Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft To Issue Emergency IE Patch

samzenpus posted more than 4 years ago | from the protect-ya-neck dept.

Microsoft 79

CWmike writes "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents. 'We are planning to release the update as close to 10:00 a.m. PST as possible,' said Jerry Bryant, a program manager with the IE group. Microsoft has updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."

cancel ×

79 comments

Sorry! There are no comments related to the filter you selected.

hahahaha running scared! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30844746)

n/t

Re:hahahaha running scared! (0)

Anonymous Coward | more than 4 years ago | (#30851270)

Sorry to reply the fp but the patch is ready, The Win update just pestered me to update for this one on a win2k install.

Q: what do you call 250,000 dead haitians? (0, Informative)

Anonymous Coward | more than 4 years ago | (#30844768)

A: A good start!

Yikes (4, Informative)

goldaryn (834427) | more than 4 years ago | (#30844790)

Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7

"Windows 7: with multi-core optimisations and improved app performance, be compromised faster than ever before!"

Re:Yikes (-1, Offtopic)

Dumnezeu (1673634) | more than 4 years ago | (#30844816)

Tough decision: +1 Informative or +1 Flamebait ?

Re:Yikes (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30844846)

tis flaimbait

Re:Yikes (0)

Anonymous Coward | more than 4 years ago | (#30845382)

Yeah.

And where's sopssa gone. She should be first-posting with Microsoft Marketing's finest spin on a story like this.

Is there a power blackout in Redmond?

God Damn Commies !!!!! What can we do about them? (0)

Anonymous Coward | more than 4 years ago | (#30846764)

Us versus them, the Red menance. What can we do about THEM? What can we do TO THEM?

Re:Yikes (1)

Shrike82 (1471633) | more than 4 years ago | (#30844906)

I have Windows 7 Home Premium x64 Edition. Did you forget to copy that part of the list or have my early-adoption habits finally been rewarded? If so then at last all the years of no driver support, software incompatibility and system instability were worth it!

Re:Yikes (5, Funny)

goldaryn (834427) | more than 4 years ago | (#30844960)

I have Windows 7 Home Premium x64 Edition. Did you forget to copy that part of the list or have my early-adoption habits finally been rewarded? If so then at last all the years of no driver support, software incompatibility and system instability were worth it!

Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
Non-Affected Software
Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

Hahahaha. Take that Firefox/Chrome/Opera users! I'm running Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4! SucNO CARRIER

Re:Yikes (1)

toleraen (831634) | more than 4 years ago | (#30844978)

Wow, you found a patch that affects most of Microsoft's Operating Systems. Rare indeed. [microsoft.com]

Re:Yikes (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#30845146)

Seems to me that if one doesn't open unknown documents from untrusted sources, one is probably pretty well protected from this. Though if you leave the default settings in place - to allow documents to be opened inside of your web browser- then you'd be vulnerable via iframes and malicious advert content. (Actually ... is that still the default setting in IE?)

Re:Yikes (1)

tuxgeek (872962) | more than 4 years ago | (#30846188)

Social engineered malware is a bitch
I know someone that downloaded and opened one of those flashy virus cleaning apps off the internet
Then was puzzled when her system went screwy

You can't patch stupid

Re:Yikes (1)

tlhIngan (30335) | more than 4 years ago | (#30847332)

Seems to me that if one doesn't open unknown documents from untrusted sources, one is probably pretty well protected from this. Though if you leave the default settings in place - to allow documents to be opened inside of your web browser- then you'd be vulnerable via iframes and malicious advert content. (Actually ... is that still the default setting in IE?)

Social engineered malware is a bitch
I know someone that downloaded and opened one of those flashy virus cleaning apps off the internet
Then was puzzled when her system went screwy

Hell, the common way is to pass around pirated software. The software's clean, but the serial number is stored in an infected (purposely) doc file, or the keygen was wrapped with a trojan. So joe user just blindly double-clicks the keygen or document (which may also be how to install, etc), and can get the serial number he needs.

The Mac, however, has the most unique way yet of hiding malware as part of an application installer bundle (see Microsoft Office and Snow Leopard - a hidden service was put in the image that connected your Mac to a botnet).

Hell, an infected word doc with passwords to porn sites will probably cause half the "don't click on wierd documents" people to eagerly click away. A la Bender.

