Code Used To Attack Google Now Public

timothy posted more than 4 years ago | from the clever-scoundrels-still-scoundrels dept.

Internet Explorer 128

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

128 comments

This is shocking! (4, Insightful)

eihab (823648) | more than 4 years ago | (#30787502)

The attack is very reliable on Internet Explorer 6 running on Windows XP ...
That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems

Google has employees running XP/IE6???

The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare access anything with IE6 (especially with reputable sites being hacked and all).

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

This is a shocker!

Re:This is shocking! (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30787528)

> Google has employees running XP/IE6???
Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30790506)

That statement doesn't really mean anything.

Re:This is shocking! (2, Insightful)

bfree (113420) | more than 4 years ago | (#30787552)

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

Re:This is shocking! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30787572)

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.

Digg and Slashdot won't display correctly in that version of firefox (so much for web standards). There are people out there who can't change for good reasons.

Example? (1)

XanC (644172) | more than 4 years ago | (#30787912)

Can you give us some of those "good reasons"?

Re:Example? (1)

Architect_sasyr (938685) | more than 4 years ago | (#30788142)

Nobody attacks Firefox 2.x anymore, so it must be secure!!!1!!

Re:Example? (5, Insightful)

eihab (823648) | more than 4 years ago | (#30788262)

Can you give us some of those "good reasons"?

I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.

Re:Example? (0)

XanC (644172) | more than 4 years ago | (#30788322)

None of that is a reason to run IE6 or Firefox 2. Sounds like the latest versions of IE and Firefox will run just fine on what they have.

Re:Example? (0)

Anonymous Coward | more than 4 years ago | (#30788996)

"I was at a business this morning that still runs Windows 98"

None of the latest versions of all major browsers work on this OS. Read things sometimes, instead of skimming...

Re:Example? (1)

erlando (88533) | more than 4 years ago | (#30789224)

The largest bank in Denmark has all its employees running IE6 on Windows XP. The reason? It will cost $XX million to modernize all the legacy mission critical only-running-on-IE6 software.

Re:Example? (1)

cyber-vandal (148830) | more than 4 years ago | (#30789382)

IE8 requires at least XP. Firefox 3.5 requires at least Windows 2000. So you're completely wrong.

Re:Example? (1)

XanC (644172) | more than 4 years ago | (#30791612)

I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

Re:Example? (0)

Anonymous Coward | more than 4 years ago | (#30791244)

What this company needs to do is:

Set up a caching proxy for outside internet access.

Block direct port 80 access to everything except the offending IE only application

Load Firefox or other browser other than IE configured to use the proxy

This can also be done by using a non-standard TLD for the IE only site, and restricting IE to that non-standard domain with a proxy.pac file. Thus a proxy is optional.

Have 2 icons on desktop, one pointing to Firefox and labeled "internet"

A second icon labeled whatever the name of the $xx,000 app, and pointed directly at the app.

When I worked for state government, we had a few apps like this. I pointed the IE browser via a command line URL to a special webpage that contained links to all such apps. The regular Firefox browser pointed to the main page of the same webpage containing links to all the other business related sites on the Internet at large.

This takes away 99.999% of the risk, as the only way the IE browser can get infected by web page access is if your $xx,000 app were to get infected. This is because they never surf the internet with the insecure browser.
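
The proxy.pac restriction described in the comment above, as an added example that is not part of the original comment. The `.legacyapp` TLD and the `127.0.0.1:9` sink address are assumptions chosen for illustration.

```javascript
// proxy.pac for the legacy IE install only (added example, not from the thread).
// Assumptions: ".legacyapp" is a hypothetical non-standard TLD used for the
// IE-only application; 127.0.0.1:9 is a local port with no listener, so any
// request sent there fails instead of reaching the Internet.
// Written in ES3-style JavaScript because old PAC engines predate newer syntax.

var ALLOWED_SUFFIX = ".legacyapp";
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Lower-case the host and drop trailing dots so "ERP.LegacyApp." still matches.
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  while (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// True only when the host ends in the allowed TLD. Comparing the suffix
// together with its leading dot rejects look-alikes such as
// "erp.legacyapp.example.com" or "notlegacyapp".
function isLegacyAppHost(host) {
  var h = normalizeHost(host);
  var tail;
  if (h.length <= ALLOWED_SUFFIX.length) {
    return false;
  }
  tail = h.substring(h.length - ALLOWED_SUFFIX.length);
  return tail === ALLOWED_SUFFIX;
}

// Only plain web traffic to the application is let through.
function isWebScheme(url) {
  var u = String(url || "").toLowerCase();
  return u.indexOf("http://") === 0 || u.indexOf("https://") === 0;
}

// Entry point the browser calls for every request: the legacy application
// is reached directly, everything else is sent to the dead-end proxy.
function FindProxyForURL(url, host) {
  if (isWebScheme(url) && isLegacyAppHost(host)) {
    return "DIRECT";
  }
  return BLACKHOLE;
}
```

A PAC file is only a browser setting that a user can change, so the firewall rule from the same comment (no direct port 80 access except to the application) remains the enforcing control.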

Re:This is shocking! (1)

Gr8Apes (679165) | more than 4 years ago | (#30787916)

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux....There are people out there who can't change for good reasons.

No, there are people out there who drank the Kool-Aid and built systems on alpha software and refuse to change. That's different than cannot change like a leopard can't change its spots, but it can certainly decide to eat the rabbit over the snake.

Re:This is shocking! (1)

Sir_Lewk (967686) | more than 4 years ago | (#30791326)

So because you found a single company stupid enough to use such terribly obsolete pieces of software, I have to change how I test my product?

This is what is wrong with web development, in a nutshell.

Re:This is shocking! (5, Insightful)

eihab (823648) | more than 4 years ago | (#30787598)

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.

I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Re:This is shocking! (0, Troll)

Anonymous Coward | more than 4 years ago | (#30787618)

Anyone else smell the BS from this post?

Re:This is shocking! (2, Informative)

eihab (823648) | more than 4 years ago | (#30787666)

Anyone else smell the BS from this post?

What BS Mr. AC? Name something.

About me refusing freelance work that doesn't live to my standards? Guess what, it's "extra", and if my main job takes care of everything and then some, then I get to be VERY freaking picky about what I do with time I can spend doing what _I_ want.

Or did the $x,000 freak you out? Do you even work? What's your hourly rate?

Bah, I know better than to respond to ACs, but this was just infuriating.

Re:This is shocking! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30787966)

The way that _you_ type is _extremely_ _annoying_. You don't have to tack on underscores to words or do anything else to them for that matter for people to understand what it is you're saying. Trying to add emphasis to words in your posts like this is completely unnecessary.

Re:This is shocking! (1, Offtopic)

eihab (823648) | more than 4 years ago | (#30788144)

The way that _you_ type is _extremely_ _annoying_. You don't have to tack on underscores to words or do anything else to them for that matter for people to understand what it is you're saying. Trying to add emphasis to words in your posts like this is completely unnecessary.

_I_ am _very_ sorry if _this_ "annoyed" ||you||. I'll "try" to be more _careful_ next 'time'.

Re:This is shocking! (1)

eihab (823648) | more than 4 years ago | (#30788266)

I was shooting for funny but I guess I annoyed someone else too :P

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30788492)

Eihab... different AC here. Sure you aren't William Shatner?

bad aim? (1)

CaptainNerdCave (982411) | more than 4 years ago | (#30789132)

every time i shoot at funny, all i hear is whoosh

Re:This is shocking! (1)

Antiocheian (859870) | more than 4 years ago | (#30789902)

Asterisks as well. While I know no manual of style, I think asterisks are used for tone while underscore for emphasis:

*I* am _very_ etc

Re:This is shocking! (1)

Geoffrey.landis (926948) | more than 4 years ago | (#30790554)

Well, asterisks are used for italics while underscore characters are used for underscored font. So if you use underscore for emphasis, you'd be right. I think of italics as emphasis, myself.

/. supports html, though, so you could just use italics.

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30790660)

He is probably used to the command line. I prefer to write I_Love_Food rather than I/ love/ Food

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30789962)

You misunderstood. _I_ is a pictogram of his flat ass from all the freelance work he does for hex zero dollars.

Re:This is shocking! (3, Funny)

Anci3nt of Days (1615945) | more than 4 years ago | (#30787672)

yeah - who eats pizza???

Re:This is shocking! (1)

erlando (88533) | more than 4 years ago | (#30789262)

Not at all.

This is exactly the way I do it too. Except I explicitly tell all clients that "IE6 support will cost you XX hours extra". At $120+ an hour they think twice about IE6

Re:This is shocking! (1)

jo42 (227475) | more than 4 years ago | (#30787834)

You're marketing it all wrong. You need to sell the downloading and installing of the Firefox plugin for IE6...

Re:This is shocking! (1)

Gr8Apes (679165) | more than 4 years ago | (#30787944)

At this point, I purposely break IE6 by including certain 3rd party libraries that are standards compliant yet don't work in IE6. I have that little notice that this site may not work properly in IE 6, along with a link to Firefox and Safari.

Re:This is shocking! (2, Funny)

Anonymous Coward | more than 4 years ago | (#30788060)

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

You're doing it wrong.

Maybe he is a she? (1)

SmallFurryCreature (593017) | more than 4 years ago | (#30789974)

Everyone knows girls need longer.

This is a wise course (1)

symbolset (646467) | more than 4 years ago | (#30788534)

As long as after work you keep your skills up on modern tech, taking the customer's money to do the stupid thing is a wise course. Advising them, giving the chance, telling them that it's stupid is the moral choice but if not asked there's no shame in doing what you can with what you've got.

Actually there's an opportunity here - but I'm not going to enumerate it because then you'll be competing with me.

Re:This is shocking! (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30788704)

This is exactly the reason having kids, family, lights and such other things is EVIL.
Having them forces people to do evil things just to maintain them.

Re:This is shocking! (1)

dreamchaser (49529) | more than 4 years ago | (#30789648)

I know you're trolling, but there is NOTHING 'evil' about supporting a commonly used browser while also trying to educate one's customers about alternatives/upgrades. Get a life :)

Re:This is shocking! (1)

Xaduurv (1685700) | more than 4 years ago | (#30789430)

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

You have no imagination.

Re:This is shocking! (1)

ckclark (311376) | more than 4 years ago | (#30791094)

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Everyone seems to be talking as if the problem stops at having IE6 installed. To be exploited, more stupidity is required. Minimally, the user would have to launch IE6 and visit a malicious web site and probably do a couple of other things as well...

So maybe someone was doing exactly what you say... ;-)

Re:This is shocking! (1)

ckclark (311376) | more than 4 years ago | (#30791316)

Okay, I have to admit that I should have read the code for this exploit first, because this one has a visit-only requirement. There's a nice video showing metasploit to do this:

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Re:This is shocking! (1)

RobertM1968 (951074) | more than 4 years ago | (#30788118)

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

No, because most average computer users will simply not visit the site again.

Re:This is shocking! (4, Insightful)

tixxit (1107127) | more than 4 years ago | (#30788192)

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.

Odd, innit. (0)

Anonymous Coward | more than 4 years ago | (#30791416)

Odd, innit. When it comes to 10% Linux and 10% Mac making 20% of a market, they can be ignored.

But when it comes to 20% using IE6, it can't.

How's that happen?

Re:This is shocking! (1)

TheLink (130905) | more than 4 years ago | (#30788252)

There's probably plenty of stuff that still requires IE6 to work.

For example: HP's iLO stuff appears to be very browser type, version and configuration sensitive. We've had some problems using HP iLO with IE8.

Yes it works with IE7, but in our company the class of machines that upgraded to IE7 would be on IE8 by now (or would soon be).

The rest would still be on IE6.

In her defense.. (1)

symbolset (646467) | more than 4 years ago | (#30787556)

That admin has a hot rack.

Re:This is shocking! (1)

antdude (79039) | more than 4 years ago | (#30787952)

I still use and have to support it. MS still also supports it. :(

Re:This is shocking! (1)

Kingrames (858416) | more than 4 years ago | (#30788164)

Well, it's not entirely unbelievable to think that there might be a computer somewhere in Google HQ that hasn't used IE in 4-5 years, and if someone went to a website that said it required IE, and you just clicked the blue button and typed in the address, yes, something like this could happen.

And it's a believable explanation that doesn't assume malice or stupidity on their part.

Re:This is shocking! (1, Informative)

Anonymous Coward | more than 4 years ago | (#30788384)

Even more shocking to me, after last December's SAP system *upgrade*, our company's customer relation software only works on IE6, IT officially announced that IE7 and later are not supported. We are asked to downgrade our browser to IE6.

We are a big tech company in the US.

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30788998)

I only run it on Wine. And I still don't feel safe :\

Re:This is shocking! (3, Insightful)

QuantumG (50515) | more than 4 years ago | (#30789090)

Gah. Why does this stupidity keep getting repeated?

IE6 comes installed with Windows XP.. you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.

The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:

1. Send the target a PDF.
2. They open it in Acrobat Reader.
3. Acrobat Reader loads up IE to display some elements of the PDF.
4. The embedded code triggers an exploit in IE.
5. Arbitrary code execution follows.

And yes, it is a totally lame attack but it works because:

* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.

End of story.

Re:This is shocking! (1)

cyber-vandal (148830) | more than 4 years ago | (#30789400)

Because IE6 is still a very widely used browser and therefore every large internet company needs it around to test stuff.

Re:This is shocking! (1)

V for Vendetta (1204898) | more than 4 years ago | (#30789438)

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

Here's another option for being forced to use IE6: still running W2K here. Unfortunately, MS decided "IE7 needs >= XP". So, until we replace our hardware, we can't upgrade to IE > 6 (which we would like to do, believe me, IE6 sucks hard). And no, we can't replace IE with another browser. 3rd party software requires IE in order to work.

You might ask "Why you're still on W2K?". Well, because at that time, XP offered nothing over W2K for us which would justify the amount of money and time needed to upgrade.

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30789538)

IE7 and IE8 are also affected according to MS:
http://arstechnica.com/microsoft/news/2010/01/microsoft-warns-of-ie-security-flaw-used-in-google-attacks.ars

Re:This is shocking! (1)

lieden (897813) | more than 4 years ago | (#30790620)


Remember, Google also employs lawyers, accountants and any number of non-dev staff.
I would bet that most IE testing is done in the VM world, but not every Google employee works in tech - a lot of them probably just want Quickbooks and Exchange/Outlook to work. Maybe that was a hole in the armour and led to an attack vector.

It's another issue that these people would have access to raw Google data. That's no good. But I doubt there's any significant number of the people one typically thinks of as a Google employee that uses IE.

Don't they mostly run Linux on desktop (using VM for testing)? (not positive about that one)

Re:This is shocking! (0)

Anonymous Coward | more than 4 years ago | (#30791318)

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

Ha. My company's bank website for business clients is a POS written with a crappy java app called TruePass from Entrust [entrust.com] .

It is a piece of crap that requires IE6 or IE5.5, and won't work with web proxies.

The bank is Scotiabank, the 3rd largest bank in Canada (and bigger than Citibank & US Bancorp). This is only the case for their business clients - they are forced to use the "Scotiaconnect" [scotiabank.com] service. They even have a helpful browser detection webpage [scotiabank.com] telling you how crappy their website is and requires ancient versions of IE.

Scotiabank's individual clients have a normal html-based website.

Thank god I run IE4! (5, Funny)

Peter Steil (1619597) | more than 4 years ago | (#30787518)

Seems like running IE4 on windows 95 has paid off....finally! Now if only active desktop worked properly...

MOD PARENT INSIGHTFUL (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30787616)

Seriously guys, who cares about standards compliance when this type of security issue exists, for all modern browsers? Does anyone actually look to exploit IE4 anymore? I doubt it. For security without having to install annoying updates....just run IE4.

Re:MOD PARENT INSIGHTFUL (0)

Anonymous Coward | more than 4 years ago | (#30787884)

or 5.5, because it is easier to find in a downloadable form

Re:MOD PARENT INSIGHTFUL (1)

CAIMLAS (41445) | more than 4 years ago | (#30787982)

Try it... about 3 of the web pages in the world will actually display... Two of them are probably in Ugandan.

So you are the one (1)

SmallFurryCreature (593017) | more than 4 years ago | (#30789986)

So you are the one that has sales demanding we support old browsers.

Right men, we got its location, capture is imminent.

Anyone want to set up a poll what do with him?

It better have a cowboyNeal option.

"Aurora" IE Exploit Used Against Google in Action (4, Informative)

Proudrooster (580120) | more than 4 years ago | (#30787558)

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [praetorianprefect.com]

Yawn, another unpatched MS browser exploit.

I hear there are several more for sale...

Re: "Aurora" IE Exploit Used Against Google in Act (0)

Anonymous Coward | more than 4 years ago | (#30790816)

Yawn, another unpatched MS browser exploit.

For two-versions-ago of a browser on two-versions-ago of the operating system (that MS has tried to end-of-life repeatedly). In other news, Roman centurions' helmets have been found to provide woefully inadequate protection from rocket-propelled grenades...

A Question (1)

koan (80826) | more than 4 years ago | (#30787586)

I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet, the benefits versus the liabilities seem way out of proportion.
The fact that a bit of code can compromise governments is a strong indicator that no one really knows what they are doing in said government, and also begs the question why isn't Microsoft held liable for these issues? Why do we even use Windows for Government systems?
Hackers are cutting edge people, the government seems to be dwelling in 1990's tactics and security.

Re:A Question (1)

Anonymous Coward | more than 4 years ago | (#30787720)

I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet

It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to be accessible to the internet... somehow.

Re:A Question (3, Insightful)

tagno25 (1518033) | more than 4 years ago | (#30787930)

It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to be accessible to the internet... somehow.

Unless there is no cable connecting them to any device that has access to the outside world, USB ports and CD/DVD drives are disabled, you use security on the cables, and you do not run Windows.
If you connect ANYTHING that is not approved then you can be fired and then sued if anything happened because of it.

Re:A Question (3, Funny)

DeadPixels (1391907) | more than 4 years ago | (#30787764)

Have you seen any of the new IBM commercials? We have to "build a smarter electrical grid", and if that means connecting our generators to 4chan, then so be it!

Re:A Question (1)

Ziekheid (1427027) | more than 4 years ago | (#30787770)

It's not a strong indicator that no one really knows what they are doing per se. First of all there is a big difference between a private network that is cut off from the internet and contains access to a lot of very sensitive data and a public network with employees working with semi-sensitive data.
Beside that it will always be a cat and mouse game and the type of browser (despite IE6 being very bad) with all currently popular browsers in mind wouldn't make that much of a difference because people will always focus on popular targets and Firefox is no exception.
Why should Microsoft be held responsible for these issues?
It's your own choice to pick a browser and no browser on the market can guarantee to be 100% safe, it rather begs the question why people haven't upgraded from IE6 to IE8 yet.
I'm also pretty sure companies like Microsoft have made sure they are protected from liability suits when it comes to products like these.

Re:A Question (1)

DarkOx (621550) | more than 4 years ago | (#30790082)

Why should Microsoft be held responsible for these issues?

As a principled person I see your point and I agree with it. I would point out though in practice that software companies are treated incongruently with regard to liability.

Manufacturers of other goods are held accountable when safety equipment fails. IE has all sorts of "safety equipment" these days, pop-up blocking, phishing filters; the whole trusted/untrusted sites thing goes back to IE6 and prior.
 
Suppose you got in a car accident and the airbag failed to deploy; I suspect you could have a very successful law suit against the automaker.

Re:A Question (1)

Grygus (1143095) | more than 4 years ago | (#30790646)

This is true, but the key difference is that people aren't mucking about with the latest installation of their airbag, and criminals aren't gaining access to peoples' cars without their knowledge and tampering with the airbag; in other words, if the airbag fails it's very likely the manufacturer's fault, they exercise almost total control over the system in the vast majority of cars.

Contrast this to computer security problems, which are sometimes the fault of the security provider (in this case Microsoft) but just as often (if not more often) are the result of user interference (people misunderstanding how the security system works or disabling security altogether) and malicious intent.

The real culprit isn't Microsoft, but the people who write malware; for some reason we don't spend much time blaming the criminal and we heap all our discontent on Microsoft. Maybe because they're the easy target here. At any rate, hopefully this shows why a lawsuit against Microsoft is illogical; they do not have sufficient control over the situation to prosecute them.

Re:A Question (1)

AHuxley (892839) | more than 4 years ago | (#30788618)

IBM had monopoly issues, so they spun off their desktop to Microsoft via a trusted known, wealthy family name, Gates.
The sort of people who understand IBM dealing with ww2 Germany and medical clinics for the 'poor'.
Microsoft then went after schools and trained a generation of young dumb mouse clickers.
Sadly they have now grown up and infected most of the US network from point of sale to your power systems.
Some parts of your government do not trust MS, but then they do not trust you.
The benefits are an average American can point and click. Short term profit versus the cost of Unix etc. help too.
As for liabilities? At first MS was not networked, a dos box printing or counting, or networked to a real OS.
Later everybody had a go at this cheap MS code thing and networked.
What the US saved in rapid cheap roll out they are now going to have to watch crumble or be taken over.
Don't worry MS has cloud computing and mobile grade back ups and real security now, Bill, etc., said so.
On the flip side, MS selling is great for the US gov. As China shows, if Google can be hacked via MS, what has the CIA, NSA, FBI etc. been doing with its world wide 'telco' networks, 24/7 for many years?
As for your electrical grid, they respond to their shareholder needs, not you the consumer and MS was fine.
If it breaks, you will pay per year to upgrade.
If your lights are out and your CC number is misused, hire a lawyer.

Shrug, okay, lets make it secure. (1)

SmallFurryCreature (593017) | more than 4 years ago | (#30790016)

Making a country secure is easy.

Everyone mandatory implanted ID that can't be removed or altered without dying, say a chip implanted in the brain that extends barbs.

Tracking posts everywhere. All travel recorded and logged.

1 computer system, can only be activated with ID. No 3rd party software let alone your own stuff, every access is recorded and logged for 10 years minimum.

Should I go on? It is easy to implement and will eliminate all security problems. Feel free to take these ideas for when you run for election.

Security is easy, freedom and security ain't. To be honest, I prefer my government to be a bit slow and inefficient. The alternative is far scarier.

People are so upset about that illegal immigrant who got shot on the tube when he tried to run. I would be far more worried if that guy had NEVER been able to make it into the country or if they had shot the right guy with a sniper efficiently. The whole mess shows there is still freedom. Freedom to get shot for sure, but also the freedom for journalists to still find leaks.

Re:Shrug, okay, let's make it secure. (0)

Anonymous Coward | more than 4 years ago | (#30790922)

You avoided the real question and got on a soap box with your "agenda", the question is "Why put critical systems online and make them accessible thru the Internet?"

Re:A Question - AN ANSWER (w/ proofs) (0)

Anonymous Coward | more than 4 years ago | (#30790058)

"Microsoft held liable for these issues? Why do we even use Windows for Government systems?" - by koan (80826) on Friday January 15, @11:07PM (#30787586)

I feel that MS ought to ship a system TOTALLY "closed off", personally (or, @ least, security hardened, per the guidelines I set below)

I do show guidelines for security that DO actually work no less there!

Simply due to the usage of "layered security", conscientious patching, & knowing when and when NOT to use things like JAVASCRIPT + FAR MORE!

(E.G.-> AND, even a "return to antiquities teachings" (per Ozymandias of "The Watchmen" in that quote) by using things like HOSTS files for example, which is 1970's thinking (but, it works like no tomorrow for BOTH added speed, but more importantly, for ADDED LAYERED SECURITY, especially nowadays...)).

Then, when the END-USER elects to "turn those features" on again (or rather, the protection vs. them, off)? He/She, as said end-user, assumes the responsibility for what happens... NOT MS!

(MS ships these OS' nowhere NEAR where they can be 'security-hardened' to, & probably so "everything just works" + so it's easier to "mass deploy" quickly, imo @ least, as to the "WHY" of why MS' OS are so damned 'wide open' outta the box/oem stock!)

----

"Hackers are cutting edge people, the government seems to be dwelling in 1990's tactics and security" - by koan (80826) on Friday January 15, @11:07PM (#30787586)

Ah, ACTUALLY in my experience (more than a year professionally dealing with their junk, disassembling & tracing it, & removing it etc. et al as part of my job duties when level 1 folks failed vs. them)?

They're MOSTLY "script kiddies" actually...

I.E.-> Using & REUSING the stuff the TRULY "cutting edge" people's (hacker/cracker) designs & work + tactics, over & over again, prefab style. Sometimes with only SLIGHT variations...

HOWEVER, for security THAT ACTUALLY WORKS (with a testimonial I'll supply, just one of MANY like it, from those that applied my guide's techniques/methods/suggestions)?

YOU DO THIS:

====

HOW TO SECURE Windows 2000/XP/Server 2003/VISTA/Server 2008/Windows 7, & make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=fc2d534ea11b15071b6ffc04ad948f00&showtopic=2662 [tcmagazine.com]

====

A testimonial to its effectiveness, for a year straight no less of uptime (& beyond, this reply is quite old actually):

----

PERTINENT QUOTE(s)/EXCERPT(s):

http://www.xtremepccentral.com/forums/showthread.php?t=28430 [xtremepccentral.com]

"...recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual. Now I don't recommend this for the average joe, but it if can work for a kids PC it can work for anything!"

and

http://www.xtremepccentral.com/forums/showthread.php?s=10f9ba9ad5ff990aaae1e7ec91f593a2&t=28430&page=3 [xtremepccentral.com]

"It's 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"

Thronka - forums member @ xtremepccentral.com

----

By the by:

I actually wrote the FIRST "Security & Speedup guide" for Windows (1997-2001 -> http://www.neowin.net/news/main/01/11/29/apk-a-to-z-internet-speedup--security-text [neowin.net] for NTCompatible.com (& that's Neowin's "take" on it, an excellent rating no less)...

AND, which is now carried forward to today & does well here & elsewhere online!

(HOWEVER? The latest version above is MOSTLY on security now though, rather than speed ups, because that IS the "bigger problem" out here nowadays)

It's done well, & to the tune of:

----

A.) WELL over 250,000++ views online in 2 yrs. time online, across 15 forums online

B.) It's often been made an "Essential Guide" on 15/20 forums it's on

C.) It's often been made a "Sticky/Pinned" thread on 15/20 forums it's on

D.) It's often in the "most viewed" on 15/20 forums it's on

E.) It's often "5/5 star rated" etc. et al (on 15/20 forums it is on)

----

(In fact - Search "HOW TO SECURE Windows 2000/XP" online, & you'll see it "owns" the top spot & top 50-100 in fact -> http://www.tcmagazine.com/forums/index.php?s=b35dfec0da75d7dab52dab8b321d373e&showtopic=2662 [tcmagazine.com] and many others in that return recordset from GOOGLE & from many of the other sites it's featured on...)

APK

P.S.=> To quote TONY STARK from the hit film of 2008, IRON MAN? "IT WORKS"... apk

So... (3, Funny)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#30787588)

Who else suspects that Google is stepping up internal use of Chrome?

Internet Explorer 6 is older than the Euro (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30787626)

Next time somebody tells you that their organisation can't switch from Internet Explorer 6 because of legacy intranet applications, point out that virtually all of Europe switched from their own centuries-old currency to the Euro in less time than it's taking to get rid of Internet Explorer 6.

Re:Internet Explorer 6 is older than the Euro (2, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#30787712)

The difference is benefits vs drawbacks. With the Euro, the country (especially the smaller countries) got a lot more buying power and therefore more wealthy for minimal risk. With switching from IE 6 the company will -lose- money, especially in the short term to change from IE 6 and get little in the long term. Why fix what isn't broken (in the eyes of management). All the management sees is that it would cost $10K to go from IE 6 to IE 7 for a savings of $0.

Re:Internet Explorer 6 is older than the Euro (0)

Anonymous Coward | more than 4 years ago | (#30787838)

They only understand pain and closing of the barn doors after the horses have gotten out. Not worth wasting your breath talking about ticking time bombs until after the explosion and demise, and often that isn't enough, hence the continued usage of failed technology.

Stupid (1)

omb (759389) | more than 4 years ago | (#30789544)

This is such a dumb American attitude, I hope your Company can work without its intellectual property and computer systems. I assume you don't have insurance as well!

Re:Internet Explorer 6 is older than the Euro (0)

Anonymous Coward | more than 4 years ago | (#30789928)

With the Euro, the country (especially the smaller countries) got a lot more buying power

Read Economics 101 or something. Adopting a different currency when you already have a convertible currency does NOT increase your buying power. It MIGHT have the following advantages:

- You save money on conversion fees.
- Your export or import MIGHT gain advantage if your previous currency was in steady decline or rise respectively.

Re:Internet Explorer 6 is older than the Euro (2, Interesting)

Grygus (1143095) | more than 4 years ago | (#30790668)

To be fair, the case we make for IE8/FF3/Win 7/whatever is the same spiel we gave them to get them to switch to IE6/FF2/Win 98. It's a never-ending treadmill, it's not surprising that they'd see the entire enterprise as a bottomless money pit and want to get off at some point.

Re:Internet Explorer 6 is older than the Euro (0)

Anonymous Coward | more than 4 years ago | (#30789136)

Yeah, but what's the Euro-Pound exchange rate?

Video of the Exploit in Action (5, Informative)

danielkennedy74 (1543159) | more than 4 years ago | (#30787634)

The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese Nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [praetorianprefect.com]

IE6 (1)

ZeroSerenity (923363) | more than 4 years ago | (#30787658)

While it is written to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

Re:IE6 (0)

Anonymous Coward | more than 4 years ago | (#30788110)

Actually, the bug is the same on IE7/IE8, but the heap layout changes on IE7 and requires a different way to fill the old object pointer. On IE8, DEP is enabled by default, so even if you can return to the heap you don't get code exec. However, you don't have to return to the heap...

Re:IE6 (3, Insightful)

RobertM1968 (951074) | more than 4 years ago | (#30788160)

While it is written to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

Really? What do you base that on?

- First, there have already been a ton of exploits for IE7 and IE8 - and even some patches.

- Second, Microsoft never seemed to say that IE7 or IE8 were not vulnerable. They very carefully said this instead:
"At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer." – Microsoft.

That states there are other affected versions... but Microsoft hasn't seen attacks against them. I could care less what Microsoft has seen... they also "saw" XP and IE6 as secure (pre Service Pack 1).

It also means the other affected browsers are... IE4? IE5? IE7? IE8? I wonder which ones of those are the ones they are talking about? I could almost bet you that it's not a pre-IE6 browser that they are talking about.

Re:IE6 (0)

Anonymous Coward | more than 4 years ago | (#30788336)

The exploit was quite clearly effective against all versions of IE. It was least effective against IE8, but it does work if you disable DEP.

I would ask if IE6 was necessary, but today I was configuring HP blades. It appears that not only is IE required for the iLO Advanced Remote Console / Virtual Connect Manager task, but IE6 is to accomplish this task with the least difficulty. IE8 works in compatibility mode for most things (remote graphic console through Active-X, menus and javascript), but not for all. Remarkably Firefox was required to enable some menu pulldowns, though it's not compatible with most of the rest of it - so the task requires at least two modern browsers. It was necessary to engage both IE8 and Firefox, and I'm still not sure if all the options available in IE6 were available.

Having an XP client with IE6 would have been handy for this task, and in the future I'll have one in a VM for that. But today it was a straight nuisance.

HP needs to get their act together with regards to web admin of their servers. If you can't admin an HP server over the web, they have no compelling advantage over Dell. Standards compliance is the best way to solve this problem but somehow I doubt they'll choose that course.

/anon for obvious reasons.

Yeeehawww! I NEED THIS LIKE A DIRTY DIAPER! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30787768)

Oooops! Ie6 did a dootie.

How to mitigate IE6 security issue (0)

Anonymous Coward | more than 4 years ago | (#30787998)

See how to mitigate the IE6 vulnerability using Group Policy here http://www.grouppolicy.biz/2010/01/how-to-mitigate-kb979352-a-k-a-google-china-security-vulnerability-using-group-policy/

Sorta like irony. Sorta. (1)

Eil (82413) | more than 4 years ago | (#30788352)

Anyone else find it amusing that Google has its very own web browser [google.com] yet IE6 is apparently still widely deployed on their desktops?

Re:Sorta like irony. Sorta. (1)

dtml-try MyNick (453562) | more than 4 years ago | (#30789610)

Given the fact that the use of a web-browser is the main source of income for Google combined with the fact that IE6 still has a 10% market-share..
I'd be willing to bet that a shitload of people working at google simply need IE6 in one form or another to get their job done.

Re:Sorta like irony. Sorta. (2, Informative)

LordThyGod (1465887) | more than 4 years ago | (#30790556)

Not at all. This is the MS legacy: install XP, then install Firefox (Chrome, Safari, whatever). But you can't uninstall IE, and if you never use it, it's sitting there at 6. And the exploit does not require actively opening the browser, just that it's installed. One more reason to run away from anything from MS. How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.

Re:Sorta like irony. Sorta. (1)

ColdWetDog (752185) | more than 4 years ago | (#30791336)

Dear Mr. LordThyGod:

Your statement:

How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.

Leads me to think that your Deity card needs to be revoked or significantly downgraded. If that is one of the "mysteries of the Universe", how the hell are you going to deal with something complex like calculus? I really don't think you ought to be running things, sir. Would you step this way please?

Finally! Maybe.. (0)

Anonymous Coward | more than 4 years ago | (#30788416)

Hopefully now that there's been this wide scale attack on major corporations, all IT departments can finally force dropping the browser for security reasons.

Google just wanted to pick a fight with China (1)

cenc (1310167) | more than 4 years ago | (#30788470)

I can not believe that Google, with all of its vast resources and years online, that a few email accounts getting hacked all of a sudden set them off to pull out of China. They are pretending to the press as if this is something special or new on the internet that China is doing, or that these couple of "attacks" from China are too much. Google has got to be just hammered by Chinese attackers, and they make it sound like no other gmail account has ever been hacked. I bet they get thousands of illegally hacked email accounts a day for all kinds of people, from all over the World, by all kinds of means. Hell, I blocked Chinese ISP blocks and cut down on my little server being attacked and spam by about half.

So, what in particular is suddenly special about this one in relation to China?

Re:Google just wanted to pick a fight with China (3, Insightful)

Vicegrip (82853) | more than 4 years ago | (#30789004)

Google had some of its IP stolen too. It's hard to do business in a country where the government has no qualms about stealing your stuff and hurting your customers.

Re:Google just wanted to pick a fight with China (1)

TheRaven64 (641858) | more than 4 years ago | (#30790282)

So? It's not like Google respects other people's IP either. They are engaged in several lawsuits currently for exactly this reason (ironically, one with China).

It doesn't matter which browser. (3, Insightful)

MadMaverick9 (1470565) | more than 4 years ago | (#30788526)

It doesn't matter which browser you're using ...

If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

Until users change their behavior and start using least-privilege accounts while surfing the web, it's wrong to blame the browser.

Microsoft even says it in their security advisory kb 979352: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

And this applies to any OS: Linux, Windows, Mac OS, etc.

Rootkit - contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior admin access to execute and tamper with system files and processes.

Re:It doesn't matter which browser. (3, Interesting)

dotwhynot (938895) | more than 4 years ago | (#30788660)

It doesn't matter which browser you're using ...

If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

I don't disagree with it being better not running as admin, but a lot of malware will live quite happily in your userspace. And if a user privileged account is compromised there are privilege escalation exploits to get admin level, for fx rootkit if that is what they are after. MS is on to something with the IE8 protected mode sandbox in Vista/W7, running with lower privileges than even normal user. But it's just one part of this puzzle.

"the attack is very reliable on IE 6" (1)

Arancaytar (966377) | more than 4 years ago | (#30788904)

YES. Finally.

Kill IE6. Kill it with fire.

I really hope they posted it... (2, Funny)

indros13 (531405) | more than 4 years ago | (#30790188)

...to code.google.com.