Linked by Thom Holwerda on Mon 18th Jan 2010 22:00 UTC
Internet Explorer Ah, the security vulnerability that was used in the Google attack. It's been around the internet about a million times now, and even governments have started advising people to move away from Internet Explorer. As is usually the case, however, the internet has really blown the vulnerability out of proportion. I'll get right to it: if your machine and/or network has been compromised via this vulnerability, then you most likely had it coming. No sympathy for you.
Thread beginning with comment 404781
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Technet is not to be trusted
by kragil on Mon 18th Jan 2010 23:18 UTC in reply to "RE: Technet is not to be trusted"
kragil
Member since:
2006-01-04

So you are the security expert now? I found this article to be really weak and fanboish. That is why I started to a quick Google search.

And well, I hate to break it to you but IE7 has been cracked:

http://twitter.com/george_kurtzCTO

And it is looking bad for IE8:

http://twitter.com/dinodaizovi

And that is just one day after the release of the first exploit, once security is breached you get new attack vectors and new exploits are possible. It is not like DEP etc. always migitates everything 100%. It just helps.

Reply Parent Score: 3

nt_jerkface Member since:
2009-08-26

So you are the security expert now? I found this article to be really weak and fanboish.

I found it to be a refreshing assessment instead of one of many sensationalist articles that focused on the government warnings and not who exactly is at risk.


And well, I hate to break it to you but IE7 has been cracked:

Because some people on twitter say so? That isn't proof.

Reply Parent Score: 2

Bryan Member since:
2005-07-11

Well, those people are the CTO of McAfee and the white hat security researcher who's actually trying to expand upon the exploit, so they shouldn't be dismissed outright. Granted, the CTO points to a YouTube video on how McAfee software can block this exploit, so you could argue he's got an agenda. But that doesn't change the fact that the researcher has been able to get as far as read-only access to the system through IE7 on Vista. Hopefully, protected mode won't be easy to break out of, but still Microsoft needs to patch this ASAP. Mechanisms like DEP and protected mode are meant to be extra layers to mitigate the impact of exploits, but not long term substitute solutions. (Although after this incident, I would like to see an additional patch to opt-in IE7 to DEP by default; it probably couldn't be done in IE6 due to the same compatibility issue that have kept them from upgrading to newer versions.)

Reply Parent Score: 1

kragil Member since:
2006-01-04

Those "some people on Twitter" are a real CTO of a very big computer security company and a real security researcher with lot of creds.(Just google him, he won numerous hacking contests and has a long list of research)

They are the real thing, they don't pretend to be security experts on the internet.

Reply Parent Score: 2

abraxas Member since:
2005-07-07

I found it to be a refreshing assessment instead of one of many sensationalist articles that focused on the government warnings and not who exactly is at risk.


You don't know much about security then. As I mentioned before ASLR, DEP, and protected mode are great ideas but if their implementation is poor (and it is in Windows) then they are useless in the grand scheme of things. Less experienced hackers may not be able to crack Windows protection schemes but they are still vulnerable.

Reply Parent Score: 2

Karitku Member since:
2006-01-12

Again those guys did it on XP without DEP. IE8 enables DEP by default so it will be much harder. Btw main reason why IE7 didn't have DEP enabled by default? Third party ActiveX component, try guess which ;) .

Reply Parent Score: 2

cb_osn Member since:
2006-02-26

Again those guys did it on XP without DEP. IE8 enables DEP by default so it will be much harder. Btw main reason why IE7 didn't have DEP enabled by default? Third party ActiveX component, try guess which ;) .

The Java plugin. With DEP enabled, the JIT engine would dump generated machine code into memory pages marked with the NX bit and then attempt to execute it causing the JVM to crash.

Reply Parent Score: 2