Re:Yikes (0)

Anonymous Coward | more than 4 years ago | (#30856312)

Windows 7 makes this even easier with the preview pane. If you're on a 32-bit system with the preview pane active, merely clicking on (or using your favorite keyboard method of turning the icon blue) the file once, as one may do to check the properties will in fact load the file in WinWord.exe and it's game over. I am happy to bask in my 64-bit superiority and am happy that 32-bit (and 16-bit!) are both falling by the wayside, as microsoft's 64-bit initiative seems to coincide with its security initiative, so at least some flashy happy clicky people will be spared by virtue of having purchased a new computer, a rarity that I think everyone on /. should be celebrating with a moment of silence.............moment of silence over, back to microsoft bashing.

Re:Yikes (0)

Anonymous Coward | more than 4 years ago | (#30853782)

You can't patch stupid

All too true. Though of late I'm thinking it's more "happily unaware" than "stupid" -- if someone's primary job isn't computers, there is no need (from their perspective) for them to get educated.

Frankly, if all the money the Ad Council spends on anti-drug ads were to be spent on computer safety, they might have made a different to someone...

Re:Yikes (1)

Ol Olsoc (1175323) | more than 4 years ago | (#30863200)

Remember Fanbois, blame the victim!

At some point, some where, you really do look pretty dumb trying to blame all the flaws on everyone else but Microsoft.

I reached the point of not defending them some time ago. You may take longer. If it makes you feel better to defend them, have at it. But you sound like Audi engineers trying to blame the owners of their cars when the electronics failed and the throttles went wide open.

But if I were to use your logic, the best way to blame the victim is to note that they used the product in the first place, eh?

Just sayin'

Re:Yikes (5, Insightful)

Hurricane78 (562437) | more than 4 years ago | (#30845176)

Looks like a basic architectural problem. Or else it would nor persist as long, trough so many changes.

No need to bash MS on top of the usual, because Win7 still has it. Think of a basic core library that just works since back then and does not need changing. You overlooked something, and someone found a way that you did no think about.
That’s normal, an can happen to anyone.

It’s usually not the bugs that are the problem. Everything has bugs.
It’s the way MS handles fixing them. With massive denial, attacking others for mentioning it, and then a very very late, half-assed patch that needs another patch to patch the patch.
That’s the real problem.

Would MS just have a normal bugzilla, and in the normal case quickly fix the important bugs, I would have no problem with that. Mozilla does it just like that. And even Mozilla has a couple of long-standing bugs. I guess every big software has them. Because every software has a base architecture that you can only re-build every so many years in the complete rewrite. So bugs that don require that architecture to change can’t simply be fixed.
Oh, that reminds me, that for IE, that rewrite is long overdue. That’s the reason there are so many big bugs in there. But I don’t see MS doing a complete rewrite, unless they are forced to completely throw away the old Trident engine.

Re:Yikes (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30845562)

Firefox is a turd, and an operating system is not a browser.

Re:Yikes (1)

Runaway1956 (1322357) | more than 4 years ago | (#30845988)

Yeah. Whatever. I'm waiting for someone to clone NTKernel. Just think, Windows XP - Open Source version. Hey - they did it with NTFS, just a little more work, and we can have the kernel.

Seriously - XP might be a decent system, if it were released OPEN SOURCE, so that people are motivated to contribute vulnerabilities and fixes.

Re:Yikes (1, Informative)

Anonymous Coward | more than 4 years ago | (#30846434)

Yeah. Whatever. I'm waiting for someone to clone NTKernel. Just think, Windows XP - Open Source version. Hey - they did it with NTFS, just a little more work, and we can have the kernel.

Seriously - XP might be a decent system, if it were released OPEN SOURCE, so that people are motivated to contribute vulnerabilities and fixes.

That already exists: ReactOS [reactos.org] .

Re:Yikes (1)

Orbijx (1208864) | more than 4 years ago | (#30846476)

Erm.
Isn't that the goal of ReactOS [reactos.org] ?

I may be wrong, but it's a shot.

Re:Yikes (0)

Anonymous Coward | more than 4 years ago | (#30847430)

NTFS doesn't even support writing new files.

Re:Yikes (1)

Runaway1956 (1322357) | more than 4 years ago | (#30855262)

You err. I routinely mount my NTFS partitions with read and write permissions under Linux. There are several Linux rescue disks (liveCD's) now which can mount the drive on which your Windows installation resides, scan for viruses, trojans, etc, edit the registry, delete the passwords, write new directories and files - anything you might wish to do. There are also several forensics suites for Linux that manipulate anything on an NTFS drive.

STABLE Version 1.0 (February 21, 2007) - Release Notes

        * Change: document and release version update to stable status.

http://www.tuxera.com/community/release-history/ [tuxera.com]

Re:Yikes (2, Funny)

Anonymous Coward | more than 4 years ago | (#30845742)

So my father-in-law who's still on Windows ME is safe then?

