back to article Infoseccers think attackers backed by China are behind Ivanti zero-day exploits

Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti. If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure (ICS) and network access control toolkit Policy Secure, you should immediately apply the …

  1. Mike 137 Silver badge

    "by modifying a JavaScript file used by the Web SSL VPN component of ICS"

    Guess what? Javascript yet again. When will this lethal zero-security language be abandoned?

    1. Yorick Hunt Silver badge

      Re: "by modifying a JavaScript file used by the Web SSL VPN component of ICS"

      There's nothing wrong with the language; the problem lies with the cretins who decide to use it for purposes it wasn't intended for.

      A plastic latch is fine for preventing your toddler from opening kitchen cabinets, but a sane person wouldn't use it as the lock to the front door of their house.

      You would expect an ostensibly high profile (certainly high price) security product provider to have a little more sense, but evidently not.

  2. t245t Silver badge
    Boffin

    Vulnerability in the web component

    An authentication bypass vulnerability in the web component .. A command injection vulnerability in web components

    Using browser protocols on a security device, not a good idea.

    1. MonkeyJuice

      Re: Vulnerability in the web component

      I'd argue that it's more amateur hour code on a security device. It's not the browser protocols to blame, more the overconfidence of your average web drone.

  3. Anonymous Coward
    Anonymous Coward

    could be the

    Axe gang? (to many chinese fight movies)

  4. Anonymous Coward
    Anonymous Coward

    Ivanti shitshow

    This is being handled very poorly by Ivanti. No sign of any patched OS versions, despite a number being meant to have been released this week. They are advising people to upgrade from older point versions to the latest release train, but aren't planning on releasing the patched version of the latest release train until the second wave of patches is released. Arse meet elbow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like