Tuesday, February 23, 2010

Programmer in China who wrote IE exploit identifed; the history of fix attempts is long


Microsoft issued a patch to Internet Explorer about a week after (in late January) reports that major American software companies had been breached from China. Apparently this was covered by Microsoft Security Bulletin MS10-002 (Critical), knowledge base 978207, and covers several versions of IE. The Microsoft link is here. I found this update installed on my own Dell Vista laptop Jan. 23.

The media reports that the main vulnerability was in IE 6 (which wouldn’t be used as much in corporate sites as later versions, although some companies are not progressive in maintaining updates). Elinor Mills has a story (link) on CNET (among many others in the media Monday) reporting that a specific programmer in China who wrote the exploit code has been identified.


The programmer did not launch the attack, and the circumstantial evidence suggests involvement of China’s government.

I see that I wrote about a quirk in the Microsoft update process here Jan. 23 and about another IE vulnerability (KB 979352) as well as an Adobe vulnerability possibly exploited by Chinese hackers Jan. 15.

No comments: