Tuesday, February 23, 2010
Programmer in China who wrote IE exploit identifed; the history of fix attempts is long
Microsoft issued a patch to Internet Explorer about a week after (in late January) reports that major American software companies had been breached from China. Apparently this was covered by Microsoft Security Bulletin MS10-002 (Critical), knowledge base 978207, and covers several versions of IE. The Microsoft link is here. I found this update installed on my own Dell Vista laptop Jan. 23.
The media reports that the main vulnerability was in IE 6 (which wouldn’t be used as much in corporate sites as later versions, although some companies are not progressive in maintaining updates). Elinor Mills has a story (link) on CNET (among many others in the media Monday) reporting that a specific programmer in China who wrote the exploit code has been identified.
The programmer did not launch the attack, and the circumstantial evidence suggests involvement of China’s government.
I see that I wrote about a quirk in the Microsoft update process here Jan. 23 and about another IE vulnerability (KB 979352) as well as an Adobe vulnerability possibly exploited by Chinese hackers Jan. 15.