Re:Yikes (1)

3vi1 (544505) | more than 4 years ago | (#30845764)

"One thing we have got to change in our strategy - allowing Office documents to be rendered very well by other peoples browsers is one of the most destructive things we could do to the company. We have to stop putting any effort into this and make sure that Office documents very well depends on PROPRIETARY IE capabilities." - Bill Gates, 1998 memo to Office product group.

Brrrrrrr! Sorry. Wrong Name. (0)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30844796)

It should have been called a band-aid (over a gaping hole in the chest cavity.)

Re:Brrrrrrr! Sorry. Wrong Name. (3, Funny)

Rogerborg (306625) | more than 4 years ago | (#30844908)

In Microsoft "it's not an emergency, it's an..." parlance, that would be an out-of-band-aid.

Attack targeted perforce repositories? (2, Insightful)

Distan (122159) | more than 4 years ago | (#30844814)

Reat that the attack targeted Perforce repositories. Haven't heard if any other source control systems were targeted.

Pretty clever way to gather intellectual property; I'd never considered it before, but for many companies if you can download their repository data then you have their crown jewels.

Re:Attack targeted perforce repositories? (1)

maxume (22995) | more than 4 years ago | (#30846460)

Sort of. In many cases, customer relationships and knowledge of the codebase are a lot more valuable than the actual code.

Google has BACKED DOWN in China (1)

hackingbear (988354) | more than 4 years ago | (#30848302)

This is not quite off-topic. I have attempted to post the reports that Google has backed down in China and re-enabled search result filtering in Google.cn [slashdot.org] in the last two days, but /. editors keep refusing to put it in the front page. Right, how can we criticize our new found American hero defending the precious "freedom"? How can a hero backing down to the evil China? Hero can't make fundamental principle error, or you are not allowed to know when it does. Can someone find a way to post this report?!

Define Emergency (2, Insightful)

sipatha (1162265) | more than 4 years ago | (#30844820)

Is it still an emergency since its been some time now since the vulnerability was made public? The best patch is to use a different browser

Re:Define Emergency (4, Informative)

Rogerborg (306625) | more than 4 years ago | (#30844872)

Literal answer: Microsoft classes anything that's not released on Patch Tuesday [wikipedia.org] as an emergency (aka "out of band", but potaYto, potaHto) patch.

Another blow to Open Office. (4, Funny)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30844854)

"Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said as it also admitted that attacks can be hidden inside rigged Office documents. '

Now to be 100% compatible with Microsoft Office, the OpenOffice developers have to work day and night to get this bug/hole/exploit to work exactly the same way in OpenOffice too. I have heard OpenOffice people bitch and moan, "Microsoft keeps changing file formats and APIs deliberately forcing us to do so much of work catching up", now I sympathize. I understand how difficult it would be to code up a gaping security hole that works exactly like it does in the De-Facto Standard.

That brings up another issue. The ISO committee now has to redo the standards to allow this exploit into the OOXML-is-standard-too document. But fortunately the 6000 page standard definition was already in the form of a doc file with this specially crafted backdoor in place. So Microsoft was able to step in, do the modification needed, and set the flags to erase all evidence of the edit and exit. The committee chairman Soldou Tothem expressed his gratitude to Microsoft and complimented their foresight in incorporating such back doors into the standards document.

Re:Another blow to Open Office. (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30844916)

Sorry... that joke wasn't funny the first couple hundred times. Dragging it on for multiple paragraphs just further exemplifies your lack of a sense of humor.

Re:Another blow to Open Office. (-1, Flamebait)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30845030)

Sorry... that joke wasn't funny the first couple hundred times.

You are probably sorry for having paid 579$ + S&H for MsOffice super-ultimate-macho edition. Not for the apparent lack of humor in the posting.

Re:Another blow to Open Office. (-1, Troll)

Valdukas (247053) | more than 4 years ago | (#30845308)

No, they have actually included an undocumented OOXML attribute crashLikeWord97

Re:Another blow to Open Office. (1)

Yvanhoe (564877) | more than 4 years ago | (#30845934)

You almost made me cry...

Re:Another blow to Open Office. (1)

VGPowerlord (621254) | more than 4 years ago | (#30846032)

Now to be 100% compatible with Microsoft Office, the OpenOffice developers have to work day and night to get this bug/hole/exploit to work exactly the same way in OpenOffice too. I have heard OpenOffice people bitch and moan, "Microsoft keeps changing file formats and APIs deliberately forcing us to do so much of work catching up", now I sympathize. I understand how difficult it would be to code up a gaping security hole that works exactly like it does in the De-Facto Standard.

