Slashdot: News for Nerds

Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites

timothy posted about a year ago | from the now-this-gives-pause dept.


SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
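The redirect chain the excerpt describes (visitors to the compromised Department of Labor page are sent on to a server hosting the IE 8 exploit) is what a responder would go looking for in web-proxy logs. The following is an added example written for this page, not code from Ars Technica, AlienVault, CrowdStrike or any commenter: it parses a constructed proxy-log format, pairs each request to a hypothetical compromised host with any request from the same client within 30 seconds to a host outside an allow-list, and notes whether the client's User-Agent advertised MSIE 8.0. The host names, the log line format and the sample lines are all assumptions made for the example.

```python
"""Watering-hole triage over web-proxy logs.

Added example for this page; not code from Ars Technica, AlienVault,
CrowdStrike or any Slashdot commenter. The log format, host names and
sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format:
#   <ISO timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
HOST_RE = re.compile(r'^https?://([^/:]+)', re.IGNORECASE)
IE8_RE = re.compile(r'MSIE 8\.0')  # UA token IE 8 sends; the version the campaign hit

# Hypothetical watering-hole host; the excerpt does not name the DOL page.
COMPROMISED_HOSTS = {"www.example-gov-site.test"}
# Hosts those pages legitimately load from (constructed allow-list).
KNOWN_GOOD_HOSTS = {"www.example-gov-site.test", "cdn.example-gov-site.test"}
# A drive-by redirect fires while the page is still rendering, so keep this short.
WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    h = HOST_RE.match(rec["url"])
    rec["host"] = h.group(1).lower() if h else ""
    return rec


def triage(lines):
    """Map client_ip -> list of (compromised_url, suspect_url, ua_is_ie8).

    A hit is a request to a compromised host followed, from the same client
    within WINDOW, by a request to a host that is not on the allow-list.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    hits = defaultdict(list)
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if landing["host"] not in COMPROMISED_HOSTS:
                continue
            for follow in recs[i + 1:]:
                if follow["ts"] - landing["ts"] > WINDOW:
                    break  # records are sorted, nothing later can be in the window
                if follow["host"] not in KNOWN_GOOD_HOSTS:
                    hits[client].append(
                        (landing["url"], follow["url"], bool(IE8_RE.search(follow["ua"])))
                    )
    return dict(hits)


IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
FF_UA = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"

# Constructed sample: one IE 8 client is bounced to an unknown host right after
# the landing page; one Firefox client visits the same page and nothing else.
SAMPLE_LOG = [
    f'2013-05-01T14:02:10 10.1.2.3 GET http://www.example-gov-site.test/program/index.htm 200 "{IE8_UA}"',
    f'2013-05-01T14:02:11 10.1.2.3 GET http://cdn.example-gov-site.test/style.css 200 "{IE8_UA}"',
    f'2013-05-01T14:02:12 10.1.2.3 GET http://203.0.113.45/stats/page.js 200 "{IE8_UA}"',
    f'2013-05-01T14:05:00 10.1.2.7 GET http://www.example-gov-site.test/program/index.htm 200 "{FF_UA}"',
    f'2013-05-01T14:05:01 10.1.2.7 GET http://cdn.example-gov-site.test/style.css 200 "{FF_UA}"',
    f'2013-05-01T14:09:00 10.1.2.7 GET http://www.unrelated.test/ 200 "{FF_UA}"',
    "not a log line",
]

if __name__ == "__main__":
    for client, pairs in triage(SAMPLE_LOG).items():
        for landing, suspect, ie8 in pairs:
            print(f"{client}: {landing} -> {suspect}  IE8={ie8}")
```

Run as a script it prints the single hit in the embedded sample. In practice the compromised-host set comes from the published indicators and the allow-list from a baseline of what those pages normally load; the allow-list does the real work, since the campaign's exploit pages were served from hosts the victim pages had no business referencing, and that is the only thing this check keys on. A client whose follow-up request is to a bare IP address, as in the sample, deserves a closer look regardless of browser version.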


157 comments

Wow (0, Troll)

colinrichardday (768814) | about a year ago | (#43655035)

Lousy programming from Microsoft, who could have known?

Re:Wow (1)

Jackie_Chan_Fan (730745) | about a year ago | (#43655143)

I don't know, probably a cliché Linux zealot on Slashdot who blindly hates Microsoft.

Re:Wow (-1)

Anonymous Coward | about a year ago | (#43655477)

> I don't know, probably a cliché Linux zealot on Slashdot who blindly hates Microsoft.

That's what someone said last time I called M$ users idiots.

Turns out:

1) It was not (only) because of hate: the products are bad and users are really idiots (and most are in the US and China).
2) Nuclear users are idiots, too. 100% safe when done right... yeah, sure. Keep dreaming, IDIOTS.
3) US people are idiots; someone said socialist governments are aggressive (in another news story). Do you think we're idiots, too? The nerve some people have...

Have a nice day and, btw, my country is capitalist, too, but people here are taught to be responsible adults, not "the money is mine, mine, all mine". That is not capitalism, that is being a spoiled child.

Re:Wow (1)

i kan reed (749298) | about a year ago | (#43655617)

You know, it really helps a debate when every single point you make is followed by telling the readers they're idiots. It just drives home the fact that a smarter person wouldn't be reading your post.

not the real Michael Kristopeit (-1)

Anonymous Coward | about a year ago | (#43656305)

why do you cower? what are you afraid of?
you're an idiot.
you're completely pathetic

Re:Wow (0)

Anonymous Coward | about a year ago | (#43655639)

Keep on burning coal then, 'cause that windmill will never make you enough energy.

Re:Wow (3, Funny)

colinrichardday (768814) | about a year ago | (#43656441)

We don't blindly hate Microsoft; we've seen it all too much.

Re:Wow (2)

solkanar (946999) | about a year ago | (#43655277)

Yea, the doctor could have known.

Re:Wow (2)

colinrichardday (768814) | about a year ago | (#43656451)

Time travel has its advantages.

Re:Wow (1)

interkin3tic (1469267) | about a year ago | (#43656203)

Evidently people who work on nuclear weapons... so...

Re:Wow (1)

interkin3tic (1469267) | about a year ago | (#43656229)

I mean, "Evidently NOT people who work on nuclear weapons." It would have been right, but my browser (IE 6) messed up posting. I'm embarrassed. Fortunately, it sounds like I won't have to live with my shame for very long.

Somebody in the government... (2)

Kildjean (871084) | about a year ago | (#43655083)

Just lost their job... The same idiot who insisted on "let's make all our content only available through IE"...

Re:Somebody in the government... (1)

Anonymous Coward | about a year ago | (#43655159)

You clearly have never worked for the government. The bozos who made the decisions will still have their jobs, but the underling fall guys who recommended against it but had no choice but to do what they were told will become unemployed.

Re:Somebody in the government... (1)

Kildjean (871084) | about a year ago | (#43655245)

I actually work for the government. They just don't listen to the think tanks that tell them, "Nooooooooooooooooooooooo! Don't do that" and they just go ahead and do it anyway.

Re:Somebody in the government... (1)

Lumpy (12016) | about a year ago | (#43655873)

I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

The entire top 3 levels of management in a government agency has a lower IQ than a small salad bar.

Re:Somebody in the government... (0)

Anonymous Coward | about a year ago | (#43656217)

I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

The entire top 3 levels of management in a government agency has a lower IQ than a small salad bar.

Now now, you're making them sound just like private enterprise.

Re:Somebody in the government... (4, Insightful)

gstoddart (321705) | about a year ago | (#43656839)

I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

It's often referred to as the Peter Principle [wikipedia.org] , and I assure you, the exact same thing happens in private industry all of the time.

It's not unique to governments.

Re:Somebody in the government... (1)

Anonymous Coward | about a year ago | (#43657201)

I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

It's often referred to as the Peter Principle [wikipedia.org] , and I assure you, the exact same thing happens in private industry all of the time.

It's not unique to governments.

It's not unique to governments, but governments tend to have low-turnover positions meaning once someone has risen to the level of their own incompetence, they stay there for 20 years until they retire. At least in for-profit corporations, business cycles every 5-7 years allow for "justified downsizing" which is really just trimming (some of) the idiots. Downsizing in government is far less frequent.

Re:Somebody in the government... (3, Insightful)

rabbit994 (686936) | about a year ago | (#43655297)

I want whatever you are smoking. No one will lose their job over this because A) It's a government worker B) Microsoft is like IBM in government, no one gets fired for picking it.

Re:Somebody in the government... (1)

Bugler412 (2610815) | about a year ago | (#43656209)

In government, that's what outside contractors are for, to blame!

Re:Somebody in the government... (1)

D1G1T (1136467) | about a year ago | (#43656353)

B) Microsoft is like IBM in government, no one gets fired for picking it.

Security specialists should be.

Would you Like to Play a Game ? (2, Funny)

Anonymous Coward | about a year ago | (#43655089)

How about Global ThermoNuclear War..

Re:Would you Like to Play a Game ? (4, Funny)

Hsien-Ko (1090623) | about a year ago | (#43655149)

Powered by Internet Exploder!

Re:Would you Like to Play a Game ? (1)

sethradio (2603921) | about a year ago | (#43655285)

HAHA!

Hold Microsoft Responsible (5, Insightful)

Murdoch5 (1563847) | about a year ago | (#43655095)

If I make a medical device that has a serious software bug and goes awall and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?

Re:Hold Microsoft Responsible (5, Insightful)

Anonymous Coward | about a year ago | (#43655161)

No. This was not gross negligence. This was not a bug that would affect anyone under conditions remotely close to normal. This is something that is being actively exploited by someone (the criminal in this case) in a way never intended by the programmers. It'd be like suing the people who made the bullets used in the Sandy Hook massacre. Not only that, they probably agreed when they installed the software not to hold the software company responsible for anything. The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.

Re:Hold Microsoft Responsible (1)

Anonymous Coward | about a year ago | (#43655253)

The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.

It's an interesting theory. How much is enough?

Re:Hold Microsoft Responsible (5, Insightful)

Onymous Coward (97719) | about a year ago | (#43655689)

Yeah, that's the problem with a truly free market. Consumers are stupid and inattentive, corporations are clever and evasive.

If every consumer were Ralph Nader I'd be a free market zealot. As that's not the case we have to find a different way to assure corporations behave themselves.

Re:Hold Microsoft Responsible (0)

interkin3tic (1469267) | about a year ago | (#43656345)

If every consumer were Ralph Nader, then George W Bush would be king for life.

(I kid, I kid, please don't get butthurt, nader supporters)

Re: Hold Microsoft Responsible (1)

Gilmoure (18428) | about a year ago | (#43655571)

What color is the sky where you live?

Re: Hold Microsoft Responsible (1)

Lumpy (12016) | about a year ago | (#43655993)

Orange with a hint of Pepsi...

Re:Hold Microsoft Responsible (4, Insightful)

bill_mcgonigle (4333) | about a year ago | (#43655363)

If I make a medical device that has a serious software bug and goes awall and kills people I'm held responsible

And if you discover that software bug and issue fixes and notices and your customers fail to implement the fix, is it still your fault?

This one ... OK, this makes me a little twitchy ... isn't Microsoft's fault.

It's 2013. Why are they still running IE8 for anything where security is a concern? Windows 7 has been out for 4 years and IE9 for 2. IE10 is out, and two months should be enough to do a patch deployment, but even if it's borderline, by most accounts IE9/10 are not the horrible bags of garbage that the old versions were.

Who is not doing patch management? Who is allowing XP machines near critical systems? Who chose IE8 over Firefox when that decision was made? Did somebody specify an IE6-only solution prior to that, ignoring standards and best practices, leading to a chain reaction of a mess? Who is not cleaning that up?

Answer those questions and you'll find those responsible for today's vulnerable IT landscape.

And, of course the primary responsibility lies with those coordinating the attacks. But we know those people are out there. If a clerk forgets to close up the store at night and goes home with the front door open, it's not that he is responsible for the burglars' actions, but he's also not doing his job and won't be working there the next day.

</ick>

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43655495)

The medical place I work at runs the level of Windows and the version of Internet Explorer because that's what the main software we use requires.

Re:Hold Microsoft Responsible (5, Interesting)

Cenan (1892902) | about a year ago | (#43655781)

Exactly this.
Some of us are stuck with legacy systems, built with legacy tools, and the original developers are long, long gone. While we try to unwind the horrible spaghetti mess that is our core business software, we have to make do with Win-XP VMs and all sorts of neat tricks to keep the rickety shit from collapsing in on itself.

(Incidently, if any of you reading this worked at Borland/Inprise in the late nineties: hello how ar... FUCK YOU! and fuck your ridiculous fucking desktop database fucking crap. You fucking morons have no fucking clue how to nail a board onto another board, and you should all be lined up and punched in the dick. /rant)

Re:Hold Microsoft Responsible (4, Informative)

Lumpy (12016) | about a year ago | (#43656037)

Then your legacy system is severed from any public LAN. Your security goes up by 600% if you remove its ability to do ANYTHING but what it is needed for. No, you can't email. No, you can't surf. No network access. You can only use a SANITIZED USB drive to copy the needed files off of the unit.

Not hard to keep them hacker proof if the IT and ITS departments know what they are doing.

Re:Hold Microsoft Responsible (1)

NatasRevol (731260) | about a year ago | (#43656339)

Unless the business demands it be on a public LAN.

Then what?

Re:Hold Microsoft Responsible (1)

Anonymous Coward | about a year ago | (#43656437)

If it's medical? Call up and report them for a HIPAA violation.
If it's a municipality? Document it and deliver a nice anonymous tip to the local news about how the supervisors there are risking the public with their incompetence. News LOVES that kind of story.

You have a lot of options, Public humiliation tends to get the fastest results.

Re:Hold Microsoft Responsible (1)

NatasRevol (731260) | about a year ago | (#43656457)

Well, that covers everything.

Re:Hold Microsoft Responsible (1)

Cenan (1892902) | about a year ago | (#43656689)

Right, that about does it. Report anyone using anything short of the latest version of anything for a violation of being stupid without a license. Problem solved, move along. You will of course not mind us shutting down your life support, sir! Why, you see, it's running a version of the firmware we simply cannot tolerate in this, our perfect utopia. Shut the fuck up, armchair warrior.

Re:Hold Microsoft Responsible (3, Insightful)

jeffmeden (135043) | about a year ago | (#43657247)

If it's a municipality? Document it and deliver a nice anonymous tip to the local news how the supervisors there are risking the public with their incompetence.. News LOVES that kind of story.

You have a lot of options, Public humiliation tends to get the fastest results.

Hello, channel 5? Yes, I want to report that the administrators in Washington Township decided to take a computer running Internet Explorer 8, and connect it to the PUBLIC INTERNET! Can you believe the incompe-- Yes, I will hold. Hello?

Re:Hold Microsoft Responsible (1)

Cenan (1892902) | about a year ago | (#43656613)

Then your legacy system is severed from any public LAN.

No, they most definitely are not. This whole article would never be up there unless that was decidedly NOT the case.

Re:Hold Microsoft Responsible (1)

bill_mcgonigle (4333) | about a year ago | (#43656087)

we have to make do with Win-XP VMs

But do you let those VMs go out and play on the global Internet (or even a non-isolated LAN)? By the clueful tone of your post, I'm guessing not. Yes, legacy systems suck, but they can't last forever, so competent management has a plan to replace them, especially if they're rickety, and competent IT has a plan to protect/isolate them.

BTW, *epic* rant.

Re:Hold Microsoft Responsible (1)

Cenan (1892902) | about a year ago | (#43656987)

Yes, legacy systems suck, but they can't last forever so competent management has a plan to replace them, especially if they're rickety, and competent IT has a plan to protect/isolate them.

Unfortunately for the rest of us, "not forever" is a long, long time - just shy of forever. Legacy systems last however long the business can derive a profit from running them. Including the profit of sacking anyone not absolutely vital/related in the development department, then renaming it to IT (cause that's businessy). On the bright side, the learning experience of it all far outweighs any that could be had in any of the run-of-the-mill dev shops around here.

BTW, *epic* rant.

Thank you. That one has boiled for many, many a working day.

Re:Hold Microsoft Responsible (0)

Murdoch5 (1563847) | about a year ago | (#43655603)

They could be running Windows 3.1 and IE 1.0 and it shouldn't matter. If a bug is found 20 years after your software is released then there is still a bug and you should still offer a patch. I hate when software companies issue the "It's out of service and support" line; basically you don't want to take responsibility for the fact you might have buggy software floating around.

Re:Hold Microsoft Responsible (2)

bill_mcgonigle (4333) | about a year ago | (#43656003)

If a bug is found 20 years after your software is released then there is still a bug and you should still offer a patch.

Forever, for free? Or are you planning to pay $10K up front for Windows 3.1? Or $99/yr for software maintenance on it?

Re:Hold Microsoft Responsible (5, Insightful)

Murdoch5 (1563847) | about a year ago | (#43656179)

This is why open source is the best software model on the market! You find a bug and you know how to fix it, go ahead; if you can't fix it but submit a bug report, you're almost always guaranteed another programmer can fix it. If your company adopts a closed software model then you should offer the same level of support as open source, meaning if someone finds a bug the company offers a fix. The lifetime of the software shouldn't matter; a bug today is a bug in 30 years and should be treated the same way. Yes, most people will upgrade, but the few that have no need should still get support.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43656347)

Also don't forget that you can always hire an unrelated programmer to fix that bug. It doesn't matter if the whole continent of the original programmer blew up. (Well, apart from the nuclear winter, of course. ;)

Re:Hold Microsoft Responsible (1)

bill_mcgonigle (4333) | about a year ago | (#43656411)

You correctly identify why the economics of open source are superior. That doesn't change the fact that most people aren't willing to pay up front for the costs of correct software.

Re:Hold Microsoft Responsible (1)

Murdoch5 (1563847) | about a year ago | (#43656505)

I think closed source companies should absorb the extra cost. It's just me, but when I have options that generally provide the support I want and the releases I want, then why would I pay extra? I'll pay the same, and I'm willing to pay for open source software, so match the price and provide the same service. It's like an abstraction layer: I don't care how it works under the hood, I just want the face value to work the same at all times and charge me the same money in the end.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43657319)

Forever, for free?

Car companies do it, why can't software companies? A "bug" is a design defect, plain and simple. They should not be there to begin with. And EOLing an OS while the hardware it shipped on still runs is IMO criminal.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43656177)

They could be running Windows 3.1 and IE 1.0 and it shouldn't matter. If a bug is found 20 years after your software is released then there is still a bug and you should still offer a patch. I hate when software companies issue the "It's out of service and support" line; basically you don't want to take responsibility for the fact you might have buggy software floating around.

It is painfully obvious that you do not write software for a living, open source or proprietary.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43655921)

Why are they running...

Because the Microsoft ads always say for every release "This is the best product available" or words to that effect. And their FUD prevents anyone from choosing alternate products.

Microsoft only needs to be forced to have the following added to their "We are not responsible for anything" disclaimer: "Not for important work".

Re:Hold Microsoft Responsible (1)

h4rr4r (612664) | about a year ago | (#43655985)

IE8 is still supported. Windows 7 is just now something large companies and government are moving to. When you have hundreds of applications to verify or port it takes time.

XP is still supported as well. Firefox only gained GPO support recently and not many folks are even aware that exists.

Re:Hold Microsoft Responsible (1)

Anonymous Coward | about a year ago | (#43657081)

I work for the government. The reason they haven't updated past IE 8 is because they're only allowed to use things on a list of approved software. Unfortunately, the software list still says IE 8. Why? Because IE9/10 are incompatible with some systems we use. We either upgrade and spend millions revamping critical systems to work with the new browsers/OSs in a time when NO ONE in the government has money, or we use old programs and make ourselves slightly vulnerable. It's not an ideal system, but please don't think this is due to negligence; it's a lose-lose situation.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43655415)

If I make a medical device that has a serious software bug and goes awall

You can pick awol [urbandictionary.com] or awry [reference.com] , but "awall" isn't a word.

Re:Hold Microsoft Responsible (2)

femtobyte (710429) | about a year ago | (#43655441)

If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible.

Only if your company isn't big enough to act with virtual impunity. Who was put in jail when BP murdered twelve people and devastated the gulf coast ecosystem, in order to cut maintenance costs?

Re:Hold Microsoft Responsible (1)

gstoddart (321705) | about a year ago | (#43655485)

So shouldn't companies who release buggy software be held responsible for damages and compensation?

Well, their EULAs indemnify them from this, and courts have upheld the EULAs.

So, no, they're not really held responsible, and there is a legal framework as to why.

Software companies can do almost anything they want to, or as badly as they can get away with, and for the most part there's not a thing you can do.

Awesome, isn't it?

Re:Hold Microsoft Responsible (2)

Murdoch5 (1563847) | about a year ago | (#43655651)

I think it's BS personally. If I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone, same deal. If I'm a programmer and someone gets hurt from my code, I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

Re:Hold Microsoft Responsible (2)

RabidReindeer (2625839) | about a year ago | (#43656337)

I think it's BS personally. If I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone, same deal. If I'm a programmer and someone gets hurt from my code, I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

Well, are you willing to pay for software development costs that include developers carrying insurance the way that doctors and engineering firms do? Are you willing to spend the amount of money it takes to hire competent developers? Are you willing to wait a significant amount of time so that the software design is thoroughly vetted and tested instead of just rammed out the door?

Or do you want your Lower Prices Everyday - Git-er-Dun cheap crap?

Re:Hold Microsoft Responsible (1)

Murdoch5 (1563847) | about a year ago | (#43656459)

This is why I support open source, I want my software to work, get support, be rock solid, get review and serve the public! So do I want to spend a ton of money, no, but I will in turn just pick the better development model. If I'm not willing to go / use open source then I think I should have to swallow the costs.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43655751)

As if bugs don't exist in most software out there. How dare Microsoft make this mistake!

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43655739)

If I make a medical device that has a serious software bug and goes awall and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?

No, they shouldn't. And it's funny you give the medical device example, as that's one of those things that you have probably never read, buried deep within a decade-old NT-era EULA that you [hit button to skip] past every time...(no seriously, go look)

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43656005)

You mention that and it reminds me of one of the IDEs for Java that had a disclaimer in the EULA about not being for use in medical devices, and a bunch of other off-the-wall things that I would never do in Java, like missile control platforms. Was that the NetBeans IDE?

Re:Hold Microsoft Responsible (1)

gmuslera (3436) | about a year ago | (#43655811)

Responsibility takes weird turns when using Microsoft products [nytimes.com] .

Re:Hold Microsoft Responsible (1)

Lumpy (12016) | about a year ago | (#43655931)

Because you agreed to it when you clicked YES on the EULA. The legal standing of the EULA needs to be abolished.

Re:Hold Microsoft Responsible (1)

Murdoch5 (1563847) | about a year ago | (#43656121)

I agree and I believe it's currently being attempted. No user can read, remember and process all the legal BS in a EULA, it would be like asking a child to read a college textbook and write a test, some will be able to but most will fail.

Re:Hold Microsoft Responsible (1)

h4rr4r (612664) | about a year ago | (#43655949)

I think you can dump all the oil you like and get away with a slap on the wrist. Heck, senators will even apologize to you.

Re:Hold Microsoft Responsible (1)

femtobyte (710429) | about a year ago | (#43656271)

Only if you have enough oil to dump. Try pouring a quart of crude oil onto your senator's plate when he's eating at a fancy seafood restaurant, and you'll get a far less friendly response than if you dumped over two hundred million gallons on the food supply and livelihood of millions of gulf coast residents.

Re:Hold Microsoft Responsible (1)

h4rr4r (612664) | about a year ago | (#43656523)

Well that is obvious.

You have to be too big to fail/punish/obey the law.

Re:Hold Microsoft Responsible (0)

Anonymous Coward | about a year ago | (#43656385)

If you made medical software and a hospital was using an old version that an assassin could exploit, which does not exist in the updated version, then the hospital should have updated long ago.

If you made medical software that had a bug that caused it to kill people, but you had put out an update and the hospital still continued to use the version with the bug, the hospital should still have updated it long ago.

If you made medical software and someone made their money exploiting it, you would put out updates constantly and still get exploited, because when making money is involved someone will find a way.

same old same old (0)

Anonymous Coward | about a year ago | (#43655141)

Let's blame the Chinese.

Re:same old same old (0)

sethradio (2603921) | about a year ago | (#43655311)

I know. They are communist, and that's bad.

What's communism? Uhhh... I don't know but it's bad.

Re:same old same old (1)

Anonymous Coward | about a year ago | (#43655733)

Here's some documentation on why it's bad.

The Black Book of Communism [harvard.edu]
 

Where are the stand alone machines? (2)

Picass0 (147474) | about a year ago | (#43655173)

It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.

Re:Where are the stand alone machines? (1)

sethradio (2603921) | about a year ago | (#43655347)

Why should they listen to you? You're just a dumb fourteen-year-old geek, posting on Slashdot in your basement.

Note: I'm just a fourteen-year-old geek posting to /. in my loft!!

Re:Where are the stand alone machines? (0)

Anonymous Coward | about a year ago | (#43655575)

With a six digit UID, I doubt he's 14...

Re:Where are the stand alone machines? (1)

mlts (1038732) | about a year ago | (#43655801)

Even better, why not keep the internal machines completely locked down with zero ability to connect to the Internet (and perhaps have the IDS/IPS that monitors that segment set to look for packets that are not in that IP range, just to make sure)?

Then have a Citrix server (preferably on a VMware or other hypervisor for quick snapshot rollbacks) for the Web browsers and anything that connects to the outside world directly?

This isn't rocket science, and I've seen places that used Citrix not just to keep the outside stuff out so a Web browser compromise is on an external machine, but to keep internal-use applications on secure servers, and they withstood extreme numbers of intrusion attempts without issue.

Microsoft has something similar with App-V, but Citrix is nice because one can get Receiver software on almost any platform.
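The IDS/IPS rule the comment above suggests (alert on anything leaving the locked-down segment for an address outside it) is simple enough to write down exactly. The following is an added example for this page, not code from the commenter, Citrix or any vendor: it applies that rule over constructed flow records, with a single allowed exception for the Citrix/jump host the users reach the outside world through. The segment range, the jump-host address and the flow lines are all assumptions made for the example.

```python
"""Egress check for an internal-only segment.

Added example for this page; not code from the commenter or any vendor.
The segment range, the allowed jump host and the flow lines are constructed.
"""
import ipaddress

# Hypothetical range for the locked-down machines.
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Hypothetical exception: the Citrix/terminal server users reach the outside through.
ALLOWED_EGRESS = [ipaddress.ip_network("10.50.1.10/32")]


def parse_flow(line):
    """Parse a constructed '<src_ip> <dst_ip> <dst_port> <proto>' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                int(parts[2]), parts[3].upper())
    except ValueError:
        return None


def is_violation(src, dst):
    """True when a host on the isolated segment talks to anything off it that
    is not an explicit exception. Flows that do not originate on the segment
    are ignored here; a different rule covers inbound traffic."""
    if src not in ISOLATED_SEGMENT:
        return False
    if dst in ISOLATED_SEGMENT:
        return False
    return not any(dst in net for net in ALLOWED_EGRESS)


def find_violations(lines):
    """Return 'src -> dst:port/proto' strings for every violating flow, in input order."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        if flow and is_violation(flow[0], flow[1]):
            src, dst, port, proto = flow
            out.append(f"{src} -> {dst}:{port}/{proto}")
    return out


# Constructed sample records.
SAMPLE_FLOWS = [
    "10.50.0.12 10.50.0.5 445 tcp",      # segment to segment: fine
    "10.50.0.12 10.50.1.10 1494 tcp",    # to the Citrix host: allowed exception
    "10.50.0.12 203.0.113.45 80 tcp",    # straight to the Internet: violation
    "10.50.0.12 8.8.8.8 53 udp",         # external DNS: violation, and a common beacon path
    "10.20.0.3 203.0.113.45 80 tcp",     # not from the segment: ignored by this rule
    "garbage",                           # malformed: skipped
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("EGRESS VIOLATION", v)
```

The same logic fits any flow collector or IDS that can express "source in range X, destination not in range X or Y". Two points worth keeping in mind when you deploy it: the exception list should stay as short as the Citrix host and whatever patch/AV distribution point the segment genuinely needs, and DNS is the egress that most often gets waved through, which is why the sample treats a lookup to an external resolver as a violation rather than as noise.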

Re:Where are the stand alone machines? (2)

h4rr4r (612664) | about a year ago | (#43656043)

All that stuff costs money.
People will complain the government is wasting their tax dollars if they ever tried to spend money on that.

change.org (1)

sproketboy (608031) | about a year ago | (#43655197)

We need to make a petition at change.org! Oh, I guess we only do that for Oracle.

Thanks for the help, Microsoft! (-1, Troll)

bobdehnhardt (18286) | about a year ago | (#43655211)

From the article:

Microsoft confirmed the remote code-execution vulnerability on Friday night. Versions 6, 7, 9, and 10 of the browser are immune to these attacks, so anyone who can upgrade to one of the latest two versions should do so immediately or switch to a different browser. For anyone who absolutely can not move away from IE 8, company researchers recommend the following precautions:

Helpfully, Microsoft has pulled that advisory. Going to http://technet.microsoft.com/en-us/security/advisory/2847140 [microsoft.com] gets you a 404 error message now.

Thanks, Microsoft!

Re:Thanks for the help, Microsoft! (1)

sethradio (2603921) | about a year ago | (#43655365)

It's still there.

Re:Thanks for the help, Microsoft! (0)

Anonymous Coward | about a year ago | (#43655825)

Check your connection? That link works.

Anyone remember the saying? (1, Insightful)

Anonymous Coward | about a year ago | (#43655401)

"Nobody ever got fired for picking Microsoft." The time is ripe for that being overturned.

What company ? (1)

alexhs (877055) | about a year ago | (#43655423)

a big European company operating in the aerospace, defense, and security industries

Or EADS for short. I mean, "a" ??? Is there any other ?

Re:What company? (1)

Melkman (82959) | about a year ago | (#43655633)

Yup there are other ones. Thales also comes to mind....

Re:What company? (1)

alexhs (877055) | about a year ago | (#43657099)

Oops, you're right. Wikipedia has a nice list [wikipedia.org] .
The given definition for aerospace manufacturer has "and/or spacecraft", while I thought the "and" was mandatory (to differentiate from "aeronautics").

If we go by the "and", this other list [wikipedia.org] leads to a shorter list of EADS, Thales and Safran (if I didn't miss one).

Where's The Java-Like Outrage? (1)

snookerdoodle (123851) | about a year ago | (#43655521)

While it seems to have died out a bit (and Oracle certainly showed little concern), there were cries from some people to remove Java from everyone's computer because of the (legitimate) exploits in applets. Am I missing something, or shouldn't the same people be calling on everyone to remove I.E. from their computers, given Microsoft's record with browser exploits?

Re:Where's The Java-Like Outrage? (2)

satuon (1822492) | about a year ago | (#43655613)

I've already removed it in favor of Chrome.

Remove IE? (1)

bussdriver (620565) | about a year ago | (#43656097)

You do know that IE can not be removed from Windows, right? You do know MS was in big trouble with governments over its bundling of IE and its LIES in court about it being impossible for them to remove?

Well, then you probably don't know about how Bush appointed MS to oversee its own punishment after losing the court case... and that is why the problem continues unresolved...

Re:Where's The Java-Like Outrage? (2)

cavreader (1903280) | about a year ago | (#43656149)

I will let you in on a secret. There is only a tiny number of wannabe IT experts who are "outraged" while everybody else saves their indignation for shit that really matters. And as far as software bugs go, name one program more complicated than "Hello World" that doesn't have bugs. If you want bug free software you might as well get used to a 10 year release cycle because that is how long it would take to guarantee bug free software. Of course that puts a real crimp in the advancement of any actual hardware, especially processors. Anyone running highly critical applications such as utilities has all the tools, policies, and procedures necessary to secure their networks and applications. If some moron allows Internet access to their secure system then yes, they should be held accountable for incompetence and fired. However you can't always rely on someone not doing something stupid. The most frequent vector used today is through phishing and spearing attacks via a person's e-mail and clever social manipulation. In the case of this exploit it compromised an Internet site that is little more than a brochure site with non-critical information. People brayed about the latest batch of script kiddies defacing the FBI and US Congress sites but that does not mean they got access into any secure systems. Outward facing websites should never be designed to allow someone into a secured network, and it is easy to configure and design such a system. But like I said you can't rely on everyone being competent.

Previously unknown? (0)

Anonymous Coward | about a year ago | (#43655623)

By you and me maybe.

plain shoddy, and v. others? (1)

Onymous Coward (97719) | about a year ago | (#43655821)

I used to see Internet Explorer as the devil, so full of holes it would result in your Windows box needing a reinstall every couple months.

I was aggressively advocating switching from IE around the apex of this [wikipedia.org] curve, and overjoyed as it plummeted.

Are my prior impressions about IE being buggy and dangerous still valid? Has IE cleaned up any? I get the impression it has.

And I was pushing folks to use Firefox as the alternative. How does Firefox compare to IE now? I get the impression IE is still a bad choice for a number of reasons, but also that Firefox is itself playing a game of clean-up after bloat issues.

Basically, at this point I'll push folks to use any browser that's not dominant. Get it? Fragmented influence in browser protocols means we get standards and standards compliance instead of the nightmare incompatibilities from intentional protocol "extending" and corrupting that MS and NS were pushing in their bids for complete control.

Makes me want to go back to the 2003 Slashdot posts to identify the IE advocates so I can publicly shame them now.

How about a nice game of chess? (1)

puddingebola (2036796) | about a year ago | (#43656273)

No, how about global thermonuclear war. How about Microsoft pushes updates for Internet Explorer to XP?

Re:How about a nice game of chess? (1)

servognome (738846) | about a year ago | (#43656767)

Given the current political climate I'd prefer to try out "Theaterwide Biotoxic and Chemical Warfare"

Where'd the malicious links come from? (2)

jonathanjespersen (1162397) | about a year ago | (#43656299)

From the article:

Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.

So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?
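One thing a site operator can do to answer the question above, at least after the fact, is to check what a served page actually references. The following is an added example, not code from the article, Ars Technica, or the poster: a small scanner that walks a page's active-content elements (script, iframe, object, embed, link) and flags any that pull from a host outside an allowlist of the site's own origins. The sample HTML, the host names and the allowlist are constructed for illustration.

```python
"""Flag script/iframe/object references in a page whose host is not on an
allowlist of expected origins.

Added example; not code from the article or any of the posters. The sample
HTML, host names and allowlist below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose attributes can load active content from another origin.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),   # stylesheets can also import off-site resources
}


class InjectedReferenceFinder(HTMLParser):
    """Collects (tag, attribute, url, line) for off-site active references."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ACTIVE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            host = urlparse(value).hostname
            if host is None:
                continue  # relative reference: served by the site itself
            if host.lower() not in self.allowed_hosts:
                self.findings.append((tag, attr, value, self.getpos()[0]))


def find_unexpected_references(html, allowed_hosts):
    """Return (tag, attribute, url, line) for every active-content reference
    whose host is not on the allowlist."""
    finder = InjectedReferenceFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a legitimate page with one injected off-site script.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.gov/jquery.min.js"></script>
</head><body>
<h1>Compensation program information</h1>
<p>Eligibility details.</p>
<script src="http://evil.invalid/loader.js"></script>
</body></html>"""

# Constructed allowlist of the site's own origins.
ALLOWED = ["www.example.gov", "cdn.example.gov"]

if __name__ == "__main__":
    for tag, attr, url, line in find_unexpected_references(SAMPLE_HTML, ALLOWED):
        print(f"line {line}: <{tag} {attr}=...> points off-site: {url}")
```

Run against a crawl of the site's pages on a schedule and diff the output; a reference appearing to a host nobody on the web team recognises is exactly the kind of change that this post is asking about, and it is cheap to detect without knowing how the content was modified.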

Stop calling everything a 0-day attack! (4, Insightful)

MobyDisk (75490) | about a year ago | (#43656659)

This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)

Internet Explorer 8... (1)

MakerDusk (2712435) | about a year ago | (#43656721)

If you're still using internet explorer 8, you deserve this. Microsoft is almost on IE11 at this point (looks like firefox). If it shipped with Vista, why are you still using it and thinking you're safe? While you're at it, why not use Windows XP and avoid security updates as well... If you don't like 8, install 7. If your programs aren't compatible with anything later than XP... well... those will have security that's so outdated you might as well just consider the entire system a liability and get insurance for the lawsuits.

Lousy system administration (0)

Anonymous Coward | about a year ago | (#43656929)

The system administration there must be really lousy.
Normally you won't be affected by browser bugs like this.
Because your users work as an unprivileged user, not an admin.
Because you have a group policy that forbids execution of software from locations where users can write to.
Because you have a proxy or firewall that forbids users downloading software.
Because your network layout is such that compromised systems cannot connect to C&C servers.
etc.

There should be multiple layers of defense in such a system and network, and apparently there aren't.
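Two of the layers the post lists, a proxy that refuses software downloads and a network layout in which workstations can only reach approved destinations, can be checked directly against proxy logs. The following is an added example, not code from the article or the poster: it evaluates constructed proxy log lines against a made-up egress policy and reports every line that one of those layers should have stopped. The log format, subnet, host names and policy values are all assumptions.

```python
"""Evaluate constructed proxy log lines against two of the layered controls
described in the post: workstations may only reach an allowlist of
destinations (never raw IPs), and no software downloads pass the proxy.

Added example; not from the article or the poster. Log format, subnet,
host names and policy values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed log format: "<client_ip> <method> <url> <status> <content_type>"
SAMPLE_LOG = """\
10.20.1.15 GET http://intranet.corp.example/portal/ 200 text/html
10.20.1.15 GET http://www.dol.example.gov/energy/program.htm 200 text/html
10.20.1.15 GET http://198.51.100.23/loader.js 200 application/javascript
10.20.1.15 GET http://update.vendor.example/tool.exe 200 application/x-msdownload
10.20.1.42 GET http://203.0.113.9/gate.php 200 text/plain
"""

# Constructed policy values.
WORKSTATION_NET = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_DESTINATIONS = {
    "intranet.corp.example",
    "www.dol.example.gov",
    "update.vendor.example",
}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr", ".dll")


@dataclass
class Finding:
    client: str
    url: str
    rule: str


def is_ip_literal(host):
    """True when the request went straight to an IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(log_text):
    """Return a Finding for every log line that violates the egress policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, url, status, ctype = line.split()
        host = urlparse(url).hostname or ""
        if ipaddress.ip_address(client) in WORKSTATION_NET:
            if is_ip_literal(host):
                findings.append(Finding(client, url, "direct-to-IP request from workstation"))
            elif host not in ALLOWED_DESTINATIONS:
                findings.append(Finding(client, url, "destination not on egress allowlist"))
        if ctype in BLOCKED_CONTENT_TYPES or url.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(Finding(client, url, "software download through proxy"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.client} -> {f.url}: {f.rule}")
```

The same rules are what the proxy should enforce at request time; running them over historical logs tells you whether the layer was ever actually in place, which is the gap the post is pointing at.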
