
Microsoft plasters IE8 hole abused in nuke lab PC meltdown

Microsoft has issued a temporary fix for a high-profile Internet Explorer 8 vulnerability. This is the bug linked to recent targeted attacks against web pages accessed by nuclear weapons research teams at the US Department of Labor website. The Fix It, released late on Wednesday, is designed to offer a temporary block against …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Anonymous Coward

Re: MS Windows in high security organisations is a recipe for disaster.

Eadon, you're right again as ever.

I'll use a 4 year old browser and Linux from 2001 and will never have to patch it ever, no really, I'm using your logic. Because it's so secure I will never, ever, have to patch it.

4
7
Bronze badge

Re: MS Windows in high security organisations is a recipe for disaster.

Yes Eadon, we all believe your rhetoric. No malware can ever cause the downfall of your beloved Linux....

... hang on I am sure I read... yes there it is! Cdorked!

2
7
Anonymous Coward

Re: MS Windows in high security organisations is a recipe for disaster.

"Linux (which is architecturally highly secure and easily hardened), is available and for no cost and a lower TCO."

Linux is just a kernel. Not much browser ability there, huh?

2
4
Silver badge

Re: Quick Eadon!

We need your input on this thread: http://forums.theregister.co.uk/forum/1/2013/05/08/cdorked_latest_details/

Funny, you're normally so quick to post on any story that's linux related...

3
2
Anonymous Coward

Re: 4 year old browser and Linux from 2001

Yeah, Eadon is a flaming PITA. But, and I say this as a confirmed *softie, in this instance he's right. People doing nuclear weapons research should not be on Windows system running IE8.

Oh, I understand all the practical reasons behind it because I'm working at a government facility that requires we use IE8 and an outdated and no longer supported version of Java for certain mission critical web based apps. But that doesn't mean the real problem isn't some up-chain schmuck who really needs to remove his/her entire upper torso from his/her nether regions.

4
0
Silver badge
FAIL

Re: Quick Eadon!

Please stop spreading this FUD!

For one, they don't even know how the malware is installed, and given the relatively small number of sites, it is believed each one was hacked manually.

One reason is that you can't simply go changing the apache binary the way they did, unless the one doing it had root rights.

1
0
Bronze badge

Re: MS Windows in high security organisations is a recipe for disaster.

It's a pity that no other OS exists than Linux.

Pity some folks couldn't create something and, oh, call it *BSD. Or Solaris.

Or even stay a browser version back.

It's *ALL* about the OS and one's enthusiasm.

Dude, I run Linux boxes, Solaris boxes, *BSD boxes, Windows messes.

The reality of the world is, the world overall uses Windows.

Get over it.

I have. Indeed, it's been job security for me.

1
0
Bronze badge

Re: Quick Eadon!

> Please stop spreading this FUD!

What FUD? Are you saying it hasn't happened?

> For one, they don't even know how the malware is installed, and given the relatively small number of sites, it is believed each one was hacked manually.

Ahh no you realise it has happened, so that makes your first statement a barefaced lie. As for how it got there, the fact that they don't know should worry you more than making up how they "think" it got there.

> One reason is that you can't simply go changing the apache binary the way they did, unless the one doing it had root rights.

Then how did they get the root rights? You have still not explained this? Was it an exploit, manually done from the site, brute forced? No one has answered this yet you wave it around like fact.

0
1
FAIL

I'm tired of this typical MSFT marketing crap.

From the voice of the monopolist: "Customers should apply the Fix It or follow the workarounds listed in the advisory to help protect against the known attacks while we continue working on a security update"

...or use a different browser.

8
5
Anonymous Coward

Re: I'm tired of this typical MSFT marketing crap.

"...or use a different browser."

A different browser like Chrome and Firefox?

Maybe you need to read the Secunia 2012 Vulnerability Review. Out of the 50 most used programs (including Windows), Google Chrome and Mozilla Firefox were in first and second place for programs with the most vulnerabilities. And most of these vulnerabilities were rated by Secunia as either 'Highly critical' (78.8%) or 'Extremely critical' (5.3%).

http://secunia.com/vulnerability-review/vulnerability_update_top50.html

2
4
Anonymous Coward

Re: AC, 12:31

Shhhh, the freetards are venting! The last thing they need is facts!!

