Google Researcher Issues How-To On Attacking XP
theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
exploits a zero-day vulnerability
Zero-Day would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.
My work here is dung.
The classic "selling cheap weapons to the neighbouring country".
You can use it too. Instead of smearing your competitor for a raise, give his secrets to one of his subordinates.
He waited five days without even receiving a response from MS. I'd have done the same thing he did.
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
...leverage a flaw in Windows' Help and Support Center...
This service is turned off by default on all systems I manage, both as part of initial installation and, where possible, by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.
Every mans' island needs an ocean; choose your ocean carefully.
Quick, someone make an exploit that installs IE8 or Chrome.
"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.
If he has only given five days before releasing it into the wild he is recklessly irresponsible. It just shows a person can be intelligent one way and a complete eejit in another. Could he be sued for this by someone who gets infected?
thou discernest my thoughts from afar
"security experts" that try to convince people that IE is no less safe than FF/Chrome are going to be bothered (even though this attack has nothing to do with the browser)
5 days would be enough for an advisory.
How long did MS take to solve some bugs again?!
how long until
IT is now about feudalism, not about technology. Google pushes out its drug of choice, and MS is now having to live with a growing public knowledge that for 20+ years its software is garbage. I just find it funny that Google is the one trying to make Microsoft accountable.
I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with closed-source software. So the industry decided that 5-7 days after letting a vendor know about a problem, everyone would release the information so that everyone would know about it rather than just the bad guys, so system admins would know to watch for that type of attack, and to force the vendor to fix it in a timely manner.
Seems like this is just standard timing, since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend the manpower and money required to fix program bugs. They would rather fix them when they get around to having the free time a few months later. After all, bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing. "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.
The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.
If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you historically haven't wanted to be bothered to fix in a timely manner.
Now I can protect myself against this exploit. 5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on. Monthly update cycles are too slow.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
>>Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself.
Didn't see where the Google association was, but judged in isolation it appears to be nothing more than grandstanding since 5 days doesn't seem to be reasonably enough time to respond.
This story would be funny if not for the fact that the Google engineer may have put a lot of computer users, and probably its own customers, at risk in this little game of one-upmanship.
It reminds me of a quote from Robert DeNiro playing Jake LaMotta in the great film Raging Bull by Scorsese. He's sitting at the table of some mobsters who are needling him about the impressiveness of another fighter: "Maybe I'll put da two of ya in the ring together and you can fuck each other".
When two big companies fight it out, one would hope that the consumer would be the beneficiary of their competition, not collateral damage.
You are welcome on my lawn.
I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.
If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."
It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.
Boot Windows, Linux, and ESX over the network for free.
Is this really 'do no harm'?
I will take "Don't be Evil" for $600 Alex.
I'll try anything once. Twice if it tastes good
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
Did you RTFA? The Google engineer - who btw didn't give any indication that they are from Google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person were from a company that wasn't a competitor, would anyone call disclosing a (NON-ZERO DAY) issue on the security list, so that security professionals are aware, evil, after giving MS time to see the vulnerability and test the potential fix? I'd expect a company that derives Microsoft-sized revenue from its OS to have someone readily available for these issues.
I can't wait for Microsoft to release an exploit for gmail - surely no one will be bothered by an exploit that makes everyone's current and past email available?
slashdot troll = you make a compelling argument I do not like the implications of.
Dang, and here I'd always assumed "Zero Day" meant the bug had been there since the day the software was released. Like the bug in the .BMP rasterizer, revealed in 2004, that had been there since Windows 3.0
Who manages the canonical definition of "Zero Day" ?
Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.
The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.
No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.
Because he works for Google and they will protect him, M$ can't use their massive amounts of money to sway him from talking or slap him with lawsuits....therefore the only thing to do is actually FIX THE BUG!....imagine we live in a world where when we tell a company their product is flawed, and even offer a way to reproduce this bug, they say thank you very much, and fix their product...right away....well I applaud his effort, and think that more people (from Google) should all come out with these types of bugs to show that not only are we going to let everybody know about your bug and how to use it, but only after giving you a small amount of time to fix it....so you might as well just swallow that pill, put on your coding caps and fix those bugs....
So many exploits come from M$ and have been around for so long that it is nice to see someone (other company) stand up for us and help bring about a safer web/internet for us to play in...
Sorry, just because your arbitrary deadline has passed does not give you right to aid others in harming others computers.
Even the summary needs help here. I really get the impression of a bunch of immature know-it-alls, of which that developer is one. Damn, as if I didn't have to put up with this already with five-year-olds running around...
I warned you!!!! I warned you I was going to do it!!!! See, it's all your fault.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Imagine if that argument were applied elsewhere.
"Yes ma'am we received your 9-11 call about a house fire, but our city government is so large that we'll need to send a team out to verify there is smoke and heat and that a fire truck is warranted before the actual fire truck can be dispatched"
maybe you should look up what "zero-day" means...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Um sure....
Bug exposes eight years of Linux kernel
It's a bit of a crappy and unreliable exploit to say the least.
For some reason, my up-to-date Opera on XP SP2 just executes VideoLAN to load a (non-existent) JPG instead of the supposed WMP execution -> vulnerability trick that IE is vulnerable to. VLC then just errors out because the hcp:// protocol is obviously nonsense to it. I assume my copy of VLC is somehow associated with opening unknown protocols in Opera.
And in the IE case, WMP executes and then ZoneAlarm (ancient version) pops up and asks if I want Windows Media Player to access the local network. Twice. If I Deny, nothing happens. If I allow (both times), Windows Help and Support Center opens and then another ZA popup asks me to give permission for that too (and that says "Internet" rather than local, which would be blocked by default). If I allow that too, I get a copy of Windows Help and Support Center with a search for the nonsense page and not much else. "Computer Information for \\eval(unescape('Run("calc.exe")'))" is what's literally written inside it, and calc doesn't execute.
My IE, WMP, ZA and Windows Updates on this machine are NOT up to date by any means. The only thing that's up-to-date is Opera. Nothing untoward would have happened under normal usage. So it seems of dubious use at best, it's not a particular killer of a vulnerability.
However, the technical analysis was quite interesting and the problem basically stems from shitty programming at every level - not checking return values that indicate failure, continuing on and then passing arbitrary (and unescaped) strings to other functions, a cross-site scripting error within the Windows Help internals (due to insufficient escaping of data), allowing script execution to happen again on dynamically-generated script code because someone tagged "defer" (a Microsoft-only invention) onto a script tag, and finally a way to avoid a security-related prompt on versions of IE, Firefox and Chrome by hiding the very same code inside an iFrame / Object which executes WMP. It's like a catalogue of errors, some of which have been previously reported and well-known for ages. It's just crap all the way down to actual execution of anything you like using wscript. And that's present in XP - a 9-year-old operating system with millions of deployments - Server 2003 and probably a lot of others using non-ancient versions of IE, WMP, etc.
Stop whinging Microsoft, and fix this crap. That's been in the OS that millions of people used for **years**, after all your patching and service packs, and you never even spotted it, even when you were the only people with the code to the damn thing. I'm not saying it's easy or you should find everything, but FFS - the problems there just show crappy programming and patchwork all the way to the OS core. That "defer" thing just REEKS of someone saying "But I need a way to bodge this...". Whether it's responsible disclosure or not - fix it first, whinge about their methods later. Where's my response saying when you'll fix it? Where's the estimated patch release date? Where's the hotfix? When you've put those out, you can whinge about them being irresponsible with security. And then they can say "But we're one of your main competitors!" and laugh at you, the same way you would if one of your researchers found a major bug in Google's websites / OS / browser.
Except he doesn't give 5 days. This guy minimizes the amount of time Microsoft has to respond to the issue while trying to stay in the 5 day window.
This just shows how dirty the IT fighting has become ( not that it was ever civil ). And as many have pointed out, even if you don't like Microsoft this affects the XP and 2003 Server users the most.
Sorry, but did you read the article? He got an immediate response.
This guy is clearly trying to meet the 5 day minimum only. Who reports a bug on a Saturday, then goes public first thing the morning of the 5th day?
Does Google Have a Double Standard on Full Disclosure?
This issue has absolutely nothing to do with Google. Google has a strict policy that what you do on your own time and dime is yours. That's why they have a lot of really good security people there who all conduct independent research that's completely unaffiliated with Google. So, to be very clear, Tavis did this entirely on his own. MS mis-framing it as Google (and Slashdot buying it hook line and sinker) is just a smokescreen. Sorry, but you've been suckered.
Do this AFTER you release Chrom[ium] OS. Then users have something to defect to...
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Don't listen to the lies and FUD.
Why do papers insist on printing what MS spokesmen say without the qualifiers?
Note: MS spokesmen are widely known to be both flat-out liars and unabashed FUD machines.
People need to get their facts straight please. Microsoft DOES sit on known issues.
http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/
That is just one example of many....
In this case the specific Google engineer discovered a bug, built PoC code to ensure that it existed, and notified Microsoft.
If Microsoft would do its own stinking job and build secure code to begin with, this would not happen. If they checked out their own code, this would not happen. But when independent researchers take the time and effort to do Microsoft's QA work for them, and provide them the information....we get nothing but whining about how they weren't given 'adequate time'. You had the months and years you planned the product release. You had all of the time since the product release. You had 5 days, and probably more, since the engineer was kind enough to provide a detailed description and PoC FREE OF CHARGE. Stop your stinking whining and fix the freaking problem. btw, thanks for doing QA work Google. Some of us appreciate it.
And yet how many times has microsoft "fixed" a vulnerability by band-aiding over *one* instance of an exploit while leaving many other related attack vectors wide open?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
"Google can't have its cake and eat it, too," said Robert Hansen, the CEO of SecTheory .. Hansen, who acknowledged that he has worked for Microsoft as a security consultant on several projects, weighed in again. "The whole thing rubbed me the wrong way," he said.
How do we disable a protocol handler in WinXP?
Tried Googling it, but just got links to security alerts suggesting disabling other handlers.
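For the question above, here is an added example of how a URL protocol handler can be unregistered on Windows XP with the built-in reg.exe. It is not from the thread and is not Microsoft's published workaround; it assumes that protocol handlers are registered under HKCR\<scheme> with a "URL Protocol" value and that the program launched for <scheme>:// links is the default value of HKCR\<scheme>\shell\open\command. The script name disable-handler.cmd is made up for the example.

```batch
@echo off
rem Added example, not from the thread or from Microsoft: inspect, back up and
rem unregister a URL protocol handler on Windows XP using the built-in reg.exe.
rem Assumption: handlers are registered under HKCR\<scheme> with a "URL Protocol"
rem value, and the program launched for <scheme>:// URLs is the default value of
rem HKCR\<scheme>\shell\open\command.
rem Usage (from an Administrator command prompt):  disable-handler.cmd hcp
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<scheme^>
    exit /b 1
)
set SCHEME=%~1
set KEY=HKCR\%SCHEME%

rem 1. Make sure the key is a URL protocol handler and not an ordinary file class.
reg query "%KEY%" /v "URL Protocol" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not registered as a URL protocol handler; nothing to do.
    exit /b 0
)

rem 2. Show what the handler launches, so the change can be reviewed first.
echo Current handler for %SCHEME%:// :
reg query "%KEY%\shell\open\command" /ve

rem 3. Export the key so the change is reversible with "reg import".
set BACKUP=%TEMP%\%SCHEME%-handler-backup.reg
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; refusing to remove %KEY%.
    exit /b 1
)
echo Backup written to %BACKUP%

rem 4. Remove the registration. With no handler, browsers have nothing to hand
rem    %SCHEME%:// links to, so the scheme is no longer reachable from web pages.
reg delete "%KEY%" /f
echo Removed %KEY%. Restore with:  reg import "%BACKUP%"
endlocal
```

Removing a scheme's key also breaks the legitimate application that registered it (for hcp that is Help and Support Center's own links), which is why the script exports the key first; importing the .reg file restores the handler. Running the first two steps alone is a harmless way to audit which schemes a machine will hand to external programs.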
Huh what now?
That's one very clever Thursday to go publishing attack code. And, even better, it appears to be a special Google Engineer flavour of one!
I was not bothered at all because I do not use Microsoft products and have not for 14 years.
with all the bs fanbois post and the unbelievably naive opinions?
When the users are tired of being damaged because they made a bad choice in products, perhaps they will suck up and make a better choice - same goes double, maybe treble, for administrators, who should know better.
Hate has nothing to do with calling someone a stubborn fool for repeatedly buying something that burns them.
/*
You can test this with a command like so (assuming a recent IE):
C:\> ver
Microsoft Windows XP [Version 5.1.2600]
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
*/
So that did nothing for me, even with no recent updates in weeks.
Could this mean that when Firefox is set as the default browser and IE is old and unused, this bug is ineffective? I don't think I've used IE in at least 5 years.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
I find it very hard to generate much sympathy for MSFT.
Gee, someone played a dirty trick on them.
While it wasn't nice of Google , I hope they don't stop.
I suggest it is poor communication is to blame.
Did they just email back 'Thank you for your ... your ticket number is 936473'. Chances are their help desks resemble other non-technical help desks staffed by droids.
For the amount of revenue MS gets they should say things like
1) It's logged.
2) Rank the person who reported it - easy to spot a technically good report. Recognized names.
3) Within 48 hours tell the person who reported it that it is confirmed, and ranks whatever on their priority scale - or ask for clarification.
4) Say why the fix can't go out now.
5) Within 4 days, clearly say what MS is going to DO.
Sorry, give lots of feedback to people who spot bugs and provide solutions.
6) Send Beer/Pizza T-Shirt to person who reported it.
None of this arrogant "we'll decide when, if and in our own sweet time what we are going to do" business.
"Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself."
Talk about hyping Google vs Microsoft
"You can make money without doing evil."
Really?
How's that working out for you?
http://www.google.com/intl/en/corporate/tenthings.html
Kriston
Lots of focus on the badness of applying the hotfix... granted this is a valid concern, but what gets broken by issuing an advisory about the bug? It's not like Microsoft never had a security advisory issued before about some obscure "feature" no one uses.
immediately as a response
cyber war between corporations
cool
i want movie rights
A vulnerability that existed before the universe existed.
Your anti-MS post has been duly noted and your AMS points now stand at 1500. 100 more points and you're eligible for the full-size Bill Gates as Borg poster.
Sure, it may have been a little childish to release the information.
His stated reason of 'forcing Microsoft to fix it' as they would 'otherwise ignore it' is hard for me to disagree with; however, it's nice to see MS get served. Perhaps if this happened often enough they'd start releasing better software, although Win 7 so far seems to be showing they are moving in that direction.
Also, he did release a patch with it, and the real question to me is if he knew his patch was flawed or not. As a software developer, I'm willing to give him the benefit of the doubt on that one.
I like the idea of using zero-days to put developers under the gun for their mistakes.
"lt;dr" is the correct response to most of my posts.
Please, get over yourself.
... able to issue a simple SELinux profile fix, the same day, that slapped the exploit around the room like a silly little girl, and also fix the kernel and put it out in the repositories the next day, and ... what? Microsoft doesn't have any SELinux like protection mechanism?? Updates take a MONTH or more???
Probably not the orange you wanted to compare to his apple. He wasn't saying that it having been there for years was the issue, but that them not being able to rapidly roll out protections or a fix is the issue. 5 days is an eternity.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
"Would've" might sound like "would of", but as the ve indicate, it is a contraction for WOULD HAVE.
More importantly, it makes sense for someone TO HAVE DONE something.
It does not make sense for someone TO OF DONE something.
Is this an exploit that Norton Antivirus (for example) is unable to protect you from? So, for persons with antivirus software and internet security software, do they still need to be afraid of injected malware without being detected? I doubt it.
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
And yet how many times has microsoft "fixed" a vulnerability by band-aiding over *one* instance of an exploit while leaving many other related attack vectors wide open?
As far as I know, zero.
Why don't you put your money where your mouth is and show otherwise?
Comment of the year
It's highly probable that this bug will get fixed, unlike the who-knows-how-many others which languish in the "pipeline" to get fixed. With Microsoft's cash on hand they can easily assign teams to give much better turn around. Five days does not seem out of the question considering their resources.
You assumed incorrectly.
If you mod me down, I shall become more powerful than you could possibly imagine.
The book you point out is based on the principle that you can't accelerate a project by throwing more people at it, because:
- these newcomers will need to get trained (takes lots of time and resources, and slows down the rest of the veteran team, who now have to train in addition to develop)
- the bigger the group, the bigger the communication problems.
What we wanted to point out is that, as a seller of paid-for software who has significant monetary resources (and who regularly points out in its marketing material that paid-for software is supposed to have better support because it is paid for), Microsoft probably already has a huge team with lots of man-power, already trained for their job, and already using a more or less efficient communication method. These teams *should* have the resources to analyse the threat and respond accordingly, especially given the fact that the bug is not only well documented, but that the guy even provided his own fix as an example. They *should* have been able to analyse and test this and deploy an official fix within 5 days.
We are not advocating hiring more coders (which would have failed due to the man-month problems). We are wondering why Microsoft didn't put to work the teams THEY ALREADY HAD and which ARE SUPPOSED TO DO EXACTLY THAT (which should theoretically succeed, given that these teams are supposed to be good at that work).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Wow!! Can I get a poster, too? Here's my contribution:
This story will make money for Microsoft, by getting people to buy Windows 7.
Windows 7, in my opinion, is sloppy. The right thing is to wait for at least service pack 2.
that this bug is most likely known by most private "black-hat" operations whose sole revenue is derived from illegal covert IT intrusion operations? I think a small fire under MSFT ass is a good thing. I am sure there were many people out there that used this vulnerability that are now a little pissed off that a useful "tool" of theirs will soon be patched. Just my 2 cents.
Cheers.
Unless you are running a well-designed web proxy that filters active content, chances are pretty high that someone has already created an undetected piece of malware for targeted attacks. The heuristic detection of anti-virus products is obviously beatable because otherwise the vendors wouldn't need to update any malware signatures. Malware heuristics have to work in a rather conservative way if you don't want to get false positives all the time. Quite a number of useful applications share characteristics with viruses or malware.
1. Copy protection & DRM schemes:
Copy protection is probably the most vicious "useful" software that doesn't trigger anti-virus heuristics. Some of those programs lurk deep inside the operating system, using drivers, encrypted binaries, self-modifying code, anti-debugging techniques.
2. Debuggers - can attach themselves to running programs, modifying data & code.
3. Game recorders. 3D video recording software "injects" code into the running game executable or hooks system calls to intercept OpenGL/DirectX rendering functions. Malware might attach itself to a windows system process using the same or similar techniques.
As you, as an anti-virus vendor, don't want to annoy the users with false positives of any of the aforementioned applications, it becomes clear that there are most likely a lot of ways to circumvent the heuristics.
--
Not related to your post but the topic:
I for one know about one large corporation that still uses thousands of Windows XP(-32) machines with Internet Explorer as the only allowed browser. They do force all traffic through a web proxy that filters quite aggressively but naturally leaves all HTTPS traffic unchecked. Once you know what anti-virus solution they're using, NOD32 in this particular case, it's most likely very easy to get into their network until Microsoft publishes a fix for this problem.