Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites
A reader writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.
... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
Somebody in the government... (Score:3)
Just lost their job... The same idiot that insisted on "let's make all our content only available through IE"...
Re: (Score:1)
You clearly have never worked for the government. The bozos making the decisions will still have their jobs, but the underling fall guys who recommended against it but had no choice but to do what they were told will become unemployed.
Re: (Score:2)
I actually work for the government; they just don't listen to the think tanks that tell them, "Nooooooooooooooooooooooo! Don't do that" and they just go ahead and do it anyway.
Re: (Score:2)
I used to work for the government, long enough to know that the most incompetent people are always promoted to management.
The entire top 3 levels of management in a government agency have a lower IQ than a small salad bar.
Re:Somebody in the government... (Score:5, Insightful)
It's often referred to as the Peter Principle [wikipedia.org], and I assure you, the exact same thing happens in private industry all of the time.
It's not unique to governments.
Re: (Score:2)
No.
The Peter Principle is "Employees tend to rise to their level of incompetence." They start out competent and reach the top of their rung, based on merit, so they get promoted. Eventually they get promoted to a job that they have no ability to do and they become incompetent through the promotion process.
The Dilbert principle states that in many cases the least competent, least smart people are promoted, simply because they’re the ones you don't want doing actual work. http://en.wikipedia.org/wiki
Re:Somebody in the government... (Score:4, Insightful)
I want whatever you are smoking. No one will lose their job over this because A) it's a government worker, B) Microsoft is like IBM in government: no one gets fired for picking it.
Would you Like to Play a Game? (Score:2, Funny)
How about Global ThermoNuclear War..
Re:Would you Like to Play a Game? (Score:5, Funny)
Re: (Score:1)
Hold Microsoft Responsible (Score:5, Insightful)
Re:Hold Microsoft Responsible (Score:5, Insightful)
Re: (Score:1)
The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.
It's an interesting theory. How much is enough?
Re:Hold Microsoft Responsible (Score:5, Insightful)
Yeah, that's the problem with a truly free market. Consumers are stupid and inattentive, corporations are clever and evasive.
If every consumer were Ralph Nader I'd be a free market zealot. As that's not the case we have to find a different way to assure corporations behave themselves.
BOO TO NADER (Score:3)
You're completely incorrect about consumer behavior and market regulation, and your example of Nader is a fabulous example.
The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. It's also responsible for increased pedestrian and cyclist fatalities (known as early as Peltzman's 1975 study) and may even make drivers less safe.
48 years after his book, despite all the tremendous advances in engi
Re: (Score:2)
The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems.
Bullshit, and also bullshit.
Big Auto and Big Oil's respective influences on politics in America are directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. Auto companies sell us gas guzzlers because they can advertise them on the basis of power (we love POWER!) and sell them for a lot more money even though they cost little more money to produce, and our laws permit us to drive these vehicles and fob the externalities off onto everyon
Re: (Score:2)
Again, your example proves my point and not yours. The second-generation (2007-present) Smart Fortwo is a 1800lb vehicle that gets surprisingly bad mileage (31/41) for how tiny and underpowered it is. My (1990?) Chevy Sprint Metro hatchback seated more people (5 vs 2), had way more cargo room, weighed 250lb less, and got better mileage (44/53). The difference is primarily in "safety" engineering geared towards unrealistic crash tests. With today's safety requirements, the closest equivalents to the Sprint n
MPG is low based on more than just safety reqs (Score:2)
You know what else keeps fuel efficiency low? Big engines. Consumers have demanded them instead of efficient vehicles in part because we make driving artificially cheap by subsidizing road construction with more funds than we take in from gas taxes. Consumers are typically horrible at acting rationally in their own self interest and are far more likely to act on emotion and misinformation, although I don't think the government should necessarily take the nanny role in those situations.
Re: (Score:2)
I'm in full agreement with your first three sentences; the US gas tax definitely needs to be substantially increased, as has been said by all the more honest experts, from Steven Chu to Greg Mankiw.
But your last sentence is nuts. People do a reasonably decent job at acting in their own individual self interest. We've distorted their incentives with huge subsidies, and in those circumstances it's especially unsurprising that people choosing what makes sense for them as individuals can lead to overall outcome
Re: Hold Microsoft Responsible (Score:2)
What color is the sky where you live?
Re: (Score:2)
Orange with a hint of Pepsi...
Re:Hold Microsoft Responsible (Score:5, Insightful)
If I make a medical device that has a serious software bug and goes awall and kills people I'm held responsible
And if you discover that software bug and issue fixes and notices and your customers fail to implement the fix, is it still your fault?
This one ... OK, this makes me a little twitchy ... isn't Microsoft's fault.
It's 2013. Why are they still running IE8 for anything where security is a concern? Windows 7 has been out for 4 years and IE9 for 2. IE10 is out, and two months should be enough to do a patch deployment, but even if it's borderline, by most accounts IE9/10 are not the horrible bags of garbage that the old versions were.
Who is not doing patch management? Who is allowing XP machines near critical systems? Who chose IE8 over Firefox when that decision was made? Did somebody specify an IE6-only solution prior to that, ignoring standards and best practices, leading to a chain reaction of a mess? Who is not cleaning that up?
Answer those questions and you'll find those responsible for today's vulnerable IT landscape.
And, of course, the primary responsibility lies with those coordinating the attacks. But we know those people are out there. If a clerk forgets to close up the store at night and goes home with the front door open, it's not that he is responsible for the burglars' actions, but he's also not doing his job and won't be working there the next day.
</ick>
Re: (Score:2)
IE8 is still supported. Windows 7 is just now something large companies and government are moving to. When you have hundreds of applications to verify or port it takes time.
XP is still supported as well. Firefox only gained GPO support recently and not many folks are even aware that exists.
Re: (Score:2)
The XP support ends in 2014.
Re: (Score:2)
Yes, and right now it is still 2013.
Most companies are going to barely make that cut, many will not.
Re: (Score:2)
You are preaching to the choir. The reality is there is no one to certify the apps. Most of these are from customers that require we use their systems, and they have to be certified because they are crap.
If Facebook failed this often grandma would find a replacement. We can't; we are stuck using this crap or we don't get paid.
Re:Hold Microsoft Responsible (Score:5, Interesting)
Exactly this.
Some of us are stuck with legacy systems, built with legacy tools, and the original developers are long, long gone. While we try to unwind the horrible spaghetti mess that is our core business software, we have to make do with Win-XP VMs and all sorts of neat tricks to keep the rickety shit from collapsing in on itself.
(Incidentally, if any of you reading this worked at Borland/Inprise in the late nineties: hello how ar... FUCK YOU! and fuck your ridiculous fucking desktop database fucking crap. You fucking morons have no fucking clue how to nail a board onto another board, and you should all be lined up and punched in the dick. /rant)
Re:Hold Microsoft Responsible (Score:5, Informative)
Then your legacy system is severed from any public LAN. Your security goes up by 600% if you remove its ability to do ANYTHING but what it is needed for. No, you can't email. No, you can't surf. No network access. You can only use a SANITIZED USB drive to copy the needed files off of the unit.
Not hard to keep them hacker-proof if the IT and ITS departments know what they are doing.
Re: (Score:2)
Unless the business demands it be on a public LAN.
Then what?
Re: (Score:2)
Well, that covers everything.
Re: (Score:2)
Right, that about does it. Report anyone using anything short of the latest version of anything for a violation of being stupid without a license. Problem solved, move along. You will of course not mind us shutting down your life support, sir! Why, you see, it's running a version of the firmware we simply cannot tolerate in this, our perfect utopia. Shut the fuck up, armchair warrior.
Re:Hold Microsoft Responsible (Score:4, Insightful)
If it's a municipality? Document it and deliver a nice anonymous tip to the local news about how the supervisors there are risking the public with their incompetence. News LOVES that kind of story.
You have a lot of options. Public humiliation tends to get the fastest results.
Hello, channel 5? Yes, I want to report that the administrators in Washington Township decided to take a computer running Internet Explorer 8, and connect it to the PUBLIC INTERNET! Can you believe the incompe-- Yes, I will hold. Hello?
Re: (Score:2)
Then your legacy system is severed from any public LAN.
No, they most definitely are not. This whole article would never be up there unless that was decidedly NOT the case.
Re: (Score:2)
we have to make do with Win-XP VMs
But do you let those VMs go out and play on the global Internet (or even a non-isolated LAN)? By the clueful tone of your post, I'm guessing not. Yes, legacy systems suck, but they can't last forever, so competent management has a plan to replace them, especially if they're rickety, and competent IT has a plan to protect/isolate them.
BTW, *epic* rant.
Re: (Score:2)
Yes, legacy systems suck, but they can't last forever so competent management has a plan to replace them, especially if they're rickety, and competent IT has a plan to protect/isolate them.
Unfortunately for the rest of us, "not forever" is a long, long time - just shy of forever. Legacy systems last however long the business can derive a profit from running them. Including the profit of sacking anyone not absolutely vital/related in the development department, then renaming it to IT (cause that's business-y). On the bright side, the learning experience of it all far outweighs any that could be had in any of the run-of-the-mill dev shops around here.
BTW, *epic* rant.
Thank you. That one has boiled for many, many
Re: (Score:2)
Umm, I believe your *cough* modifier is dangling.
Re: (Score:2)
Why are you acting like a doormat? Learning experience? None/very few of those skills are transferable.
Get a new job! If they truly _need_ the system they will pay you more than you can imagine for a short while. If you choose to stay, make sure when they finally fire you (they will) they think 'extortionist'. I'm talking about 7 figures for six months. The number you should be thinking of is the budget for the replacement system. Retirement or business starting money, your call, should you choose to do a
Re: (Score:2)
I'm perfectly capable of negotiating my own salary, that's not the point with this. It really doesn't matter what tools you're working with, what does matter is the things you accomplish. I knew from the start what I went into, but that does not excuse the Borland people from being ranted at. They produced some of the best development tools of their day, but this particular piece of software is an absolute abomination. And it's not because of the number of bugs in it, that's ok, bugs happen. It's the design
Re: (Score:2)
Some of us are stuck with legacy systems, built with legacy tools, and the original developers are long, long gone. While we try to unwind the horrible spaghetti mess that is our core business software, we have to make do with Win-XP VMs and all sorts of neat tricks to keep the rickety shit from collapsing in on itself.
While I don't expect you to do anything other than what you're doing, you should realize that not all businesses deserve to survive. Those which make very poor decisions like hitching their wagon to a turd deserve to fail.
Re: (Score:3)
This is one of the first statements I have seen that forwards the idea that application software is possibly responsible for creating problems. Everyone seems to dump on MS and ignore the problems that applications can introduce. The MS blue screen was a symptom of problems in the 3rd party hardware drivers and APIs from the start. MS has always tried to allow for a wide range of 3rd party hardware. Apple and MS have pursued opposite business models since they first arrived on the scene. Apple opted for con
Re: (Score:3)
If a bug is found 20 years after your software is released then there is still a bug and you should still offer a patch.
Forever, for free? Or are you planning to pay $10K up front for Windows 3.1? Or $99/yr for software maintenance on it?
Re:Hold Microsoft Responsible (Score:5, Insightful)
Re: (Score:2)
You correctly identify why the economics of open source are superior. That doesn't change the fact that most people aren't willing to pay up front for the costs of correct software.
Re: (Score:2)
Re: (Score:2)
Versions end of life. When you find a bug in the new version you always back port it? Where is this masterpiece so we can all see it?
Based on your post I see no significant rewrites/major versions. If you don't have any earlier major versions then backporting isn't much of a chore.
Then again if your sole project hasn't evolved enough to require a single major rework you should not pretend to be an authority.
Re: (Score:2)
For example: when Linux changes its driver model they rip out header files and replace them. This cascades to many other files that reference the driver model. You can't do that and maintain backward compatibility.
Fast forward a few years. You find a bug in the current kernel and fix it. Does it even exist in the obsolete versions? Who has time to check? If someone really needs the old version they can backport all the bug fixes they need out of the change log.
Your biggest project is a school project,
Re: (Score:2)
Re: (Score:2)
If your company adapts a closed software model then you should offer the same level of support as open source, meaning if someone finds a bug the company offers a fix.
I really don't see any reason why software should have to come with a warranty. If the market were willing to pay what that would actually cost to provide, then someone would be providing it by now. The People are apparently willing to pay what it would cost to provide that level of support for some software, as proven by Open Source and Free Software — in the form of time.
Re: (Score:2)
FOSS means no support at all.
That is a lie, and you are a liar.
Re: (Score:3)
If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible.
Only if your company isn't big enough to act with virtual impunity. Who was put in jail when BP murdered twelve people and devastated the gulf coast ecosystem, in order to cut maintenance costs?
Re: (Score:2)
Re: (Score:2)
Well, their EULAs indemnify them from this, and courts have upheld the EULAs.
So, no, they're not really held responsible, and there is a legal framework as to why.
Software companies can do almost anything they want to, or as badly as they can get away with, and for the most part there's not a thing you can do.
Awesome, isn't it?
Re: (Score:2)
Re: (Score:3)
I think it's BS personally. If I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone, same deal; if I'm a programmer and someone gets hurt from my code I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.
Well, are you willing to pay for software development costs that include developers carrying insurance the way that doctors and engineering firms do? Are you willing to spend the amount of money it takes to hire competent developers? Are you willing to wait a significant amount of time so that the software design is thoroughly vetted and tested instead of just rammed out the door?
Or do you want your Lower Prices Everyday - Git-er-Dun cheap crap?
Re: (Score:2)
I don't care what happens, I am NOT tucking in my Hawaiian shirt.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Because you agreed to it when you clicked YES on the EULA. The legal standing of the EULA needs to be abolished.
Re: (Score:2)
I think you can dump all the oil you like and get away with a slap on the wrist. Heck, senators will even apologize to you.
Re: (Score:2)
Only if you have enough oil to dump. Try pouring a quart of crude oil onto your senator's plate when he's eating at a fancy seafood restaurant, and you'll get a far less friendly response than if you dumped over two hundred million gallons on the food supply and livelihood of millions of gulf coast residents.
Re: (Score:2)
Well that is obvious.
You have to be too big to fail/punish/obey the law.
Re: (Score:2)
Only if that bug kills people in and of itself. If it merely allows other people to kill people, then no. Same way an auto manufacturer is not held responsible if someone successfully plants a bomb in your trunk to kill you.
Re: (Score:2)
Where are the stand alone machines? (Score:3)
It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.
Re: (Score:1)
Note: I'm just a fourteen-year-old geek posting to
Re: (Score:2)
I'm not quite a neckbeard but you are four years older than my children.
Once I'm done remodeling my basement it will be a very nice place to post to slashdot from.
Re: (Score:2)
I'm pretty sure he was making a reference to Rep. Mike Rogers' comment on opponents to CISPA.
http://www.google.com/search?q=mike+rogers+cispa+14 [google.com]
Re: (Score:2)
Even better, why not keep the internal machines completely locked down with zero ability to connect to the Internet (and perhaps have the IDS/IPS that monitors that segment set to look for packets that are not that IP range, just to make sure.)
Then have a Citrix server (preferably on a VMware or other hypervisor for quick snapshot rollbacks) for the Web browsers and anything that connects to the outside world directly?
This isn't rocket science, and I've seen places who used Citrix not just to keep the outsi
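The segmentation idea in the post above (internal machines with no route to the Internet, plus a sensor on that segment that flags any packet whose destination is not in the permitted ranges) is easy to turn into a concrete check. The following is an added example, not code from the original thread or from any vendor mentioned in it; the segment ranges, the flow-record format and the sample records are all constructed for illustration.

```python
"""Flag traffic leaving an isolated segment for anywhere but its permitted ranges.

Added example (not part of the original thread). The policy ranges and the flow
log format below are assumptions chosen for the demonstration.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed policy: the locked-down internal segment and the only destinations
# its hosts may talk to (itself plus an internal services range for
# patching/file shares). Constructed values.
ISOLATED_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DESTINATIONS = (
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.99.0.0/24"),
)


class Flow(NamedTuple):
    timestamp: str
    src: IPAddress
    dst: IPAddress
    dst_port: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one assumed 'timestamp src dst dst_port proto' record.

    Returns None for malformed records so one bad line cannot stop the sweep.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(port), proto.lower())
    except ValueError:
        return None


def is_egress_violation(flow: Flow) -> bool:
    """True when a host inside the isolated segment reaches anything off the allow-list.

    Traffic from other segments is ignored here; it belongs to a different sensor.
    An address of the other IP version is never 'in' a network, so a v6
    destination from a v4 host is correctly reported as a violation.
    """
    if flow.src not in ISOLATED_SEGMENT:
        return False
    return not any(flow.dst in net for net in ALLOWED_DESTINATIONS)


def find_violations(lines: Iterable[str]) -> List[Flow]:
    """Run every record through the policy and return the offending flows."""
    violations: List[Flow] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and is_egress_violation(flow):
            violations.append(flow)
    return violations


# Constructed sample flow log: one DNS query inside the segment, one SMB
# connection to the services range, one HTTP connection to an external address
# (the violation), one flow from a host outside the monitored segment, one RDP
# session inside the segment, and a garbage line the parser must skip.
SAMPLE_FLOW_LOG = [
    "2013-05-05T10:01:00Z 10.20.4.17 10.20.4.1 53 udp",
    "2013-05-05T10:01:02Z 10.20.4.17 10.99.0.10 445 tcp",
    "2013-05-05T10:01:05Z 10.20.4.17 198.51.100.23 80 tcp",
    "2013-05-05T10:01:09Z 10.30.1.5 198.51.100.23 80 tcp",
    "2013-05-05T10:01:11Z 10.20.4.17 10.20.9.200 3389 tcp",
    "not a flow record",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOW_LOG):
        print(f"ALERT {v.timestamp} {v.src} -> {v.dst}:{v.dst_port}/{v.proto} "
              f"left isolated segment {ISOLATED_SEGMENT}")
```

Run as a script, it prints a single alert for the 10.20.4.17 host's HTTP connection to 198.51.100.23; a real deployment would feed it exported flow records or firewall logs instead of the embedded sample, and would tighten the allow-list further (per-port rather than per-network) once the legacy application's real dependencies are known.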
Re: (Score:3)
All that stuff costs money.
People will complain the government is wasting their tax dollars if they ever tried to spend money on that.
change.org (Score:2)
We need to make a petition at change.org! Oh, I guess we only do that for Oracle.
Anyone remember the saying? (Score:1, Insightful)
"Nobody ever got fired for picking Microsoft." The time is ripe for that being overturned.
What company ? (Score:2)
a big European company operating in the aerospace, defense, and security industries
Or EADS for short. I mean, "a"??? Is there any other?
Re: (Score:2)
Yup there are other ones. Thales also comes to mind....
Re: (Score:2)
Oops, you're right. Wikipedia has a nice list [wikipedia.org].
The given definition for aerospace manufacturer has "and/or spacecraft", while I thought the "and" was mandatory (to differentiate from "aeronautics").
If we go by the "and", this other list [wikipedia.org] leads to a shorter list of EADS, Thales and Safran (if I didn't miss one).
Where's The Java-Like Outrage? (Score:2)
While it seems to have died out a bit (and Oracle certainly showed little concern), there were cries from some people to remove Java from everyone's computer because of the (legitimate) exploits in applets. Am I missing something, or shouldn't the same people be calling on everyone to remove I.E. from their computers, given Microsoft's record with browser exploits?
Re: (Score:3)
I've already removed it in favor of Chrome.
Remove IE? (Score:2)
You do know that IE can not be removed from Windows, right? You do know MS was in big trouble with governments over its bundling of IE and its LIES in court about it being impossible for them to remove?
Well, then you probably don't know about how Bush appointed MS to oversee its own punishment after losing the court case... and that is why the problem continues unresolved...
Re: (Score:3)
IE can be removed enough from Vista and later that its engine is not easily used for untrusted content.
Re: (Score:2)
Thanks. I clearly haven't touched Windows since XP... some relatives' PCs had it and I didn't even look to see if I could actually uninstall IE. Next time I'll try it.
Re: (Score:2)
Yea, go to Control Panel->Programs and Features->Turn Windows features on or off.
Re: (Score:3)
I will let you in on a secret. There is only a tiny number of wannabe IT experts who are "outraged" while everybody else saves their indignation for shit that really matters. And as far as software bugs go, name one program more complicated than "Hello World" that doesn't have bugs. If you want bug-free software you might as well get used to a 10 year release cycle because that is how long it would take to guarantee bug-free software. Of course that puts a real crimp in the advancement of any actual hardware,
Re:Where's The Java-Like Outrage? (Score:4, Informative)
Because the Java exploits applied to the latest, fully patched version – not an old version which has been superseded for more than 2 years.
plain shoddy, and v. others? (Score:2)
I used to see Internet Explorer as the devil, so full of holes it would result in your Windows box needing a reinstall every couple months.
I was aggressively advocating switching from IE around the apex of this [wikipedia.org] curve, and overjoyed as it plummeted.
Are my prior impressions about IE being buggy and dangerous still valid? Has IE cleaned up any? I get the impression it has.
And I was pushing folks to use Firefox as the alternative. How does Firefox compare to IE now? I get the impression IE is still a bad cho
Re: (Score:3)
IE9 and later are not affected by this zero day.
How about a nice game of chess? (Score:2)
Re: (Score:2)
Where'd the malicious links come from? (Score:2)
Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.
So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?
Re: (Score:2)
I'm wondering too. Reading the /. discussion in the hope of finding the answer, but all I read so far was just the usual MS-bashing and MS-defense blabber.
How can a browser vulnerability compromise a server? Or are the redirects only happening in the browser? Then the summary is misleading.
Stop calling everything a 0-day attack! (Score:5, Insightful)
This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)
Re: (Score:2)
Re: (Score:3)
Time travel has its advantages.
Re: (Score:2)
Re: (Score:2)
Re:Wow (Score:4, Funny)
We don't blindly hate Microsoft; we've seen it all too much.
Re: (Score:2)
You know, it really helps a debate when every single point you make is followed by telling the readers they're idiots. It just drives home the fact that a smarter person wouldn't be reading your post.
Re: (Score:2)
Here I was hoping you were the real one. I'd rather have him around again instead of all these stupid APK troll posts.
The best is the time when the two of them managed to troll each other.
Re: (Score:1)
Re: (Score:1)
Here's some documentation on why it's bad.
The Black Book of Communism [harvard.edu]
Re: (Score:2)
Like this ?:
https://blog.mozilla.org/blog/2013/04/03/mozilla-and-samsung-collaborate-on-next-generation-web-browser-engine/ [mozilla.org]
Re: (Score:2)
I've never coded something in Erlang, but I believe Rust tried to copy the idea of message passing from Erlang.
I think message passing allows you to copy the data, which would mean you might not need to deal with cache coherence issues.