back to article IE 0day accidentally leaked to Chinese hackers

Details concerning a potentially serious security vulnerability in fully patched versions of Microsoft's Internet Explorer have been leaked to people in China, a researcher warned over the weekend. Michal Zalewski, a security researcher at Google, blogged that data concerning at least one “clearly exploitable crash” in the …

COMMENTS

This topic is closed for new posts.
  1. Tom Chiverton 1
    FAIL

    Umm

    'accidentally leaked' ? ITYM 'also discovered by'.

  2. Destroy All Monsters Silver badge
    Badgers

    I accidentally the whole server!

    Proposal:

    "accidentally been indexed by Google" == "googlexed"

  3. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    The 0day wasn't leaked *to* the Chinese

    If you read the original blog post you'll see that Zalewski isn't saying that they accidentally leaked the data to the Chinese but that a Chinese IP address accessed Zalewski's website having used some Google search terms that suggest very heavily that they (the Chinese IP address) already knew about the vulnerability and were looking to see if anyone else knew about it.

    The Chinese (allegedly) appear to have leaked the fact that they already knew about this 0day, which is interesting.

  5. Anonymous Coward
    Joke

    Time flies like an arrow,

    Steve Ballmer likes a Toupée.

  6. Tom 35

    sitting on a web server

    What, they just hoped no one would find it?

    MS knew about it for ages, but sat on it. Now they can wait and see if it gets used, then maybe fix it after a few more months.

    Must be one of the hard to fix bugs because it's commingled with other Windows features.

  7. Pete 8

    Oops!

    hacked self wide open 'researching', coders come sniffing using the goog as mega C&C, game over.

    Surfing in places you wouldnt take your Mother? Hmmm.

    Tea & biscuits anyone?

  8. Anonymous Coward
    Thumb Down

    Ahhh Hmmmmmm Ummmmmmmm

    Ummmmmm well another Microsoft battle - with the management leading from the rear and the consumers as cannon fodder.

    Hmmmmmmmmmmmmmmmm

  9. zen1
    Grenade

    If its that important

    Why not place it in a url that isn't accessible to google crawlers? I mean just because you have a webserver out there does that give google free license to crawl it? Conversely, Microsoft could take matters into their own hands and implement some form of security that would deny access to such url's from google IP addresses.

    1. Hans 1
      Boffin

      Blocking google crawlers

      All you need is a robot.txt file to block google crawlers from accessing specific parts of your website ... third-party crawlers might ignore though ...

      http://webdesign.about.com/od/promotion/ht/htrobotstxt.htm

  10. Anonymous Coward
    Pint

    Note to Chinese hackers

    Next time use a US-based IP address and everything will be OK.

  11. Anonymous Coward
    Paris Hilton

    Double take...

    >On December 30, detailed search queries [At Google?] showed that the sensitive information, in addition to files for an unpublished security tool, had been retrieved by the unknown party.<

    Am I reading this right? Google employees casually check the Google search logs to see who (IP address, unique cookies etc) used specific search phrases?

    The Lord and Scroogle help us :-(

    Paris - because Michal Zalewski knows I searched for her on Christmas Eve.

    1. Version 1.0 Silver badge
      Happy

      weblog

      Nope - the users own web server logs would have provided all of that information.

  12. Anonymous Coward
    Flame

    Microsoft

    So, another critical security bug in MS software.

    Yet another reason for offices around the world to ditch their shitty software and move to another OS. (ANY other OS!)

    1. Anonymous Coward
      Flame

      Any other OS?

      Why do you think joyriders steal certain types of car? Because they are common, cheap, and purely protected. Lowest common denominator.

      Once any OS achieves a reasonable market penetration it will very quickly come under the same level of attack as Windows. But given Windows has ~87% of the market, who'd go chasing anything but Windows.

      I'm not defending MS - their stuff is leaky as hell and needs fixed or replaced. But don't be under the illusion that other OSs are bug and vulnerability free. If the same effort was focused on finding faults, far more would be discovered.

      Ironic that Open Source Linux is essentially Security by Obscurity since it has such a limited user base :)

  13. PhilipN Silver badge
    Troll

    Chinese?

    Who? I am in Hong Kong as sundry web services insist on reminding me with unwanted content.

    What does that make me? Chinese?

    I'm from Liverpool and as they say there as a farewell parting to an unwanted acquaintance : "Have an accident".

  14. mhenriday
    FAIL

    «Accidentally leaked to Chinese hackers» ?

    This is how Michal Zalewski himself sums up the matter : «[t]he pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely». I am aware that the US military and that country's foreign ministry, not to speak of legislators seeking votes and certain economists seeking brownie points, tend to portray the Chinese as their favourite bêtes noires, but do Reg columnist have to join the chorus ?...

    Henri

    1. Anonymous Coward
      Stop

      @mhenriday: Don't Worry, China has Nukes

      Even if much of these allegations are fabricated, it won't matter too much because since Mao the Chinese have a functioning military the U.S. won't want to mess with. (see Korea)

      From what I know out of non-government sources, Chinese IT equipment is indeed often laden with some sort of malware features. Think of IP-connected cameras streaming images home to their manufacturer and the like. Simple logging at the gateway will give them away, so their methods are still quite rough...

  15. Doug Glass
    Go

    "accidentally leaked"

    Is a frelling oxymoron moron.

This topic is closed for new posts.

Other stories you might like