No, the OpenOffice developers will work day and night to make this bug/hole/exploit to work similarly to, but not quite the same as, Microsoft Office.

While I welcome the patch.... (2, Informative)

MtViewGuy (197597) | more than 4 years ago | (#30844856)

....I've already moved on to using Firefox 3.5.7 and Chrome 3.0.195.38 as my primary web browsers. The reason is simple: IE 8.0 is dog slow at times in web page rendering.

Re:While I welcome the patch.... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30845168)

I wish MS would make a version of IE that ran in the popular Linux distros without emulation, then I could use it and be vulnerable as well.

Re:While I welcome the patch.... (0)

Anonymous Coward | more than 4 years ago | (#30847662)

And yet you're already out of date: http://www.mozilla.com/en-US/firefox/personal.html?from=getfirefox

Re:While I welcome the patch.... (1)

shutdown -p now (807394) | more than 4 years ago | (#30848534)

IE8 isn't really slow at rendering. It's mostly that its JS implementation sucks, both raw execution speed (it's an interpreter, not even bytecode AFAIK), and DOM manipulation. Hence it works fine on static sites, but anything heavily Web-2.0ish, like Slashdot, kills it real fast.

Shows difference between IT and politics (5, Insightful)

thijsh (910751) | more than 4 years ago | (#30844860)

It only shows that warnings are never heeded when coming from the insiders and professionals. It takes global companies and several countries to ring the bell for MS to step up and patch exploits faster...
It's not really news that lots of exploits could (and probably were) abused for espionage (both corporate and international). But only now that 'teh evil chinese' are happily hacking along some action is taken.
This is exactly the kind of problem that could be avoided by listening to security experts.

Thanks M$ for giving a crap about the security of users, companies and countries... You're a few years too late stepping up the game, but please keep it up, we might as well have security as an afterthought instead of no security at all.

stolen source (3, Insightful)

mikem170 (698970) | more than 4 years ago | (#30844862)

Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about.

Re:stolen source (1, Funny)

Anonymous Coward | more than 4 years ago | (#30845328)

Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about.

Are you suggesting that having access to the source code makes it easier for these hacker groups to find exploits?

Better keep that kind of blasphemy to yourself. It won't make you many friends around these parts.

Re:stolen source (2, Insightful)

Erikderzweite (1146485) | more than 4 years ago | (#30845694)

It merely shows yet another weak point in closed source development model -- if the code is leaked or given to bad guys, they can thoroughly analyze and exploit it while good guys can't do anything about it -- they have no legal means to obtain and analyze the code.
Open source development model does not, of course, have such issues with source code in the wild. Black hats can look at the code in both cases, but open development model is better because it easily allows white hats to have a good look too.

Yet another example that security through obscurity won't work, nothing really new here.

Re:stolen source (0)

Anonymous Coward | more than 4 years ago | (#30848168)

Parent is totally right. There are certainly a lot of closed source programs which are written like crap. Many companies don't really care about security in their products as long as there are no vulnerabilities disclosed. When there are, they will (of course) provide a patch. That way, it looks like they care, while in fact they don't. If a bad guy can take a look at the code, he can probably find tons of vulnerabilities and exploit them without someone ever noticing it.

I have seen this situation especially in industrial embedded systems... machine controllers are accessible over the internet, authentication is done over a proprietary protcol and the server code looks like it was written by someone who learned programming with a 10min "how-to".

Re:stolen source (3, Insightful)

rtfa-troll (1340807) | more than 4 years ago | (#30845536)

Microsoft has given the Chinese government preferential access to the Windows Source code [cnet.com] . They even set up a lab of security researchers to look for vulnerabilities [cnet.com] in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.

Re:stolen source (1)

Culture20 (968837) | more than 4 years ago | (#30845816)

Microsoft has given the Chinese government preferential access to the Windows Source code. They even set up a lab of security researchers to look for vulnerabilities in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.

So essentially, it's NSA vs. China's group in a bughunt competition, and few if none of our "allies" can help, including MS.

Re:stolen source (2, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#30847402)

The MoD in the UK has had access to the Windows sourcecode since at least NT4, and so GCHQ probably has people looking at it too. Note, however, that this license does not give them the right to compile their own binaries, so even if they find a bug, they can't fix it. All they can do is use it to attack other people, while remaining vulnerable to it. Makes you wonder why they still use Windows, really.

Re:stolen source (1)

shutdown -p now (807394) | more than 4 years ago | (#30848588)

Microsoft has given the Chinese government preferential access to the Windows Source code

It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program [microsoft.com] - it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).

