
No fix will come for most Windows XP users

Microsoft Corp. (MSFT) issued a security advisory and threat database entry this week after a flaw was discovered that affected virtually every active version of Internet Explorer (IE), from IE6 to the latest and greatest IE 11.
I. Who Isn't at Risk
The zero-day flaw was discovered by FireEye, which is known for its Mandiant division that assists corporate and government users with repelling attacks.  Many readers will recall that Mandiant assisted the U.S. government in identifying and tracking a sophisticated hacking squad within China's army -- Shanghai-based People's Liberation Army Unit 61398.
The exploit won't work on many corporate server installations: since Windows Server 2003, a mode called "Enhanced Security Configuration" (ESC) has been included, which sandboxes and restricts the privileges of the browser.  ESC is the default in all modern versions of Windows Server (since WS 2003), so unless you explicitly turn off ESC you should be safe.
Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open messages in IE, but even in consumer versions of Windows they do so in a restricted mode, which disables script and ActiveX controls by default.   

Outlook's and Windows Mail's restrictions prevent IE from being exploited via malicious links to sites with the freshly found IE flaw.

Those restrictions should eliminate the attack.  However, those using a third-party client such as Mozilla's Thunderbird with IE set as the default browser are still at risk.
II. How it Works
The flaw involves so-called heap feng shui.  The exploit is pretty sophisticated, involving loading, allocating and corrupting objects for the third-party Adobe Systems Inc. (ADBE) Flash plug-in via JavaScript (not to be confused with Oracle Corp.'s (ORCL) Java).  The script loads the SWF Flash object and makes a call to it after some setup, the Flash object calls back to JavaScript, and finally the JavaScript corrupts the Flash object.

The exploit takes advantage of a flaw in IE's handling of Flash objects. [Image Source: Adobe]

In the end you get a vector that can be used to point to arbitrary memory, effectively stripping away Windows' ASLR (address space layout randomization) and DEP (Data Execution Prevention) memory protection algorithms.  These algorithms are designed to prevent programs from looking at other programs’ memory for either snooping or memory injection purposes.
Again, here we run into a limitation of the bug -- it only allows unprotected memory access within the logged-in user's account.  So unless a logged-in administrator foolishly visits an attack page, the initial damage is limited.  However, a savvy attacker could bide their time and test other potential exploits after gaining user access, eventually working their way to root.
In that regard, the attack can be viewed as IE -- and by proxy, the Flash Plug-in -- granting the attacker a foothold in the system.

Every modern version of IE for client computers is at risk from the serious flaw.

Microsoft says this foothold can be used for a number of ill purposes, including:
  • viewing data
  • changing data (memory injection)
  • deleting data
  • keylogging
  • installing malicious programs
  • creating accounts to give attacker full user rights
III. Who is at Risk
Despite the aforementioned limitations (no root, limited opportunities for attacking Windows Server), the attack is still quite dangerous for a few reasons.
First, it's relatively rare to find a flaw that affects all versions of IE (but certainly not unprecedented).  Such flaws -- even if weaker in practice -- are a major threat by merit of IE's market share alone, which is typically spread over several recent versions.  FireEye estimates that over a quarter of Windows users browse using recent versions of IE and are vulnerable.
Second, the attack code does not need any sort of unusual offline tactics, so it's possible to host a webpage that performs the entire attack.  This opens a wealth of possibilities for click-baiting in emails, luring users to innocent-sounding URLs that are really attack pages.
Attackers could use click-baiting to draw users to malicious webpages that exploit the flaw. [Image Source: iStock Photo]

As mentioned, many enterprise users may not be at risk on the server side, but on the consumer and enterprise client side, it's a far different story.  If you use IE as your daily browser, you run the risk that any website you visit could exploit the flaw in the browser's security.
IV. Active Exploits Target U.S. Banks, Defense -- NSA? China?
Aside from the higher-than-normal threat level for the bug, another thing that makes this an attention-catching discovery is the fact that FireEye appears to have discovered the bug while probing an attack in the wild.  It has uncovered a series of attacks that it dubs "Operation Clandestine Fox".
FireEye's Vitor De Souza describes the observed attacks in an interview with Reuters, stating:

It's a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors.  It's unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.

Someone has been exploiting the IE flaw in the wild for the last year to target the U.S. banking and defense industry -- one prime suspect is China. [Image Source: DMM News]

At this point it is unclear who performed these attacks.  China has long been accused of carrying out attacks on the U.S. financial and defense sectors.  But the issue became muddled by recent disclosures of spying by the U.S. National Security Agency (NSA).
The details of the NSA's spying campaigns make it clear that determining the attacker is now a much harder matter, as the NSA often reportedly targets American businesses and citizens alike with attacks, which it claims protect national security.  Some of these attacks are routed through servers housed in regions known for cyber-aggression such as China, raising the risk of false identification (likely the intention).  
Likewise, the NSA regularly uses networks of infected computers (botnets). The NSA has been accused of exploiting for nearly two years the recently discovered flaw in the OpenSSL encryption protocol's heartbeat feature, a flaw popularized in the media under the name "Heartbleed".  While the NSA denied those claims, its internal slides do indicate that it targets the financial sector and that it stockpiles zero day vulnerabilities designed to escalate privileges and/or bypass encryption.

The NSA is another possible perpetrator of the attack. [Image Source: Occupy]

Thus at this point the attacker in this campaign to exploit IE's Flash and scripting flaw appears to be highly sophisticated, pointing to a handful of the usual suspects -- the NSA, China, and Eastern European cybercriminals.  Whoever's behind these attacks, though, FireEye says it believes they have been going on for about a year now.

V. Patching Outlook and How to Protect Yourself

Microsoft is working to patch the flaw in newer versions of Internet Explorer and Windows.  But many users of Windows XP -- the most used operating system of the last decade -- are in the dark after support for most SKUs of Windows XP ended earlier this month.  Point-of-sale versions of Windows XP are being maintained, and Microsoft has pledged to offer proprietary fixes to a handful of large enterprise users willing to pay it a ransom for the ongoing support.  However, for the majority of XP users -- including enterprise clients -- no fix is in sight.

The Windows OS maker's suggestion to customers at risk is to upgrade to a newer version of Windows such as Windows 7 or Windows 8.

Microsoft says the flaw -- which will not be patched on most Windows XP installations -- is one more reason to "turn off" Windows XP and upgrade.

For those who refuse to give up XP, there are some easy steps that can be used to protect against the attack:
  • Don't visit untrusted webpages, and don't click on links in email; instead navigate to webpages yourself (this should protect in almost all cases, but requires constant discipline and vigilance)
  • Disable the Flash plug-in
  • If you do click URL links in email, only do it in Outlook (which is protected), not in third-party clients
  • Stop using IE altogether -- adopt a third party browser (e.g. Firefox) that isn't at risk
Any or all of those strategies should protect users on recent platforms who are waiting for a fix, and users on the dying Windows XP platform, which may never receive a fix.
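
The checks below are an added example, not part of the original article or Microsoft's advisory: a read-only PowerShell audit of the protections discussed above (ESC on servers, the Flash plug-in, and which browser opens mail links). The function names are hypothetical, the registry locations and CLSIDs are the standard Windows ones rather than values from the article, and the ActiveX kill bit is assumed here as one administrative way of disabling Flash in IE.

```powershell
# Added example: read-only audit of the mitigations discussed in this article.
# Registry locations are standard Windows ones (assumption: not from the article).
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # Flash ActiveX control
$EscRoles = @{
    'Administrators' = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding([string]$Check, [string]$State) {
    New-Object PSObject -Property @{ Check = $Check; State = $State }
}

function Test-IeEsc {
    # ESC exists only on Windows Server; a missing key suggests client Windows.
    foreach ($role in $EscRoles.Keys) {
        $path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\' + $EscRoles[$role]
        $val  = Get-RegValue $path 'IsInstalled'
        if ($null -eq $val)  { $state = 'not present (client OS?)' }
        elseif ($val -eq 1)  { $state = 'enabled' }
        else                 { $state = 'DISABLED' }
        New-Finding "IE ESC for $role" $state
    }
}

function Test-FlashKillBit {
    # Kill bit = bit 0x400 in "Compatibility Flags"; check the 64- and 32-bit views.
    foreach ($root in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        $base = "HKLM:\$root\Microsoft\Internet Explorer\ActiveX Compatibility"
        if (-not (Test-Path $base)) { continue }
        $flags = Get-RegValue "$base\$FlashClsid" 'Compatibility Flags'
        if (($null -ne $flags) -and ($flags -band 0x400)) { $state = 'kill bit set' }
        else { $state = 'NOT SET (Flash can load in IE)' }
        New-Finding "Flash ActiveX kill bit ($root)" $state
    }
}

function Test-DefaultBrowser {
    # Vista and later record the per-user http handler here; XP does not.
    $path   = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
    $progId = Get-RegValue $path 'ProgId'
    if ($null -eq $progId)        { $state = 'unknown (no UserChoice key)' }
    elseif ($progId -like 'IE.*') { $state = "IE is default ($progId): mail links open in IE" }
    else                          { $state = "third-party default ($progId)" }
    New-Finding 'Default http handler' $state
}

@(Test-IeEsc) + @(Test-FlashKillBit) + @(Test-DefaultBrowser) |
    Format-Table Check, State -AutoSize
```

The script only reads the registry. A Flash plug-in disabled per user through IE's Manage Add-ons dialog is not detected by the kill-bit check.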

Sources: Microsoft [TechNet Security Advisory], FireEye [Blog], Reuters

Comments

RE: Happy Alt browsers
By tayb on 4/29/2014 1:22:38 PM , Rating: -1
The "liberal agenda" bullshit remark is the same remarks people used to make about integrating schools or allowing women and minorities to vote. How many times do you idiots have to be on the wrong side of history before you figure it out? Clearly at least once more.

There is no "liberal agenda" there is simply a morally right agenda and a morally wrong agenda. Refusing state and federal benefits to same sex couples is morally repugnant. Take your idiotic religious views elsewhere. In the United States of America all men and women are created equal and are afforded equal protection under the law. That is the United States Constitution. I'm not sorry if you disagree with it.

If you don't like gay marriage don't marry a gay man. Problem solved. Otherwise just shut the fuck up about it and stop violating the constitution.

RE: Happy Alt browsers
By MrBlastman on 4/29/2014 1:58:50 PM , Rating: 2
There is no "liberal agenda" there is simply a morally right agenda and a morally wrong agenda.

Like hell there is not! Who are YOU to determine what is morally right and morally wrong for ME?

Newsflash: Morals are set by cultures and groups, not entire societies! In fact, these belief systems tend to vary. My system of values is not yours nor is it something for you to push on me.

You are not the thought police. You do not choose what I must like or not like. I can have my opinion, like it or not.

If you don't like gay marriage don't marry a gay man. Problem solved. Otherwise just shut the fuck up about it and stop violating the constitution.

I won't until people I disagree with stop assaulting my own view. Someone has to speak up. If they didn't want to receive flak--and weren't prepared for it, they should have stayed quiet, accepted the nice compromise of Civil Unions that would apply to gay and straights alike, leaving the Churches the ability to bestow marriage?

Funny thing about that though--everyone wants it all. They want to take one hundred percent and not a sliver less. That's not compromise, that's not democracy, that's not the process our Nation was founded upon! That is lunacy! My little middle-of-the-road suggestion... The Gays hate it and the Straights hate it.

But when you think about it, aren't the best compromises built upon a foundation made from dislike by one another? If both parties hate it then that means there is just enough squeeze there to create true equality and a fair and equitable solution for everyone.

We won't see it happen. That's because everyone is nuts, and much like Veruca Salt, they want it all, they want it now and if they don't watch out, might all be tossed down the trash chute in the end.

Take your idiotic religious views elsewhere.

Baseless attack. Assumption. Minus three points for oxygen starvation. Once again, trying to win an article with zero evidence based on fact.

"Oh no! He said something offensive! Well he must be one of those nutballs!"

I never once said I was Religious. If I am or am not is irrelevant. My compromise above forces Religious and Non-Religious alike to accept a middle, equal ground fraught with sacrifice.

At the same time, I can say with much certainty it IS a Liberal Agenda given how forthcoming LGBT pundits and proponents have been on their political positions.

Say, when you play poker, you like looking at the back of the cards? I swear you do. I can see your entire hand before you look at it!

RE: Happy Alt browsers
By KCjoker on 4/29/2014 6:24:02 PM , Rating: 2
Well said.

RE: Happy Alt browsers
By Tegeril on 4/29/2014 7:30:21 PM , Rating: 2
they should have stayed quiet, accepted the nice compromise of Civil Unions that would apply to gay and straights alike, leaving the Churches the ability to bestow marriage?

False premise. Churches were never the entity bestowing marriage. They had officials that could perform marriages that were then filed with state governments. Lawyers, ship captains, in some states *everyone* can perform legal marriages. Those people weren't performing legal "civil unions."

RE: Happy Alt browsers
By Fujikoma on 4/29/2014 7:35:00 PM , Rating: 1
Your reply is in error.
Marriage in the U.S. is a civil act and does not resemble traditional jewish/christian/islamic marriage (religious versions treat women as property... something that society has changed over time). Marriage, as an institution, existed long before these religions came into being, further removing these religions from laying claim to that institution. Having 'civil unions' (in addition to 'marriage') is a direct violation of the 14th amendment (equal protection clause). Changing all laws on the local/state/federal level to say 'civil union' instead of 'marriage' doesn't make any sense, since 'marriage' is already the correct term used by the legal system AND the cost of such a change is as ridiculous as your suggestion that this would be an acceptable alternative. Allowing gay marriage just adds gays to that list of acceptable legal descriptors. No different than Loving versus VA affected marriage between blacks and whites.
You also don't understand what type of government the U.S. has. It is a democratic republic, which means that minorities are afforded the same rights as the majority. There is no vested government interest in discrimination against gays (the minority group) because another group (no longer a majority) can't handle two same sex individuals that want to marry. Just because the majority has unjustly denied rights to minorities in the past, is no reason to continue in the present. The Constitution applies its protections to all U.S. citizens, not those who feel that they are morally superior to others.
You also don't understand biology, as homosexuality is a normal component among multiple animal species. It is not wrong, even if it doesn't comprise the majority of sexual orientation identifiers. Homosexuality isn't a moral position. The percentage of homosexuals, in our population, has been an acceptable evolutionary component... the proof being our current existence.
Also, it is not a liberal agenda for gays to marry. It's a human rights thing. It's an equality thing.

RE: Happy Alt browsers
By Nutzo on 4/29/2014 2:00:20 PM , Rating: 2
And calling a same sex relationship "marriage" is also morally repugnant to many people.

And yes, there IS a "liberal agenda", which is largely an attack against religious people and their beliefs. Based on your comment about "idiotic religious views" you also seem to have the same blind hatred for religion.

Why do they have to change the definition of marriage, an institution that goes back thousands of years?
Simply granting the same benefits, and calling it something other than marriage would have run into much less resistance.

But that wouldn’t have furthered the “liberal agenda” of destroying the very institutions that built this country.

RE: Happy Alt browsers
By FITCamaro on 4/29/2014 2:33:41 PM , Rating: 2
The "morally right" thing to do would have been to allow a free person to follow his beliefs and not crucify him because they don't coincide with your beliefs.

How about we get rid of all state and federal benefits for married people? Because the government shouldn't have any say in it. Why do we need the government to allow us to be on an insurance policy together? If a company wants to sell me a joint policy, they should be able to. If I want to specify someone as being my emergency contact, I should be able to without a marriage license. You can draw up a will with anyone being your beneficiary regardless of relation or marital status.

You're kidding yourself if you think liberals don't have an agenda. I have an agenda. Everyone does. The true liberal agenda is to destroy marriage completely. And they're doing a fabulous job. I just got married two weeks ago. Me and my wife would be far better off financially if we didn't get married. Once we have kids she'd get an EIC credit. We'd be able to get "free" benefits for our kids, food stamps, etc. The tax benefits we get from being married are pretty much nil compared to the government benefits we'd get from remaining single. Mainly once we had kids.

All men and women are created equal. But the government limits certain benefits to different groups all the time. In the end it's all wrong either way (at least at the federal level) because they have no authority to do any of it. Taxes are supposed to be levied equally on everyone. They're not. Half the nation pays nothing while a large percentage of that half gets benefits paid for by taxes they never paid themselves.

RE: Happy Alt browsers
By MrBlastman on 4/29/2014 2:44:24 PM , Rating: 2
Congrats on the marriage!

RE: Happy Alt browsers
By lexluthermiester on 4/29/2014 7:05:03 PM , Rating: 2
How many times do you idiots have to be on the wrong side of history before you figure it out? Clearly at least once more.

Ya, clearly, choosing a moral ideal is the same thing as denying statutory rights based on race or nationality or gender.

In the United States of America all men and women are created equal and are afforded equal protection under the law. That is the United States Constitution.

FYI genius, marriage is NOT a constitutionally protected right, it is a privilege, and is denied very often. Children are not allowed to marry, relatives are not allowed to marry, a person is not allowed to marry a dead person, a person is not allowed to marry an animal, a person who has been declared mentally incompetent may not marry at all and so on.

YOU are the one that needs to S.T.F.U. People like you are the very reason today's society has many of its problems and the very reason why a very capable and effective business person was removed from his very well earned CEO position at Mozilla. Lynch-mob tactics. You and those like you are the reason why this world is being wrongly influenced and controlled by fear-mongering and spoiled-brat mentalities. Grow up, stop whining and screaming like a child and get a clue.

RE: Happy Alt browsers
By Fujikoma on 4/29/2014 7:46:17 PM , Rating: 2
There's no Constitutional right to not being murdered either... but there is the 14th Amendment which protects a group from being denied rights for no real reason.
Your examples are amusing, as religion allows adults to marry children (or a rapist to marry their victim), relatives to marry each other, the living to marry the dead, humans to marry animals and those who are mentally incompetent to be married.
Society created laws to restrict those, that can't protect themselves, from being taken advantage of. Two gay people wanting to marry each other doesn't fall into your false premise.

RE: Happy Alt browsers
By lexluthermiester on 4/29/2014 8:02:43 PM , Rating: 2
Those thoughts are your opinions. They are not backed by legal statute, nor PROPER interpretation of Constitutional decree.

Homosexuality is a functional abnormality, or dysfunction, of the human equation. This is irrefutable science fact.

Furthermore your argument contradicts itself. Marriage is a privilege, not a right. So the 14th amendment does NOT apply here as we are discussing a privilege not a statutory right.

Your opinion has no basis in fact, legal or scientific.

RE: Happy Alt browsers
By Flunk on 5/2/2014 4:47:42 PM , Rating: 2
If you're not gay how does this affect you? Why would you ever care?

RE: Happy Alt browsers
By Argon18 on 4/29/14, Rating: 0

Copyright 2015 DailyTech LLC.