Umm
'accidentally leaked' ? ITYM 'also discovered by'.
Details concerning a potentially serious security vulnerability in fully patched versions of Microsoft's Internet Explorer have been leaked to people in China, a researcher warned over the weekend. Michal Zalewski, a security researcher at Google, blogged that data concerning at least one “clearly exploitable crash” in the …
This post has been deleted by its author
If you read the original blog post you'll see that Zalewski isn't saying that they accidentally leaked the data to the Chinese but that a Chinese IP address accessed Zalewski's website having used some Google search terms that suggest very heavily that they (the Chinese IP address) already knew about the vulnerability and were looking to see if anyone else knew about it.
The Chinese (allegedly) appear to have leaked the fact that they already knew about this 0day, which is interesting.
Why not place it in a url that isn't accessible to google crawlers? I mean just because you have a webserver out there does that give google free license to crawl it? Conversely, Microsoft could take matters into their own hands and implement some form of security that would deny access to such url's from google IP addresses.
>On December 30, detailed search queries [At Google?] showed that the sensitive information, in addition to files for an unpublished security tool, had been retrieved by the unknown party.<
Am I reading this right? Google employees casually check the Google search logs to see who (IP address, unique cookies etc) used specific search phrases?
The Lord and Scroogle help us :-(
Paris - because Michal Zalewski knows I searched for her on Christmas Eve.
Why do you think joyriders steal certain types of car? Because they are common, cheap, and purely protected. Lowest common denominator.
Once any OS achieves a reasonable market penetration it will very quickly come under the same level of attack as Windows. But given Windows has ~87% of the market, who'd go chasing anything but Windows.
I'm not defending MS - their stuff is leaky as hell and needs fixed or replaced. But don't be under the illusion that other OSs are bug and vulnerability free. If the same effort was focused on finding faults, far more would be discovered.
Ironic that Open Source Linux is essentially Security by Obscurity since it has such a limited user base :)
This is how Michal Zalewski himself sums up the matter : «[t]he pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely». I am aware that the US military and that country's foreign ministry, not to speak of legislators seeking votes and certain economists seeking brownie points, tend to portray the Chinese as their favourite bêtes noires, but do Reg columnist have to join the chorus ?...
Henri
Even if much of these allegations are fabricated, it won't matter too much because since Mao the Chinese have a functioning military the U.S. won't want to mess with. (see Korea)
From what I know out of non-government sources, Chinese IT equipment is indeed often laden with some sort of malware features. Think of IP-connected cameras streaming images home to their manufacturer and the like. Simple logging at the gateway will give them away, so their methods are still quite rough...