Also, universities can (and do) get access to the source code [microsoft.com] for study and research purposes.

Re:stolen source (1)

rtfa-troll (1340807) | more than 4 years ago | (#30853480)

It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program [microsoft.com]

It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.

- it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).

I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places. Then China started threatening to use Linux and the source code access was set up specifically for them. It's not an accident that they were first in. It was their deliberate choice to get a head start.

Re:stolen source (1)

shutdown -p now (807394) | more than 4 years ago | (#30853786)

It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.

Well, my point was that China in particular didn't get preferential treatment. Government organizations in general do, yes, but there are still many of them (note that a particular government organization may also get the code for its own internal use, not necessarily the government as a whole).

Also, there is a similar program for companies [microsoft.com] . It would cost you a lot (since you need to have 1500 licensed Window seats under an "enterprise" support agreement - I don't think you'll need the actual physical seats, though), so yes, it is discriminative, but nonetheless, if you want the source, you can still get it.

I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places.

This is incorrect. For example, Russian government conducted security analysis (and certification) [windowsitpro.com] of Windows XP & 2003 source code in 2003, under the GSP. In fact, it seems that my previous statement that China was first to use GSP is incorrect, since the article claims Russia to be the first one to do so.

THAT'S WHAT WORKS AGAINST "OPEN SORES" (0)

Anonymous Coward | more than 4 years ago | (#30847474)

Per my subject-line above, & this quote from yourself next below - well... I'm sure you've all heard of considered what I stated above before, but... here goes:

"Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about." - by mikem170 (698970) on Thursday January 21, @08:20AM (#30844862)

You're probably correct on that note, & THAT is the truly dangerous part... the things that we do NOT know about (yet).

(Still, it does have its merits, in those that do "hacking/cracking", in "black hats" as they're commonly referred to as (as well as those who are considered "white hats" also) - BOTH parties I refer to do a good thing, in that they BOTH point out what needs "shoring up")...

APK

P.S.=> Still, per your statement, & what I noted in my subject-line? Think this doesn't "work against" what's commonly called "Open Source" (pardon my 'pun'/joke above in my subject-line, because OPEN SOURCE per your very ideas? It really COULD be referred to as "OPEN SORES", & for the EXACT SAME REASONS YOU NOTED really!

(However, of course? Open Source also helps for making patches faster & from MORE FOLKS since more folks have access to the actual sourcecode of any Open Source app too - yes, it's a real "double-edged sword" type situation, for BOTH closed source & open source))... apk

In Communist China ... (-1, Troll)

ACK!! (10229) | more than 4 years ago | (#30844892)

the software compromises you! Yes, someone else can come up with something more clever but man this is such an opportunity for a new meme.

Another reference (1)

dkleinsc (563838) | more than 4 years ago | (#30845010)

More information about this story can be found here [slashdot.org] .

Affected software list (2, Insightful)

magamiako1 (1026318) | more than 4 years ago | (#30845370)

From my understanding, every version of IE is vulnerable to the exploit, however not every install of IE is vulnerable. There are claims that "IE8 with DEP on" is vulnerable, but it says nothing about the combination of DEP and UAC.

http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17&pageNumber=2

Essentially, if you're using back versions of the operating system and don't keep updated, you're vulnerable. What makes this exploit different from a lot of others is that it has such a large attack surface. However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.

Re:Affected software list (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30845704)

However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks.
 
  Err... no. Every version of Windows that embeds IE is vulnerable, including your precious Win 7. You can guarantee that the patch will cause further problems - things that worked OK before will now be broken. It has now got to the point that Windows is completely unmaintainable - both for home users (who wont understand the problem anyway) and for commercial users (who will be seeking a safer Open Source solution right now).
 
Remember - any proper operating system is invulnerable to ALL the exploits aimed at Windoze...
 
  Game Over, Microsoft

Re:Affected software list (0)

Anonymous Coward | more than 4 years ago | (#30846312)

It has now got to the point that Windows is completely unmaintainable - both for home users (who wont understand the problem anyway) and for commercial users (who will be seeking a safer Open Source solution right now).

I completely agree. Right now it is very hard for home users to use Automatic Updates [microsoft.com] or Microsoft Update [microsoft.com] . And for commercial users? It sucks that there isn't anything out there that allows administrators to centrally control the update process [microsoft.com] .

Dear MS, please use this as the excuse to kill IE6 (1)

Safety Cap (253500) | more than 4 years ago | (#30848236)

If only they would stop issuing patches and updates for IE6 and earlier, then we could get on with dropping all support, everywhere, for this POS browser.

