IE bug used in Chinese attacks on Google

[Dan Grossman]

While investigating the recent attacks disclosed by Google earlier this week, Microsoft has concluded that Internet Explorer was used as an attack vector. As a result, the software giant has issued a security advisory for the vulnerability.

http://arstechnica.com/microsoft/new...le-attacks.ars

http://www.microsoft.com/technet/sec...ry/979352.mspx

[raena]

Oh wow. Good find, Dan!

Seems there was some prior hooey, now disproven, about it possibly being PDF as well.

[stonedeft]

Another item added on my the reasons I hate IE6 list

[SpacePhoenix]

Another item added on my the reasons I hate IE6 list

From what I've read it also affects IE7 and IE8

[Dan Grossman]

This is a bug in almost all of 'em, yeah. That's why the German government recommended nobody use Internet Explorer at all until Microsoft patches it.

[raena]

Australian government says no way Jose: Govt issues IE security warning

[felgall]

According to one news report I saw, Microsoft themselves are now recommending that everyone change the security settings for the internet to HIGH if they are using Internet Explorer 6. That effectively disables all scripting capability in the browser if you follow their instructions. Their alternative suggestion for those who don't want to do that is to upgrade to IE8.

[stonedeft]

According to one news report I saw, Microsoft themselves are now recommending that everyone change the security settings for the internet to HIGH if they are using Internet Explorer 6. That effectively disables all scripting capability in the browser if you follow their instructions. Their alternative suggestion for those who don't want to do that is to upgrade to IE8.

Why can't they just advice the public not use this crappy browser

[JeffWalden]

Why can't they just advice the public not use this crappy browser

Because this browser is still installed on the majority of corporate workstations.

[cheesedude]

France warned against using IE, too. That's something I knew 5.5 years ago when I started using Firefox.

[Dr John]

So first you have to be using the IE browser with the security setting set to lower than recommended.

And then you have to receive an email directing you to some specific website that has been specially coded by a hacker.

Then you have to believe the email and go there.

Then you have to click on something on the site, usually to install some dodgy software.

And that creates a security risk.



Me? I just ignore random recommendations to visit websites that come through unsolicited email. Much easier than changing my browser (which just happens to be Firefox anyway, and has been for many years).

BUT ALSO

A couple of years ago, the code for Firefox was found to contain a group of weaknesses that had been in it since it was first built and was in every release for several years, and had been in netscape for a few years before that as well. The governments didn't scream dump Firefox, we just waited until the next update came along and took it. Which is exactly what IE users should do.

Panic reactions from governments are usually not worth listening to.

I remember many years ago, when first a vet died in a very careless accident, then his lover (not his wife) committed suicide using the same drug that he got injected with, and the UK government immediately banned it's use. It took six months for the vets to convince them that everyone already knew it was dangerous (very, very dangerous) and that the original accident had broken every safety rule recommended by the drug manufacturer, and to get its use allowed again (it was the stuff you see them use to sedate elephants in those wildlife programs).

Now here we have another government or two panicking and trying to impress voters into thinking that they are looking after them.

Just remember, if Firefox every becomes THE dominant browser, it will be the one that hackers examine for weaknesses and exploit. Will the governments then scream drop Firefox, use IE instead?

[AlexDawson]

Dr John, you aren't wrong (hey that rhymes!). Whenever the press or government gets their greedy uneducated paws on something technology related it gets blown out of proportion. Just look at virus reports, every now and again the press will get wind of a computer virus and act like the Y2K bug has come back with a vengeance. Though I am rather pleased (secretly) that everyone is telling everyone else to upgrade or dump Internet Explorer... perhaps this shake up is exactly what government organisations need to get rid of their deprecated elderly copies of IE6. After all, besides corporations it's government institutions who are the worst for having outdated exploit ridden copies of web browsers. Perhaps we should be helping to escalate the fear-mongoring if only to try and wipe out IE6 using it's own current negative publicity. I know it probably isn't a good idea but it might finally do something to shift IE6 out of our way.

