Post by CharlieChomper on Jan 15, 2010 6:42:55 GMT
I'm sure most people may have already heard about Google's recent problems in China over allegations involving attempts to break into their network (with all evidence appearing to be pointing toward the Chinese government) and other nefarious acts and the current thinking that the company may pull out of that country as a result of it (along with clashing ideological views involving matters of censorship and politics, which I won't get into here for obvious reasons...). However, it recently came out that part of how those who gained access to the compromised accounts were able to do so was through an exploit that exists within Microsoft's IE browser (it should be noted, however, that it was only one vector of entry that was used in the attack). The same exploit has been confirmed to exist in all versions of IE, including the most recent and going back to IE4, and regardless of what version of Windows is in use (including Win7). Likewise, Google was not the only company that was attacked. This has not been as publicized as the Google situation; however, it has been confirmed that Adobe and, at least, 32 other companies (which have so far admitted or have been confirmed--there is a fluctuating number of around 34 companies which may have likewise been affected; however, there is currently still some investigation taking place with them) have also suffered the same types of attacks with the main point of entry all being IE and with the attacks originating from within the Chinese government. Microsoft currently does have a deterrent in place with IE8 (which users would have to manually turn on). However, it is still very possible to get around it. So until Microsoft finally releases a fix for it, it's going to remain a problem.
Post by Jessica on Jan 15, 2010 12:15:08 GMT
Wow, I had no idea about this. Very interesting, CC. Thanks for posting it! My teachers at University always recommend that we use Firefox, Chrome, etc., instead of IE, not because either of them is better or worse but because IE, being the most popular, is the most attacked and vulnerable since hackers all over know about its security exploits and such. Guess that also applies in this situation.
Post by Kiri on Jan 17, 2010 14:02:55 GMT
That's very true, Jess. The less used it is, the fewer exploits it will have exploited.
Thanks for this, CC - I read on the BBC site that Germany is now telling its folks to not use IE because of this, much to Microsoft's chagrin.
Kiri
Post by CharlieChomper on Jan 19, 2010 9:38:13 GMT
It's only partly correct with respect to IE and the "known" exploits as far as why it often gets targeted more (same with its popularity).
In the latter situation (and ignoring the fact for a moment that IE's market share has actually been in considerable decline over the past several years to where it's no longer the most popular browser), the issue has been more with the view that it's supposedly "easier" to make an attempt upon IE.
Usually, most of the time that an exploit/vulnerability is located with any piece of software (regardless of who made it or what software--this also applies to open source projects just as much as it does proprietary/closed source software), if that problem is found either by one of the security groups, a researcher, or just someone who is honest or a student, there tends to be an understanding or strict protocol that's usually adhered to with a problem of where it's reported to whomever made the software, with instructions upon how to locate it to confirm it and usually with the understanding that the "maintainer" (or in a situation where it was a proprietary piece of software, the company which made it) would then go about repeating the exercise in locating it and then finding a way of fixing it and release a patch or sometimes just an upgrade (depending upon the nature of the problem and who it's by and how they choose to do things) to resolve the problem.
This all takes place without that information being leaked or made publicly available in any way before a fix of some type has been issued in hopes of avoiding any incidents or someone taking advantage of the situation--which is part of this protocol and understanding that's adhered to.
In the very rare instances of where someone (usually someone unaware of this or else just not thinking of the possible ramifications of their actions) has found a problem and then published it without notifying those who made the software, they're usually very quickly made aware of why the understanding and protocols exist.
It's also been the case in the past of where sometimes (usually companies--and not just Microsoft...) have tried to take what I'll call the "ostrich" approach to these situations (i.e., bury their heads in the sand and try and pretend the problem(s) doesn't/don't exist and just hope nothing comes of it or just deny the problem exists and think that because no one, outside of those who contacted them about it, seems to be aware of the problem it therefore shouldn't pose an issue)--or won't do anything about it until it actually does prove to be a problem and they end up having to sometimes deal with the aftermath or fallout from it or people complain enough to them about it.
It's partly in a case of the second situation as to when some of those who locate a problem (notably the security groups), if a problem is severe enough and/or has been known about for a long enough time to where there is very real concern over it being exploited, that they may try and force the hand (as it were) of the software maker and go public with the problem (but leave critical details out of it when doing so), partly in hopes that there may be either enough complaints lodged against them or the view that there may be enough of a threat to finally do something about it. However, I should also note that it's incredibly rare for that to actually happen--largely because of the threat involved in doing so (although, there are some, who identify themselves as "black hats" despite not truly being actual "black hats" (the actual "black hats" are those with more criminal or unethical/malicious intentions), who will publicize an issue in hopes of it getting resolved--however, it isn't an approach that's widely looked highly upon and it's never done so with a malicious intent).
In some cases, such as the exploit that was used in this situation with IE, it was previously unknown to anyone outside those who used it as an entry point. That's the scenario that has led to some concerns and why many of the security groups not only exist, but are as active as they are in trying to locate problems.
In other words, generally speaking it's not so much a question of outstanding exploits equating situations like this, as that information is normally not made public until after some type of fix or way of resolving it has been released. The issues with IE tend to be more of a combination or mixture of corporate politics and ways of doing things (to say nothing of their corporate culture, to some extent).
That said, it's historically been the case with IE of where for years, there has been a call not to use it in favor of other browsers (in fact, it's been almost a classic "battle" of sorts between IT/IS and security people versus users/members of management).