Re:Dear MS, please use this as the excuse to kill (1)

magamiako1 (1026318) | more than 4 years ago | (#30849248)

With this I completely agree. I furthermore think they should completely discontinue support for Windows XP. I'm at a huge fight in our organization at the moment regarding the move to Windows 7. I'm getting met with a lot of resistance when we don't actually have an excuse to stick on XP. We already pay for the licensing for 7....

Re:Affected software list (1)

RobertM1968 (951074) | more than 4 years ago | (#30849380)

However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.

Incorrect. As it is, UAC does not seem to stop various "visit a site" .NET/Active X exploits that Microsoft claims they have finally (6th time) fixed. Nor does DEP prevent them. Nor does the combination of the two...

..."oddly" enough, UAC does often prevent some updates unless a user confirms them... unless they are automatic, and use the same exploit method used by some of the malware out there.

Thus, IE7 and IE8 on Vista or Win7, even on the default configurations, is still vulnerable. Something even Microsoft finally admitted to in their most recent revision to their earlier document.

Re:Affected software list (1)

magamiako1 (1026318) | more than 4 years ago | (#30853848)

Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.

Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.

But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.

The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.

Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.

If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.

If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.

Re:Affected software list (1)

RobertM1968 (951074) | more than 4 years ago | (#30856220)

Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.

Oh, so you have already read about conditions where this happens? Guess I dont have to answer this one then, do I?

Besides, I already gave you an example earlier. But just for shits and giggles, here's one that references the chances at 1% on IE8/Vista or IE8/Win7:

DEP Bypassed [technet.com]

Now, while 1% seems a trivial number, it is actually quite large when installed base is taken into account... or only a few million machines.

Then add to that, such an exploit can be attempted multiple times on a machine, which raises the likeliness of the exploit working.

And here's one more recent that states it is even more likely and has been proven to be possible:

Aurora Exploit [darkreading.com]

Hmmm... does that one sound familiar? Maybe the one this patch is supposed to address?

Or this one: Crappy Ass Microsoft Javascript implementation vector for bypassing DEP [vupen.com]

And one that was made available to govts and large security software vendors: DEP being bypassed [dailyradar.com]

And one (just to add it to the list) to bypass XP and hardware DEP: ANI Cursor Exploit [milw0rm.com]

Should I go on? There are TONS of pages I can go through... and I havent even started on the hotfixes and other patches Microsoft has released to fix earlier issues with DEP and UAC.

Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.

But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.

Hmmm... I dunno... what did the .NET stuff do for both Firefox and IE? Is .NET really truly fixed this time? This is the 6th major attempt to do so, and probably the few dozenth attempt overall.

The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.

True... but then again, I make most of my "repair" money at the company I work for from fixing virus ridden machines running on default settings (DEP and UAC enabled) from customers who have (or claim to have) done nothing and clicked on nothing - other than visiting malicious sites before the most recent .NET patch.

Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.

If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.

When exactly does it do that? And you realize there are mechanisms built into Windows Vista and Windows Seven to bypass UAC, correct? I'm cleaning a machine right now with Vista on it (and UAC & DEP enabled), where winlogon was infected (along with just under 100 other files).

If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.

I agree... but that is not needed in various scenarios, such as the .NET exploit that was supposedly patched just recently (for the umpteenth time).

If the user never gets the prompt... well then? Hmmm...

I blame the user for a lot of the stuff I see come into our shop... I blame Microsoft for others. I've done reinstalls and reinfected machines on their default install, that did not have the very recent .NET fix just for kicks. The machine we just finished here didnt even get the most recent Service Pack or tons of other updates because of how wonderfully it was infected. One that left a few days ago even had the whole TCP/IP stack infected.

Fun stuff... and not always (though quite often) the user's fault.

Re:Affected software list (1)

magamiako1 (1026318) | more than 4 years ago | (#30856360)

All you've linked to was DEP being bypassed. That's fair enough. But DEP is not UAC.

All an exploit has to do to is execute on the system to be considered working. But code that's executing at all is a far cry from code that's executing with Administrative privileges.

If this weren't the case, there wouldn't be such a huge push in the linux world for users to "never run as root".

I'm not downplaying that the browser was vulnerable, it very clearly was. What I'm trying to make a point of is that when you use IE8 on Windows 7 with UAC maxed out and DEP on, even if an exploit is able to get through--it still will have to bypass UAC to do any serious damage.

The fact of the matter is, users will tell you they don't do anything wrong. If you've worked support long enough you know that unless you have absolute proof, they will deny it until the end of time. And when you catch them lying, they still deny it. In fact, the only time I've been able to get someone to admit they screwed up is when it was their job on the line.