[SpacePhoenix]

I don't think that many companies will switch away from IE6 as a result. Some may have web apps that only work in IE6 and it would cost x to update them or y to replace them, they might decided that it's just cheaper to severely restrict the access of their employees to the Internet.

[AlexDawson]

True SpacePhoenix, why is why I aimed this at government level, their among the worst offenders and perhaps this news (along with their advice) will make them consider spending to ensure the security of their data. It's rather disconcerting that sensitive data is being read and written on IE6 based machines.

[Dorsey]

On any subject about which I know more than the average person, the government and mainstream media always get it wrong. Here we go again.

The media have a long history of taking a story, distorting or ignoring facts (see Dr. John's comments above), and then drawing conclusions that "sell papers". Politicians simply want to get their names and faces into the media so they feed the frenzy, especially against any large corporation. I'm surprised that some U.S. politician isn't calling for a federal ban on IE6 ostensibly to "save the children", which is always a winner.

At least when a movie, TV program, or made-for-TV movie dramatizes something to gain an audience, the warning: "based on a true story" is displayed. The screen version ultimately bears little resemblance to the story upon which it's based, especially the conclusion. In this case, the basis of a fantastic story is an avoidable bug in IE6. The rest of the story is a worldwide shutdown of the Internet with people's financial and personal data at risk, children's safety being compromised, satellites going out of orbit, melting of the polar icecaps, and all the rest. Had one courageous programmer simply fought the mighty Microsoft machine and "done the right thing", all of this death and destruction could have been avoided.

[bobharpista]

I still don't know why most people use IE.

[JeffWalden]

I still don't know why most people use IE.

Because it's been the default browser for so long - it's all they know.

[Brooger]

Lots of errors in IE

[Dr John]

Out Of Synch patch now available for this problem
http://www.pcadvisor.co.uk/news/inde...newsid=3210703

[mkoenig]

You mean some people are still using that thing?

[robbin.joe]

IE is so terrible browser!!!
never use it!

[r937]

I still don't know why most people use IE.

i'll tell you why some of us use it -- because we like it

IE is an awesome browser and firefox is "a piece of junk"

[Aleksejs]

And it goes on:
http://www.darkreading.com/vulnerabi...67&cid=RSSfeed

[Shaun(OfTheDead)]

So first you have to be using the IE browser with the security setting set to lower than recommended.

And then you have to receive an email directing you to some specific website that has been specially coded by a hacker.

Then you have to believe the email and go there.

Then you have to click on something on the site, usually to install some dodgy software.

And that creates a security risk.



Me? I just ignore random recommendations to visit websites that come through unsolicited email. Much easier than changing my browser (which just happens to be Firefox anyway, and has been for many years).

BUT ALSO

A couple of years ago, the code for Firefox was found to contain a group of weaknesses that had been in it since it was first built and was in every release for several years, and had been in netscape for a few years before that as well. The governments didn't scream dump Firefox, we just waited until the next update came along and took it. Which is exactly what IE users should do.

Panic reactions from governments are usually not worth listening to.

I remember many years ago, when first a vet died in a very careless accident, then his lover (not his wife) committed suicide using the same drug that he got injected with, and the UK government immediately banned it's use. It took six months for the vets to convince them that everyone already knew it was dangerous (very, very dangerous) and that the original accident had broken every safety rule recommended by the drug manufacturer, and to get its use allowed again (it was the stuff you see them use to sedate elephants in those wildlife programs).

Now here we have another government or two panicking and trying to impress voters into thinking that they are looking after them.

Just remember, if Firefox every becomes THE dominant browser, it will be the one that hackers examine for weaknesses and exploit. Will the governments then scream drop Firefox, use IE instead?

[felgall]

Presumably since Microsoft released a patch for IE8 as well as IE6 the issue was in fact at least potentially with all versions of IE.

One of the biggest problems with IE is that it doesn't provide the same level of control on what is and isn't enabled in the browser as other browsers do - possibly because it is still tied too closely into the operating system.