euro in less time than it's taking to get rid of Internet Explorer 6.
Re: (Score:3, Insightful)
Stupid (Score:2)
Re: (Score:3, Interesting)
Video of the Exploit in Action (Score:5, Informative)
IE6 (Score:1)
Re:IE6 (Score:4, Insightful)
While it is writen to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.
Really? What do you base that on?
- First, there have already been a ton of exploits for IE7 and IE8 - and even some patches.
- Second, Microsoft never seemed to say that IE7 or IE8 were not vulnerable. They very carefully said this instead:
"At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.
That states there are other affected versions... but Microsoft hasn't seen attacks against them. I could care less what Microsoft has seen... they also "saw" XP and IE6 as secure (pre Service Pack 1).
It also means the other affected browsers are... IE4? IE5? IE7? IE8? I wonder which ones of those are the ones they are talking about? I could almost bet you that it's not a pre-IE6 browser that they are talking about.
Sorta like irony. Sorta. (Score:2)
Anyone else find it amusing that Google has its very own web browser [google.com] yet IE6 is apparently still widely deployed on their desktops?
Re: (Score:2)
Given the fact that the use of a web-browser is the main source of income for Google combined with the fact that IE6 still has a 10% market-share..
I'd be willing to bet that a shitload of people working at google simply need IE6 in one form or another to get their job done.
Re: (Score:1, Informative)
Re: (Score:2)
Your statement:
Leads me to think that your Deity card needs to be revoked or significantly downgraded. If that is one of the 'mysteries of the Universe", how the hell are you going to deal with something complex like calculus? I really don't think you ought to be running things, sir. Would you step this way please?
Google just wanted to pick a fight with China (Score:2)
I can not believe that Google, with all of its vast resources and years online, that a few email accounts getting hacked all of sudden set them off to pull out of China. They are pretending to the press as if this is something special or new on the internet that China is doing, or that these couple of "attacks" from China are too much. Google has got to be just hammered by Chinese attackers, and they make it sound like no other gmail account has ever been hacked. I bet they get thousands of illegally hacked
Re:Google just wanted to pick a fight with China (Score:4, Insightful)
Re: (Score:2)
It doesn't matter which browser. (Score:3, Insightful)
It doesn't matter which browser you're using ...
If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.
Until users change their behavior and start using least-privilege accounts while surfing the web, it's wrong to blame the browser.
Microsoft even says it in their security advisory kb 979352: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
And this applies to any OS: Linux, Windows, Mac OS, etc.
Rootkit - contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior admin access to execute and tamper with system files and processes.
Re: (Score:3, Interesting)
It doesn't matter which browser you're using ...
If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.
I don't disagree with it being better not running as admin, but a lot of malware will live quite happily in your userspace. And if a user privileged account is compromised there are privilege escalation exploits to get admin level, for fx rootkit if that is what they are after. MS is on to something with the IE8 protected mode sandbox in Vista/W7, running with lover privileges than even normal user. But it's just one part of this puzzle.
"the attack is very reliable on IE 6" (Score:2)
YES. Finally.
Kill IE6. Kill it with fire.
I really hope they posted it... (Score:3, Funny)
Fear, the Patch Tuesday of the Mind (Score:1)
Microsoft - By Idiots for Idiots (Score:1)