I would guess that a VAST MAJORITY of security problems are the users' faults.

Either way, none of this defeats the fact that IE8 on Windows 7 with UAC kicked up is your best protection against any of these attacks, short of using something like Chrome which provides extra sandboxing.

Re:Affected software list (1)

RobertM1968 (951074) | more than 4 years ago | (#30856508)

All you've linked to was DEP being bypassed. That's fair enough. But DEP is not UAC.

Just use Google... "UAC being bypassed exploit"

Due to the elevated COM object which controls UAC being on the whitelist (list ... just the Windows ones and the ones that bypass the prompts via exploits. ...

Hmmm... smell like the recent .NET exploit that I already mentioned 3 times in these threads?

Yes, the majority of the issues are probably user error.

That's not my issue at hand... people who claim that UAC and DEP are inpenetratable are my issue. They are not. They have been exploited numerous times in the past. Microsoft keeps releasing shoddy patches that do not address the underlying faults in the architecture of them. Thus this problem will never really be fixed... hence, lets see... 2 service packs and what is it now... 60? 70? other hotfixes and updates to Vista? And it still isnt fixed?

Either way, none of this defeats the fact that IE8 on Windows 7 with UAC kicked up is your best protection against any of these attacks, short of using something like Chrome which provides extra sandboxing.

BINGO! To me, that reads (combine this sentence with the paragraph above about them not really fixing the underlying problem): "Windows 7 with UAC is your best option other than any other option on Windows 7, because Microsoft will not ever fix the underlying problems in UAC, DEP and .NET/Active X"

Really, it's not rocket science. They simply will not fix the stuff properly because of their dependence on Active C and .NET (a dependence that grows every time they release some new "technology" like Silverlight), thus, exploits will always exist, and Microsoft will get around to patching specific vectors once enough bad press has hit the Internet, still leaving the underlying mechanism broken due to the ancient, fragile, hole ridden Active X and .NET underlying architecture used via their browser - and now, add to that list, their pathetic, exploitable, slow Javascript engine.

Re:Affected software list (1)

magamiako1 (1026318) | more than 4 years ago | (#30858588)

Despite all of your ranting on the .NET exploits that you're talking about, you have yet to provide me any links to any information on any .NET exploits that bypass UAC.

With regards to the UAC mechanism "exploits", kicking UAC to the highest level in 7 (which is the default in Vista) prevents these sorts of attacks from escalating silently. In fact, any of the posts that talk about it should certainly tell you this.

The problem is not an underlying structure issue with UAC and more to do with the fact that UAC was the largest complaint people had on Vista, so Microsoft toned down the requirements. That "any protection" is better than "no protection at all". Though in my opinion, it might as well be no protection at all.

I've tried searching for any updates to .NET or any exploits that you've stated and I just can't find them. So please definitely link me to articles that talk about them and explain how they are vulnerable.

Re:Affected software list (1)

RobertM1968 (951074) | more than 4 years ago | (#30864302)

Or you can learn to use Google. They are there. Or search Slashdot. It's there too. Or simply search through Microsoft's HotFix lists and such for .NET. They have an entire page devoted to it.

So, at this point, with the evidence SO easily findable, I think you just have no interest in reality. Good luck with that.

Attack from the source (3, Interesting)

Judebert (147131) | more than 4 years ago | (#30845578)

As I recall, the Chinese government has access to the Windows source code [cnet.com] . Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows.

While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was.

Re:Attack from the source (2, Funny)

jmorkel (952809) | more than 4 years ago | (#30846300)

Microsoft was right! Open source is a security risk!

Re:Attack from the source (0)

Anonymous Coward | more than 4 years ago | (#30846492)

Why on earth does Google have to use Windows? For their reputation, they should've been out of it a decade ago!

Re:Attack from the source (1)

maxume (22995) | more than 4 years ago | (#30846584)

"having the source gave the Chinese government the opportunity to develop a new attack against Windows" is not an obvious conclusion. Debugging tools are good enough to walk right through algorithms, and stuff like fuzz testing means that you can throw huge amounts of bad data at various functionality and see what it chokes on (rather than doing careful analysis of the source code).

Re:Attack from the source (0)

Anonymous Coward | more than 4 years ago | (#30846626)

Although I agree with your reasoning, I don't agree that MS could ever release it's source code to the wild. It would ruin their OS division. I'm actually surprised they would agree to release their code to China. I would have though there would be restrictions to that given the millions (billions?) of people it potentially exposes to vulnerabilities that only the Chinese and Microsoft could discover.

