Zero-Day Exploit in Internet Explorer 8 Used To Access Nuclear Information


Whenever I read a headline showing that a company running very outdated software or hardware has been hacked, I find myself wondering whether the people responsible for its IT and finance departments are looking for new jobs. When it is a government agency, it is even worse. On Friday, May 3rd, I think things hit a peak when it was revealed that nuclear researchers at the US Department of Energy had their computers compromised.

Any compromise of systems used by people researching nuclear power and/or nuclear weapons is bad; there is no way around that. When the compromise happens because the systems in use were running outdated (very outdated) software, it is almost inexcusable. The computers in question were running Microsoft Windows XP and Internet Explorer 8. IE8 was superseded by IE9 two years ago, and XP is well over 10 years old. Finding sensitive government research systems still running this combination is embarrassing.

If you think that is bad, there is more to the story. The method of infection was apparently a compromised US Department of Labor website: a watering-hole attack, in which the attacker compromises a site its targets are known to visit rather than attacking the targets directly. Who is running the IT at these places, the Marx Brothers? The attackers, believed to be a Chinese group called DeepPanda, compromised the DoL site, which then forced visitors through a series of redirects that ended up installing a heavily modified version of the Poison Ivy malware. The modifications to the Trojan were enough to hide it from all but 2 major anti-virus scanners at the time. As of this writing an additional 4 can detect the new malware, but that still leaves some 36 missing it.

Microsoft has confirmed that this is a real flaw, but has clarified that it only affects IE8; people using other versions of Internet Explorer are not exposed. Microsoft recommends upgrading to IE9 or IE10 to prevent this attack. It has also published workarounds for those unable or unwilling to upgrade, along the lines of raising the Internet zone security level to High (which blocks ActiveX controls and Active Scripting) and deploying EMET. However, this does not absolve Microsoft of missing this rather critical bug in IE8. We can fault companies for not upgrading and patching their systems, and certainly the malicious individuals who perpetrated the attack, but we must also fault Microsoft for letting this one slip through the QA process.
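For an administrator who cannot push the IE9/IE10 upgrade immediately, the first two questions are "which machines are still on IE8?" and "how do I apply the zone workaround without clicking through the Internet Options dialog on every box?". The script below is an added example written for this post; it is not code from the original article or from Microsoft. It assumes PowerShell 2.0 (installable on XP SP3), that the IE version can be read from `HKLM:\SOFTWARE\Microsoft\Internet Explorer` (`svcVersion` on IE10+, `Version` on older builds), and that the Internet zone's URL-action values `1200` (Run ActiveX controls and plug-ins) and `1400` (Active scripting) take `3` for Disable and `0` for Enable; the function names `Get-IEMajorVersion` and `Set-InternetZoneLockdown` are mine.

```powershell
# Added example (not from the original post or Microsoft's advisory).
# 1. Reads the installed Internet Explorer major version from the registry.
# 2. If it is IE8, disables ActiveX controls and Active Scripting in the
#    Internet zone for the current user, the same effect as setting the zone
#    to "High" in Internet Options.
# Assumptions (see lead-in): registry paths, value names and the
# 1200/1400 action codes with 3 = Disable, 0 = Enable.

$ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
# Zone 3 is the Internet zone (0 = My Computer, 1 = Local intranet, 2 = Trusted, 4 = Restricted).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-IEMajorVersion {
    $props = Get-ItemProperty -Path $ieKey
    # IE10 and later store the real version in svcVersion and leave "Version"
    # at a 9.x compatibility string; IE8/IE9 only have "Version".
    $ver = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    return [int]($ver.Split('.')[0])
}

function Set-InternetZoneLockdown {
    param([switch]$ReportOnly)   # -ReportOnly shows current values without changing anything
    $actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
    foreach ($a in $actions.GetEnumerator()) {
        $current = (Get-ItemProperty -Path $zoneKey -Name $a.Key -ErrorAction SilentlyContinue).($a.Key)
        Write-Host ("{0} (action {1}): current={2}, target=3 (Disable)" -f $a.Value, $a.Key, $current)
        if (-not $ReportOnly) {
            Set-ItemProperty -Path $zoneKey -Name $a.Key -Value 3 -Type DWord
        }
    }
}

$major = Get-IEMajorVersion
$os    = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Host "OS: $os   IE major version: $major"

if ($major -eq 8) {
    Write-Host 'IE8 detected: applying Internet zone workaround (the real fix is upgrading to IE9/IE10).'
    Set-InternetZoneLockdown
} elseif ($major -lt 8) {
    Write-Host 'IE older than 8: not hit by this particular flaw, but unsupported; upgrade.'
} else {
    Write-Host 'IE9 or later: not affected by this flaw; no workaround needed.'
}
```

Two caveats a practitioner will run into. First, the settings live under HKCU, so they must be applied per user (or pushed with Group Policy, where the equivalent Internet zone settings can be enforced machine-wide); the script above only covers the account that runs it. Second, disabling Active Scripting for the whole Internet zone breaks most modern sites, so the usual pattern is to apply this lockdown and then add the handful of business-critical sites to the Trusted sites zone rather than relaxing the Internet zone again.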


When did things change so that home users are often more up to date and better protected than large multi-million dollar corporations and government agencies? Given technologies like Windows Server Update Services (WSUS) and others, I am not sure how these things keep slipping through unless it really is just incompetence.