1
5
FAIL

AstroTurfing Alert

Is 'AC' a pseudonym for Microsoft Employee of the Month?

That report is old. I also noticed the results from CanSecWest 2 months ago - another MSFT FAIL!

3
2
Anonymous Coward

Re: AstroTurfing Alert

"Is 'AC' a psuedonym for Microsoft Employee of the Month?

That report is old. I also noticed the results from CanSecWest 2 months ago - another MSFT FAIL!"

Hmm. Accuses ACs of being shills. Ends posts with "FAIL!" Why not just call yourself Lamb Chop and see whether anyone gets it?

0
4
Silver badge
Devil

HERP DERP I have muh statistics!

> Google Chrome and Mozilla Firefox were in first and second place for programs with the most vulnerabilities

Dontcha mean the most disclosed or discovered vulnerabilities?

Why anyone still goes near a browser from MiSFiT is a mystery. Maybe because it comes with free Silverlight?

3
1
Silver badge

Re: I'm tired of this typical MSFT marketing crap.

If you don't know the root cause of the exploit, it might not be sufficient to be using a different browser so long as IE8 is installed. This is the huge technical mistake MS made in their legal anti-trust fuster cluck all those years ago: the IE components are still part of the OS and therefore accessible to other apps even if you aren't actively using them. I'm assuming the other versions aren't vulnerable because they've replaced the vulnerable files as opposed to some other improvement (like sandboxing) in the browser itself.

1
0
Bronze badge

Re: AC, 12:31

"Shhhh, the freetards are venting! The last thing they need is facts!!"

ROFLMAO!

I've long said, the world is lousy with sinners and sparse on saints.

Such as run <platform not Windows> and browser, ignoring the living hell out of browsers are lousy overall for security overall and loaded with security bugs...

Run <platform not Windows> anyway. It fixes the bugs of something outside of its damned platform by magic!

0
1
Bronze badge

Re: AstroTurfing Alert

So, the OS fixes all BROWSER fails?

No, it doesn't. It merely shifts the target slightly.

The most prevalent platform gets the tonnage of hits.

Indeed, I recall a recent attack that was incredibly well documented, which is ignored by the non-M$ platform community of vagrants.

Want a hint? Apply for a job and tell me that Linux or *BSD is the cure, you'll go without employment, as would a M$ platform evangelist. I look for a bit of common sense and *real* knowledge before someone gets a position.

0
2
Bronze badge

Re: HERP DERP I have muh statistics!

"Why anyone still goes near a browser from MiSFiT is a mystery. Maybe because it comes with free Silverlight?"

Or, it comes with the most used OS on the planet, like it or not.

Had someone fired for using a server to read his webmail once, after I walked in on him doing so.

OK, he wasn't fired, he was transferred to someplace unpleasant called Iraq.

0
3
Bronze badge
Linux

Typical MS behaviour.

They create their own hell.

Had they decoupled IE from the rest of the OS (A restriction which is largely artificial) XP Laggards could just deploy IE9 and MS would have to only maintain a single version of IE. (The latest one.)

5
2
Anonymous Coward

Re: Typical MS behaviour.

"MS would have to only maintain a single version of IE. "

Wow thank you for your enlightenment.

Thank god the whole world is running on the very latest version of FF, Chrome, Iron and Opera, on the very latest version of <insert any os>, that way they don't have to maintain the older versions and check for backward compatibility.

1
5
Anonymous Coward

Re: Typical MS behaviour.

"XP Laggards could just deploy IE9 and MS would have to only maintain a single version of IE"

Think you'll find 10 is the latest with 11 in progress. But still, let's not let a rant get in the way of facts.

0
2
Devil

Re: Typical MS behaviour.

By not updating IE for XP, it's another "Cricket bat around the head" to move users away from XP and spend more money on WIN 8.

2
0
Anonymous Coward

Re: Typical MS behaviour.

I don't think he said it was the latest version, did he?

The point I think being made was that MS artificially blocked IE9 from being installed on XP to force users to go to Windows 7 - the fact that the latest version is now IE10/11 is irrelevant (as IE9 does not have the vulnerability). So it was an MS decision to limit XP users to IE8 that is causing a problem - as XP users cannot just upgrade to IE9. Result - more XP users move to Chrome/FF etc as IE8 becomes more vulnerable (and this will happen more and more in the future).

