I'm not cross, North Korea, just disappointed.
North Korea hits new low by using Seoul Halloween tragedy to exploit Internet Explorer zero-day
North Korea has hit a new low, using the death of over 150 people to exploit a zero-day flaw in Internet Explorer. Google’s Threat Analysis Group on Wednesday spotted the flaw, CVE-2022-41128, an RCE bug in the JScript9 scripting language engine. Microsoft fixed it in November 2022’s patch dump. But Google says the North …
COMMENTS
-
Thursday 8th December 2022 07:47 GMT Refugee from Windows
Eliminate the zero
Surely the weak link is the now orphaned Internet Explorer. I remember Adobe Flash being killed off; is it time for this to be removed?
Will a Tuesday set of fixes contain a tool to remove it and either point at another browser of your own choice that hasn't been abandoned or install the dreaded Edge?
It's North Korea, they're probably still using IE6 anyway.
-
Thursday 8th December 2022 09:58 GMT Binraider
Re: Groundhog day
Backdoors by design, and then also the ones "by accident".
And if those are figured out, launch a new version of an application to make sure some new ones are made available.
Say what you like about DOS, the small size of the attack surface made it much more auditable, and it persists in embedded for this reason. I'm sure I'm not alone in appreciating the benefits of a generic and very compact OS for certain applications.
-
Thursday 8th December 2022 12:23 GMT doublelayer
Re: Groundhog day
"Say what you like about DOS, the small size of the attack surface made it much more auditable, and it persists in embedded for this reason. I'm sure I'm not alone in appreciating the benefits of a generic and very compact OS for certain applications."
Well, I have a lot I'd like to say, so I'll get started.
"the small size of the attack surface": No. The attack surface was small because basically every possible attack was accepted. The OS has no privilege system and lets any program that runs on it do whatever it wants. That's not having a small attack surface. That's having no defenses and pretending they're the same. They're not and nobody knowledgeable would equate the two.
"it persists in embedded for this reason": You don't work in embedded, do you? It does not persist in embedded. It exists in legacy hardware all over the place, but it's not used in new embedded hardware. There are a lot of small embedded OSes. Many are RTOSes, which DOS isn't. There are several with security features baked in, and some with a DOS-like no-limits system because they only run the one program. Those things are also both smaller and more auditable (and actively audited) than DOS was. If you scale up, there are embedded Linuxes, some use of BSD, and you sometimes see Windows CE or the later Windows 10 Embedded. The only time you see DOS on a new build is if it has to interact with something old that nobody's going to replace, and such things are expensive and very custom-made.
-
Thursday 8th December 2022 13:26 GMT Binraider
Re: Groundhog day
VxWorks is my thing, most of the time. But I also have a need to talk to quite a lot of positively ancient hardware. Everything from 1940s electro-mechanical monsters, later hard-coded TTL logic; and more contemporary systems in circulation. There's an awful lot of '80s/'90s stuff with DOS jammed in there that I can't just replace (because realities of budgets.) - though interestingly the older tech probably mostly has longer asset lifetimes than PC-derived stuff.
Security-wise, if physically compromised it makes little difference what OS happens to be there. Proper embedded systems are obviously much more capable of locking down control; but practically speaking IF there is a concern raised about a breaking whether it's new-or-old; one would be immediately reverting the unit to "known good" config from an appropriately controlled source. Practically speaking, the difference between a smaller, simple and very crude system; and a complex one, is for us minimal.
These things aren't networked in the slightest for obvious reasons. One could sales pitch the benefits of it, but the risks that go with it make zero sense.
Different solutions for different problems :-)
-
Thursday 8th December 2022 11:48 GMT Anonymous Coward
Don't blame the evil people
From Harry Potter and the Methods of Rationality: "When you do a fault analysis, there's no point in assigning fault to a part of the system you can't change afterward, it's like stepping off a cliff and blaming gravity. Gravity isn't going to change next time. There's no point in trying to allocate responsibility to people who aren't going to alter their actions."
The bad guys are just doing their natural bad-guy stuff, no point blaming them for that, they won't change. We should have better security: now that's a place where assigning responsibility might be useful.
-
Thursday 8th December 2022 12:14 GMT doublelayer
North Korea has hit a new low
If this counts as a new low, you have some weird scales going on. Given the amount of stuff North Korea has done (assassinations with hundreds of civilian casualties and/or biological weapons, one of the largest sets of concentration camps with slavery that's even worse than the normal slavery everyone else has to go through, repeated theft from developing countries that suffer large economic consequences as a result, citizens forced into criminal activity with threats to their families, really boring propaganda that only tells us where King Kim Idiot was last week), it's hard to know what would really lower the bar.
-
Thursday 8th December 2022 13:58 GMT Michael Strorm
Works because South Korea was much more stuck on IE than everyone else
My memory suggested that it was South Korea that had tied a stupidly high percentage of its important Internet sites to IE and that ActiveX (yes, this must have been going back a long way) was involved.
A bit of checking suggests that was broadly correct, and that the original cause dates back to the late 90s when, ironically, South Korea was ahead of its time in requiring encrypted digital certificates for anything previously demanding a signature. But back then this required an ActiveX control, which meant IE-only.
And the fact that IE was needed, and used, for that reason anyway led everyone else to follow when designing their sites.
Hence South Korea remained wedded to IE for years after most of the rest of the world had (*finally*!) moved on.