It was (again) IE from M$ that caused the 'hack-possibility'

Story: A new approach to China
Total Replies: 11
henke54

Jan 15, 2010
12:21 PM EDT
Quoting: "The company has determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks targeted against Google and other corporate networks," a Microsoft spokesperson told Ars.
http://arstechnica.com/microsoft/news/2010/01/microsoft-warn...

For this reason Google has improved security: http://gmailblog.blogspot.com/2010/01/default-https-access-f... http://www.sbmteam.com/blog/gmail-security
d0nk3y

Jan 15, 2010
5:13 PM EDT
Also should be noted that the vulnerability affects IE6, 7 and the latest 8 as well.

The hole has existed since the beginning of the decade at least and well before all the 'trusted computing' and 'security development' focus was implemented.
number6x

Jan 15, 2010
5:50 PM EDT
Six years ago Microsoft shared its source code with the Chinese Government: http://slashdot.org/articles/03/02/28/1639216.shtml?tid=109

Even though Jim Allchin testified before Congress that revealing MS source code would be a threat to US security: http://www.eweek.com/c/a/Security/Allchin-Disclosure-May-End...

Now, the Chinese government has been caught in a cyber attack against one of Microsoft's biggest rivals using a decade-old flaw Microsoft never fixed.

Is this through the looking glass or what?
tuxchick

Jan 15, 2010
5:57 PM EDT
number6x, it's dizzying.
softwarejanitor

Jan 15, 2010
7:14 PM EDT
The only surprising thing about it is that anyone is surprised about it.
jdixon

Jan 15, 2010
7:26 PM EDT
> The only surprising thing about it is that anyone is surprised about it.

By which? The decade old unpatched bug in IE, or the Chinese government using the code Microsoft released to them to attack US corporations? I'm not particularly surprised by either.

Not that their using the code in this way almost certainly violates the agreement they signed with Microsoft, but there's not a whole lot Microsoft can do about it now.

Hmm, maybe we'll finally see Microsoft moving off the old Windows code and using a BSD kernel for their next release after all.
gus3

Jan 15, 2010
7:44 PM EDT
Quoting: maybe we'll finally see Microsoft moving off the old Windows code and using a BSD kernel for their next release after all.
Only after the Large Hadron Collider destroys the universe.
Bob_Robertson

Jan 16, 2010
9:15 PM EDT
> The decade old unpatched bug in IE...

As has been said in other threads in other fora, an "undiscovered vulnerability" does not exist, by definition, since it's not been discovered.

...until it is.
number6x

Jan 17, 2010
3:44 PM EDT
Thanks for the correction Bob. Also, my references do not prove that Chinese hackers used the source code revealed to China to find the exploit. However, because they had the source it is not beyond the realm of possibility.

It's just one of those 'curiouser and curiouser' coincidences.
Bob_Robertson

Jan 17, 2010
4:14 PM EDT
Sorry, 6, I meant it as no correction at all.

What I was trying to say is that people have chided ME for using the phrase "undiscovered vulnerability".

The biggest problem I have with Microsoft style "security" is that it's closed. We cannot know how many "previously undiscovered vulnerabilities" are actually problems that Microsoft knew about, but decided weren't worth fixing.
gus3

Jan 17, 2010
4:59 PM EDT
Quoting: We cannot know how many "previously undiscovered vulnerabilities" are actually problems that Microsoft knew about, but decided weren't worth fixing.
It's "worth fixing" only when enough people find out about it, usually through actual damage to data integrity.

In the face of Melissa/Mailissa, Code Red, Nimda, Back Orifice, SQL Slammer, Conficker/Downadup, and on and on and on, I would no more recommend M$ for anything, anywhere, than I would recommend using a lug wrench made of chewing gum.
henke54

Jan 20, 2010
9:54 AM EDT
Quoting: Yet, independent researcher Dino Dai Zovi had modified the exploit code by Monday morning to compromise Windows XP and Vista systems using Internet Explorer 7, he said. He expected to succeed in exploiting the same vulnerability on Internet Explorer 8 and Windows XP systems, he added.
http://www.securityfocus.com/brief/1064