"Great minds think alike"... apk (0)

Anonymous Coward | more than 4 years ago | (#30847772)

http://tech.slashdot.org/comments.pl?sid=1518574&cid=30847474 [slashdot.org]

We think much the same, per what I stated in response here in that URL above, & per what you wrote which I will now quote:

"While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was." - by Judebert (147131) on Thursday January 21, @09:35AM (#30845578) Homepage

Per my subject-line above, as well as the URL I just posted on this very same subject? We think greatly alike... (not that I consider myself a "great mind", as I only used that old adage to prove my point here... which is, in utter agreement with that which I quoted from you!)

Now, of course, @ least YOU have the "presence of mind" to realize THAT that which I stated also can "hold true" which is the opposing viewpoint you note - however, I do utterly agree that "Open Sores" (lol, just a joke, I don't want Mr. Stallman "coming down on me" here, OR, any of the "Pro Open-Source crew" doing so either, etc. / et al) does lend itself to MORE FOLKS BEING ABLE TO SPOT & REPORT ON, IF NOT PATCH THEMSELVES (well, provided they have a knowledge of programming that is)...

APK

P.S.=> Also per this statement from you:

"As I recall, the Chinese government has access to the Windows source code. Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows." - by Judebert (147131) on Thursday January 21, @09:35AM (#30845578) Homepage

Well... also in that URL above where I replied much along the SAME LINES/TRAIN OF THOUGHT as you have, Judebert? I feel that black-hat "hacker/cracker" types (alongside white hatters too mind you) do the world a "favor", albeit in the case of blackhats, unintentionally (mostly), & I noted it in that URL above: THEY POINT OUT WHAT NEEDS "SHORING UP" & IMPROVING!

("Big Fan" here of this old adage too -> "When life gives you LEMONS? MAKE LEMONADE!" - in other words? In every "bad", there's a GOOD too)... apk

Re:Attack from the source (1)

shutdown -p now (807394) | more than 4 years ago | (#30848600)

In products where the source is available to everyone, there is no advantage to any party.

Not quite; in that case, the advantage is to parties which can afford to allocate more resources to perform a security analysis of said code. Even if you personally were handed the complete source code of Windows, I doubt you'd be able to uncover and fix security flaws faster than Chinese government hackers can.

Re:Attack from the source (1)

RobertM1968 (951074) | more than 4 years ago | (#30849466)

As I recall, the Chinese government has access to the Windows source code [cnet.com] . Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows.

While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was.

While that may have made it easier for them, it does not explain the numerous hackers and script kiddies who have managed to compromise IE7/8 and Vista/Win7 security, even on default configurations; as they did not have access to the source code.

The rest, though I agree with ("holes are found and sealed, etc") is also contingent on other factors when Microsoft is involved.
(1) Holes are only "sealed" when enough media attention is drawn to them - otherwise it's when Microsoft gets around to it, if ever.
(2) The holes are generally poorly patched, and not truly sealed (see the half dozen MAJOR (and tons of minor) .NET fixes to deal with the RCE exploits, where after each one, a very similar exploit was found because the hole was never properly patched, or there were dozens of others that were skipped).

No, I am not trying to bash Microsoft... there are enough others here to do that. I am simply pointing out history as it happened. Every statement above has historical backing to it (#2 I even provided one of many examples).

treason? (0)

Anonymous Coward | more than 4 years ago | (#30846766)

From Wikipedia [wikipedia.org] :

Oran's Dictionary of the Law (1983) defines treason as: "...[a]...citizen's actions to help a foreign government overthrow, make war against, or seriously injure the [parent nation]." In many nations, it is also often considered treason to attempt or conspire to overthrow the government, even if no foreign country is aided or involved by such an endeavour.

msft [google.com]

Et tu, Brute? [wikipedia.org]

Please Tell Me (1)

The Wild Norseman (1404891) | more than 4 years ago | (#30847206)

Is it just me or does the following make sense in a "no, I'm not that paranoid" paranoid sort of way?

Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."

Google: Hey! We think the Chinese did this!
Security Experts (so-called): Hey! You're right! In fact, we now have evidence that the Chinese did this heinous crime!
Google: Wait! We think that someone in Poland helped out!
SE(S-C): Hey! By golly, you're right again! In fact, we have even more evidence that the Chinese were helped by those crafty Poles!
Google: Wait! We think that the same dudes who tapped into the Predator video-feed also had a devious hand in this!
SE(S-C): Hey! You're really batting a thousand! In fact, we just now received a cached download of the streaming video of Osama bin Laden's laptop showing him punching the buttons!
Google: Yay! Now we can go to the peoples of the world with all this wonderful proof that we don't do evil; evil is done to us!

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?