Microsoft admit Internet Explorer to blame for Google's China problems

Mikey 18 comments

You just know I couldn't let this news go by unnoticed. Microsoft have admitted that the reason Chinese hackers were able to gain access to systems and cause all the havoc that will probably lead to Google closing operations and severing ties with China was a security flaw in the Internet Explorer web browser. Now you know why I've always affectionately called it Internet Exploiter.

Mike Reavey at the Microsoft Security Response Centre said:

"Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks"

He added:

"Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution."

Only when it's met the quality bar for broad distribution?

Anyhoo, continuing: Microsoft have posted a bulletin about the security flaw, which they say affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Isn't that pretty much all of them? Nearly. All those people still using Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 are unaffected.

Any security expert or aficionado would have guessed IE6 was at fault, and Google are certainly smart enough to know. But it raises the question of who is to blame: Microsoft, for continuing to support an outdated web browser which they themselves recommend people not use, even in favour of a competing browser, or Google, for not being proactive enough given IE6's renowned lax security. Or maybe no-one is to blame and this is just what we should expect when the big boys play online.

Whichever way you look at it I can't see any lawsuits on the horizon, but it's got to annoy the heck out of Google even just a little.

Just as a side note, I just checked Microsoft's IE6 update page and was tickled to see this message: "Download it now to start experiencing the best of the Web".

Sure, I'll get right on that.

Rodney

Sunday 17th January 2010 | 11:01 AM
340 total kudos | 6 for this comment

While I agree with you in principle, Mike, this case isn't really about MS being at fault. You know who's actually to blame, here? The Chinese government for authorising, funding and directing the hacks.

Excuse my long posting. :-p

We can say MS IE6 is insecure (and it is) but there are almost certainly other reasons why it's still in use - such as the ActiveX components embedded in it, etc, may be required by some old internal application which the company hasn't yet provided a budget to upgrade. This is a very common story in large companies (IE6 is still in use because it's too expensive to update).

You & I can easily switch to FF or Chrome or update our IE. Other companies, one of which I've worked with as a consultant (and which happens to be one of the largest companies on Earth), see migrating off IE6 as a massive cost that would require the rewrite of most of their core applications. As it has nothing to do with core business, it therefore provides no immediate financial benefit. Their staff are not supposed to open attachments from people they don't know and they're supposed to be trained in basic "safe IT use", etc. Plus they're meant to be protected by other measures. They're not supposed to browse non-work sites, etc. So management sees migration off IE6 as a damn low priority. If everything else was working, they shouldn't need to update (from a security vs expenditure POV).

This story isn't really about the failings of IE6. Or even Adobe Reader (which was also exploited in the same attack, to gain access). It's about a fundamental breakdown of basic IT policies which allowed key staff to open attachments from strangers and then failed to notice anything going wrong after that.

It shows a clear case of "eggshell" security, in which once the hard outer shell is penetrated, there's nothing left to protect the soft, gooey goodness inside. Someone can always be relied upon to do something dumb and install a trojan on their PC. The real security failings here are:
a) Why a known virus (it was only a '0 day exploit for 1 day, after all') was allowed to reside on so many machines for so long - do they not do scheduled scans or ever update definitions?
b) Why persistent and large volumes of network traffic were allowed to flow from people's desktop PCs to external IPs, presumably through a monitored proxy, without someone noticing.
c) Why active security measures on desktop PCs did not notice self-originating OUTBOUND traffic to non-registered IP addresses. Any security system should notice that the PC is dialling home; hell, even the free XP SP2 firewall will tell you (paraphrasing) "an application is trying to access the network for the first time, do you want to allow it?"
d) Why individuals had access to so much information and power across so many internal groups. If they are IT admins, they should have known better on points a through c.

I could go on and on but by now, have already broken the rule that comments should be short and to the point. :-P

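Points (b) and (c) above describe a detection that a monitored proxy should have made: a desktop PC talking to an external address over and over, at a steady rhythm, for hours. The script below is an added example (not code from the post, its commenters, or any product they mention) of that check run over a handful of constructed proxy log lines. The log format (epoch time, source IP, destination IP, bytes) is a simplified Squid-style access log and an assumption; the list of internal networks stands in for the "registered" addresses a company would know about. A source/destination pair is flagged when it shows up at least five times with nearly constant spacing between connections, which is what a beacon looks like and what ordinary browsing does not.

```python
"""Beacon detection over proxy logs.

Added example, not from the original page. The log lines and the internal
network list are constructed for this demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample. 10.1.2.7 contacts 203.0.113.5 every 60 seconds with
# near-identical request sizes (a beacon); 10.1.2.3 browses the intranet and
# hits a few unrelated external hosts once each (normal noise).
SAMPLE_LOG = """\
1263770000 10.1.2.3 10.1.0.10 1200
1263770000 10.1.2.7 203.0.113.5 512
1263770060 10.1.2.7 203.0.113.5 512
1263770120 10.1.2.7 203.0.113.5 514
1263770180 10.1.2.7 203.0.113.5 512
1263770240 10.1.2.7 203.0.113.5 513
1263770300 10.1.2.7 203.0.113.5 512
1263770010 10.1.2.3 10.1.0.10 8800
1263770033 10.1.2.3 198.51.100.20 3000
1263770400 10.1.2.3 198.51.100.21 700
1263771900 10.1.2.3 198.51.100.22 650
"""

# Assumed address plan: anything inside these ranges is "registered" and
# expected; everything else is external and worth counting.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, nbytes = int(parts[0]), int(parts[3])
            src, dst = ip_address(parts[1]), ip_address(parts[2])
        except ValueError:
            continue
        records.append((ts, src, dst, nbytes))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs that look like a host dialling home.

    Only destinations outside INTERNAL_NETS are considered. A pair is a
    beacon candidate when it has at least min_hits connections and the
    coefficient of variation of the gaps between them is at most
    max_jitter (i.e. the connections are regularly spaced).
    Returns {(src, dst): (hits, mean_interval_seconds, total_bytes)}.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in records:
        if is_internal(dst):
            continue
        flows[(str(src), str(dst))].append((ts, nbytes))

    beacons = {}
    for pair, events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = (len(events), avg, sum(n for _, n in events))
    return beacons


def report(text):
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (src, dst), (hits, interval, total) in report(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} connections, one every ~{interval:.0f}s, "
              f"{total} bytes total")
```

Real logs carry jittered timers and hosts that talk to a handful of rotating addresses, so in practice the jitter threshold is loosened and destinations are grouped by resolved domain or netblock rather than single IP; the point of the example is that the raw material for catching this was already sitting in the proxy log.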
Marvin the Martian

Monday 18th January 2010 | 05:29 AM
105 total kudos | 1 for this comment

...in response to this comment by Rodney. While I wholeheartedly agree with you regarding the Chinese government's involvement, I can't help but wonder if there is something more sinister here. While I love a good conspiracy, when I read the story, I immediately thought that MS might have left holes out there specifically to affect their competition.

Maybe, maybe not.

As for the continued support of IE6... as a web designer, I am utterly repulsed by the fact that MS has not forced people to update to IE7 at least! Forcing all of us to support a useless browser.

MS needs to get with the program. IE9 better be standards compliant and MS better start forcing browser upgrades. It is in their own best interest, not to mention the interest of the rest of us.

Mikey

Monday 18th January 2010 | 07:59 AM
235 total kudos | 1 for this comment

The exploit code has apparently been released: http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222301235

Rodney

Monday 18th January 2010 | 08:01 AM
340 total kudos

...in response to this comment by Marvin the Martian. Hi Marvin,

If you read my comment above, you'll see the chief reason *why* people haven't upgraded - and it's not MS's fault. MS *want* people to update. They advertise and push people off IE6 as hard as they can, while still being reasonable. They know it's in their best interest and therefore try to encourage people to upgrade - but still support their existing customer base.

Corporations, however, who need to worry about costs of things rather than just doing them, resist. MS therefore support all as well as they can. They're actually being very reasonable about all this.

In any case, the key entry vector in this attack was social engineering in email attachments, followed by exploiting Adobe Reader, not IE6. IE6 was really point number 3 in the sequence.

Mikey

Monday 18th January 2010 | 08:04 AM
235 total kudos

...in response to this comment by Marvin the Martian. "As for the continued support of IE6... as a web designer, I am utterly repulsed by the fact that MS has not forced people to update to IE7 at least! Forcing all of us to support a useless browser."

Ditto. MS's only excuse for not killing it is they are bound by the legal agreement between them and WinXP users, which requires them to officially keep IE6 alive until the end of the XP lifecycle (http://support.microsoft.com/gp/lifesupsps/), even if it is at the cost of security.

Rodney is right though in that a lot of this is actually due to fundamental breakdowns of IT policies, but IE6 does open the door a lot wider.

Marvin the Martian

Monday 18th January 2010 | 10:19 AM
105 total kudos

...in response to this comment by Rodney. I think Mikey made my point for me on the IE6 case. The fact is that MS should never have agreed to continue to support IE6. It is totally flawed and like other manufacturers, they should FORCE people to upgrade if need be.

This is not just an issue relating to this post, nor is it completely selfish. IE6 is a bane on the internet.

Social networking is quickly becoming another blight on the internet. Most people online have no idea what goes into a website, nor do they appreciate how vulnerable they really are. If they did, perhaps they would take more care to keep their software current.

Aside from the rant above, I strongly support Google's choice to stop filtering, regardless of the reasons for it. The internet is the voice of the world. It gives us each the ability to share our thoughts and ideas, collaborate on projects and ultimately make us all feel close together. While it isn't the be-all and end-all, it is the beginning.

Rodney

Monday 18th January 2010 | 11:54 AM
340 total kudos

...in response to this comment by Marvin the Martian. I understand your POV and in principle agree with you, but how do you force people to upgrade? The quote for the company I consulted to, to upgrade off IE6, ran in excess of $64 million - and that's the project quote. Imagine the actual cost, after blow-out. How can MS say "you will now have a $64 million dollar bill (from another company) because we are going to force you to pay it"? And how could they force it, anyway? Not every company is 3 people in 1 room, and software updates can and do break things that companies consider far, far more important than security on Facebook and other sites employees can't get to, anyway.

It's not company x's fault, because they developed systems to meet purpose, some years ago, with the tools they had. And it's not MS's fault, because IE6 is still supported and was believed to be secure when released. When faults are found, they're fixed. Eventually, they will phase off it, one application at a time but at those costs, they need years to prepare, justify and budget and to spread the cost out.

I hate IE6 just as much as the next man. I have IE8 on this PC but never use it (on purpose). But I do acknowledge that there's a reason other people use it and will continue to do so and we need to be practical and pragmatic about it. Unfortunately, there are many bad IT products out there that we must continue to support and work with. This is why we need mitigating factors to manage them.

Marvin the Martian

Monday 18th January 2010 | 12:25 PM
105 total kudos

...in response to this comment by Rodney. August 25th, 2001. That was the launch date of IE6. Not only that but there are now 2 newer versions available. I just don't see the justification for it. Of course companies are going to have to spend money to make their software work with newer versions of 3rd party software... that is just a fact of business. To put your company's security at risk with a browser with severe security and compatibility issues is just plain stupid.

The cost of upgrading can be written off by the company over time as well. I just don't accept the excuse. Sorry.

aries

Monday 18th January 2010 | 12:42 PM
55 total kudos

Maybe the company at fault, Microsoft, also one of the richest companies in the world, should be providing the necessary upgrades for free? I mean isn't that how it works in the real world? If Bunnings sell me a crappy lawnmower they replace it or refund it, same with car manufacturers or anyone else for that matter. So why does Microsoft get off scot-free when by its own admission (and not for the first time) its product is faulty?

Just my uneducated opinion, sorry but I don't do geekspeak so well!!! ;)

Love ya Mikey... xxx

Marvin the Martian

Monday 18th January 2010 | 01:24 PM
105 total kudos | 1 for this comment

...in response to this comment by aries. I think Rodney is talking about the 3rd party costs, like an intranet or specialized software that only works with IE6. In that case, the company, not MS, would carry the burden of the upgrade costs for those 3rd party software upgrades.

aries

Monday 18th January 2010 | 01:54 PM
55 total kudos

see, I told you I don't do geekspeak!!!

Rodney

Monday 18th January 2010 | 02:18 PM
340 total kudos

...in response to this comment by Marvin the Martian. The date of release is irrelevant. How old is your car? If it's not the very newest, safest car on the market, then you're being "just plain stupid" by risking your family and others by not immediately upgrading to the latest, safest car. The cost is irrelevant. Just go and do it right now and write it off over time. Then do it again next month.

But in the real World, the cost is not irrelevant. Let me tell you about the company I am speaking about. They have well over 200,000 PCs in their fleet. Well over. They don't do IT though; their line of business is raping the environment and that's pretty much all they care about. As long as the hole is being dug and the dirt is being shipped, they couldn't care less about anything else.

However, their staff cannot access the internet directly. They can only access their internal Intranet, with some exceptions. Some privileged staff have a little higher levels of internet access but that's about it. Even this traffic is through a proxy, which scans all traffic. Users cannot download files, either - all downloads are saved to a central point, checked and only then approved to the user - even if you initiate this download yourself through the browser (the proxy enforces this). They get limited emails and these come in and out of a centralised server, all emails world wide travelling through the US, where they're scanned and checked, etc. Users cannot bring in disks, USB keys, etc from home - those devices are removed or disabled. Users cannot save files to their own C drives and cannot install programs or modify their IT setup at all. Where does IE6 expose them unduly, in this model?

IE6 works in this environment. Why should they upgrade? Put it in terms that would make sense to management. If all the above is adhered to appropriately, where is the risk? What are they going to connect to, in this environment, to risk their network, that IE6 would be a disaster to use?

How could you explain to management of this company that their toolset, which to all intents & purposes appears to be working perfectly, should be upgraded at the cost of some $64 million, for no reason other than "IE6 is teh gayz"? What am I getting for my 64mil? A 100% foolproof browser that I can allow everyone to do whatever they want wherever they want to? Hell no. The very best they could get is exactly what they've already got with a slightly newer logo. Hardly a compelling case for the spend, is it?

Marvin the Martian

Monday 18th January 2010 | 02:59 PM
105 total kudos

...in response to this comment by Rodney. In that VERY specific example, with a VERY narrow focus... In the case you are describing the bug in IE6 wouldn't matter and the company wouldn't care about MS support anyway. Your example just doesn't make real-world sense in terms of this particular conversation. We are not talking about a company who isolates their workers to that degree... we are talking about companies that allow their staff to use the internet, allowing hundreds of staff to surf Hotmail, Facebook and Google their own stupid names to see if anyone loves them.

We are talking about the 90% stupidity factor in this business where someone who gets an attachment in their email (even at work) that tells them that there are naked photos of some celebrity attached, will open the @#$*& email!

We are talking about a company potentially exposing trade secrets, company employment files, legal documents, EFT details and much more, because they are too cheap to upgrade to a 'working' product. I don't buy it.

As for your car analogy, if there was a serious security or safety issue, there would be a recall. No car manufacturer would allow a flaw of this magnitude to lapse, since they would be held liable. Software developers are not held to that standard. Your analogy is flawed as you are not comparing apples with apples.

aries

Monday 18th January 2010 | 03:05 PM
55 total kudos

...in response to this comment by Rodney. "They can only access their internal Intranet, with some exceptions. Some privileged staff have a little higher levels of internet access but that's about it. Even this traffic is through a proxy, which scans all traffic. Users cannot download files, either - all downloads are saved to a central point, checked and only then approved to the user - even if you initiate this download yourself through the browser (the proxy enforces this). They get limited emails and these come in and out of a centralised server, all emails world wide travelling through the US, where they're scanned and checked, etc. Users cannot bring in disks, USB keys, etc from home - those devices are removed or disabled. Users cannot save files to their own C drives and cannot install programs or modify their IT setup at all."

Hey, is your client the Chinese government??? HAHAHAHAHAHAHAHA

Rodney

Monday 18th January 2010 | 04:20 PM
340 total kudos | 1 for this comment

...in response to this comment by Marvin the Martian. Those conditions are pretty standard, in big business. That client is not alone in treating its staff like that. And considering the 33 companies attacked in this example were similarly large, it's safe to assume they have similar IT policies. Most big companies do.

As for the car analogy, it does hold. You're saying IE6 is less secure than IE8, so people must upgrade now. I am saying that by your logic (i.e. that money should not be a consideration because it's "the cost of doing business") your car is less safe than the latest, so you should upgrade now. You're saying money is irrelevant and I am pointing out money is never irrelevant. Plenty of cars out there are downright unsafe, when compared to the competition and yes, there are *patches* to improve car safety (better seat belts, etc, etc). So the analogy does hold.

In any case, my point has never been that people who can upgrade should not. My point was simply that it's not as easy as you make it out to be. All I was trying to say is that big business doesn't hold off upgrades because they're a bunch-o-tards or because they just really love IE6 - they hold off because they have no compelling reason to change right now that they can get funding approval for. And you still haven't provided one. In your example above, re email attachments, IE has nothing to do with it. Companies don't generally worry about staff googling their names and clicking on just anything because companies have proxy servers and other devices to keep the user at arms length from the nasties. Companies who let "hundreds of staff" access the internet without a proxy server are, shall we say, "rare".

In any case, if you read the (published) details of these hacks, in several cases, the companies were exploited by an Adobe Reader PDF exploit, not an IE6 exploit. A range of exploits were used.

As for Microsoft's behaviour, what would you have them do? They already *do* enforce upgrades by automation. Companies such as the one in my example have to block them - the average Joe is upgraded to IE8 without even knowing it - WindowsUpdate just does it (it's a critical update). What more exactly do you expect them to do?

[Overall, I agree with you and, as a security professional, it drives me absolutely wild when people don't patch and don't update - especially when they cry foul when something has gone wrong. I just wanted to make the point that there are often very good reasons why people cannot do this and the bigger the company, the more likely this is to be the case. The bigger the boat, the longer it will take to turn it around.]

Rodney

Monday 18th January 2010 | 04:22 PM
340 total kudos | 1 for this comment

...in response to this comment by aries. No it's Senator Conroy's office. :-P

Marvin the Martian

Monday 18th January 2010 | 04:52 PM
105 total kudos | 2 for this comment

...in response to this comment by Rodney. What should be done is simple. Stop supporting software that is out-of-date (by that I mean seriously beyond its lifecycle) and stop offering patches. If there is no way to fix an obvious problem, people will be forced to update to a more secure version (it's MS, so more secure rather than just secure).

I still believe the car analogy is false. If I owned a car that had an obvious flaw like spontaneous combustion, I would get a better one. If I had a car where the security system was, like MS, just leave the doors and windows open, then I would get a new one. That being said, my problems with your analogy still beg the question.

Car manufacturers have people's lives in their hands and therefore are held to a higher standard. What we have all become used to with technology is that it breaks and to fix it, you often have to buy newer, more up-to-date systems (a generalisation but I think my point is made).

I think we are both in agreement here. People should keep their systems up-to-date at all times. While this will not protect you completely, it is the best defense against intruders.

While I concede that multi-national organisations typically will have a highly restricted IT setup, it is the 0-500 seat offices I am more concerned with. They are the ones that often fail to limit employee internet activity (I know as I used to be in IT as well). These are the organisations that propagate viruses.

The point still is this:
Keep your computer up-to-date. If your business is developing or owns software that requires a specific browser to operate - you made the wrong decision. Web-based applications should not require a specific browser (I know since this is what I do now). If it is too expensive to allow for an upgrade of a browser (or simply Adobe Acrobat), then you relied on the wrong provider.

I certainly understand how upgrading an operating system can be far more of an issue, but a browser? Please.

Rodney

Monday 18th January 2010 | 07:49 PM
340 total kudos

...in response to this comment by Marvin the Martian. "...The point still is this: Keep your computer up-to-date..."

That's it in a nutshell. It's just a matter of time and cost from then on.