MS need to realise that people won't (and didn't) upgrade an OS just to get an updated browser - they are (and were) more likely to use a different browser completely.

4
0
Anonymous Coward

Re: MS artificially blocked IE9 from being installed on XP

yeah, and windows 95 and ME! Bastards! They should obviously support all old versions of windows and ie so we can then moan on about how out of date and insecure their products are...

0
2
Anonymous Coward

Re: MS artificially blocked IE9 from being installed on XP

no, man we too busy moaning about how out of date and insecure their current products are :)

can't you distinguish between a genuine reason for a software instance not running on a system, and an artificially created reason?

0
1

Re: MS artificially blocked IE9 from being installed on XP

The difference is that Windows ME and 95 are not in support with Microsoft anymore and haven't been for years, whereas XP was still being sold on new PCs up until late 2009 and is still receiving security updates until next April, yet they chose not to back port IE9 or later versions of IE to XP in the naive belief that people would go out and buy Windows 7 to get a new browser and not just download FF, Chrome, Opera etc., the latest versions of which all still work on XP.

2
0
Silver badge

Re: A restriction which is largely artificial

Yes, it is largely artificial. But it is legally binding. Which is of course the bitch when you game the legal system.

0
0
Silver badge

Re: force users to go to Windows 7

Actually it was Vista. I'll grant you Vista was nearly as bad as ME and therefore people like to forget about it, but we shouldn't forget about it.

1
0
Bronze badge

Re: Typical MS behaviour.

True! Why bother educating developers, we can simply shift OS and all is good.

Save, that reality reads otherwise.

But, hyperbole and platform evangelism is true, factual reports are not.

Well, on the planet Stupidia, in the Morania cluster...

0
2
Bronze badge

Re: force users to go to Windows 7

"Actually it was Vista."

Funny, here at home, I have two Vista machines. Each, equally poorly behaved.

I *really need* to get them upgraded to 7.

8 is totally off. Go to that, might as well upgrade to Solaris. ;)

0
0
Silver badge

When will they get around to fixing that WPAD flaw in IE that leaves users open to attack?

1
0
Silver badge
Meh

MS Fail?

Sounds more like security at the organization failed.

1
0
Bronze badge

Re: MS Fail?

"Sounds more like security at the organization failed."

Only on days that end in "y" in English... :/

Still, it's job security!

0
0
Bronze badge
Mushroom

"When will they get around to fixing that WPAD flaw in IE that leaves user open to attack?"

Back in 2007: http://technet.microsoft.com/en-us/security/advisory/945713

1
3
Silver badge

If you had seen my previous posts then you would have realised that I was not actually referring to that issue. I suppose I should have been more specific though.

1
0
Silver badge

http://forums.theregister.co.uk/forum/1/2013/04/21/Vimes_Serious_WPAD_flaw_in_IE/

1
0
Silver badge

No mention of IE either in that article you linked to by the way. Did you just search for WPAD but not pay attention to the rest?

1
0
Boffin

WPAD

WPAD exposes every Windows PC in the UK to the risk of browser hijack by the Brazilian owner of the wpad.co.uk domain.

That security flaw is now enabled by *default*.

It's a yawning, gaping, chasm of a security flaw and it is now enabled by default for most Windows PC users in the UK.

1
0

More info here

WPAD: The Internet Explorer Security Flaw that Threatens all UK Microsoft Users

https://nodpi.org/2013/05/09/wpad-the-internet-explorer-security-flaw-that-exposes-all-microsoft-users-in-the-uk/

1
0
Bronze badge

Re: More info here

"WPAD: The Internet Explorer Security Flaw that Threatens all UK Microsoft Users

https://nodpi.org/2013/05/09/wpad-the-internet-explorer-security-flaw-that-exposes-all-microsoft-users-in-the-uk/"

Funny, I recall that best practices is to remove automatic proxy nonsense from the configuration. It is, here in the US and occasionally observed in corporate environments. Hell, even government environments.

Is it *that* hard?

0
2
Boffin

Re: More info here

It's not hard at all, once you're aware.

The problem is the flaw is enabled by default and most people are unaware.

0
0