Linux News
The world is talking about GNU/Linux and Free/Open Source Software

It was (again) IE from M$ that caused the 'hack-possibility'

Story: A new approach to China

Total Replies: 11

Author	Content
henke54 Jan 15, 2010 12:21 PM EDT	Quoting:"The company has determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks targeted against Google and other corporate networks," a Microsoft spokesperson told Ars. http://arstechnica.com/microsoft/news/2010/01/microsoft-warn... For this reason Google has improved security : http://gmailblog.blogspot.com/2010/01/default-https-access-f... http://www.sbmteam.com/blog/gmail-security
d0nk3y Jan 15, 2010 5:13 PM EDT	Also should be noted that the vulnerability affects IE6, 7 and the latest 8 as well. The hole has existed since the beginning of the decade at least and well before all the 'trusted computing' and 'security development' focus was implemented..
number6x Jan 15, 2010 5:50 PM EDT	Six years ago Microsoft shared its source code with the Chinese Government: http://slashdot.org/articles/03/02/28/1639216.shtml?tid=109 Even though Jim Allchin testafied before congress that revealing MS source code would be a threat to US security: http://www.eweek.com/c/a/Security/Allchin-Disclosure-May-End... ) Now, the Chinese government has been caught in a cyber attack against one of Microsoft's biggest rivals using a decade old flaw Microsoft never fixed. Is this through the looking glass or what?
tuxchick Jan 15, 2010 5:57 PM EDT	number6x, it's dizzying.
softwarejanitor Jan 15, 2010 7:14 PM EDT	The only surprising thing about it is that anyone is surprised about it.
jdixon Jan 15, 2010 7:26 PM EDT	> The only surprising thing about it is that anyone is surprised about it. By which? The decade old unpatched bug in IE, or the Chinese government using the code Microsoft released to them to attack US corporations? I'm not particularly surprised by either. Not that their using the code in this way almost certainly violates the agreement they signed with Microsoft, but there's not a whole lot Microsoft can do about it now. Hmm, maybe we'll finally see Microsoft moving off the old Windows code and using a BSD kernel for their next release after all.
gus3 Jan 15, 2010 7:44 PM EDT	Quoting:maybe we'll finally see Microsoft moving off the old Windows code and using a BSD kernel for their next release after all. Only after the Large Hadron Collider destroys the universe.
Bob_Robertson Jan 16, 2010 9:15 PM EDT	> The decade old unpatched bug in IE... As has been said in other threads in other fora, an "undiscovered vulnerability" does not exist, by definition, since it's not been discovered. ...until it is.
number6x Jan 17, 2010 3:44 PM EDT	Thanks for the correction Bob. Also, my references do not prove that Chinese hackers used the source code revealed to China to find the exploit. However because they had the source it is not beyond the realm of possibility. It's just one of those 'curioser and curioser' coincidences.
Bob_Robertson Jan 17, 2010 4:14 PM EDT	Sorry, 6, I meant it as no correction at all. What I was trying to say is that people have chided ME for using the phrase "undiscovered vulnerability". The biggest problem I have with Microsoft style "security" is that it's closed. We cannot know how many "previously undiscovered vulnerabilities" are actually problems that Microsoft knew about, but decided weren't worth fixing.
gus3 Jan 17, 2010 4:59 PM EDT	Quoting:We cannot know how many "previously undiscovered vulnerabilities" are actually problems that Microsoft knew about, but decided weren't worth fixing. It's "worth fixing" only when enough people find out about it, usually through actual damage to data integrity. In the face of Melissa/Mailissa, Code Red, Nimda, Back Orifice, SQL Slammer, Conficker/Downadup, and on and on and on, I would no more recommend M$ for anything, anywhere, than I would recommend using a lug wrench made of chewing gum.
henke54 Jan 20, 2010 9:54 AM EDT	Quoting:Yet, independent researcher Dino Dai Zovi had modified the exploit code by Monday morning to compromise Windows XP and Vista systems using Internet Explorer 7, he said. He expected to succeed in exploiting the same vulnerability on Internet Explorer 8 and Windows XP systems, he added. http://www.securityfocus.com/brief/1064

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!