Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Researcher Issues How-To On Attacking XP

Posted by timothy on from the now-get-to-the-next-phone-booth dept.

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

26 of 348 comments (clear)

  1. War by Thanshin · · Score: 2, Insightful

    The classic "selling cheap weapons to the neighbouring country".

    You can use it too. Instead of smearing your competitor for a raise, give his secrets to one of his subordinates.

  2. Negative. by Anonymous Coward · · Score: 5, Insightful

    He waited five days without even receiving a response from MS. I'd have done the same thing he did.

    1. Re:Negative. by SanityInAnarchy · · Score: 4, Insightful

      Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day.

      So they did respond. They just didn't fix it in five days:

      Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

      That's what he was complaining about, and I think it's a legitimate complaint.

      --
      Don't thank God, thank a doctor!
  3. Do no evil by +Addict-09+ · · Score: 1, Insightful

    Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

    1. Re:Do no evil by Anonymous Coward · · Score: 3, Insightful

      Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

      Yeah yeah. Apart from the the guy not actually doing this as a Google employee;

      "Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself."

      And the fact that Google, Apple and everyone else have got a long way to go before they approach the utter moral bankruptcy required for the likes of the Halloween documents, the derailment of OLPC, the ODF/OOXML fiasco and so on.

    2. Re:Do no evil by gad_zuki! · · Score: 5, Insightful

      >Whatever it takes to damage Microsoft is okay with me.

      This doesnt punish MS, it punishes end users and admins. Sadly, this fact doesnt matter to those who are just full of MS hate.

    3. Re:Do no evil by master_p · · Score: 4, Insightful

      It only punishes end users and admins in the short term. When these people are fed up with Microsoft, they will turn elsewhere, and then Microsoft will be hurt.

  4. Irresponsible by dmcq · · Score: 2, Insightful

    If he has only given five days before releasing it into the wile he is recklessly irresponsible. It just shows a person can be intelligent one way and a complete eejit in another. Could he be sued for this by someone who gets infected?

    --
    thou discernest my thoughts from afar
    1. Re:Irresponsible by axl917 · · Score: 5, Insightful

      Could he be sued for this by someone who gets infected?

      Don't be stupid. It isn't the messenger's fault.

    2. Re:Irresponsible by hey! · · Score: 2, Insightful

      It depends on the nature of Microsoft's response. Consider the following:

      (a)"Thanks, this looks serious. We've got a team looking into it now, but we've found some difficulties with your suggested fix. If you don't see a security patch in the next several days, don't be alarmed. A patch is coming soon, but we don't want to release a fix that creates more problems. We'd appreciate it if you kept this under your hat while we're working on this. We'll be sure to credit you with finding this problem when the patch comes out. Feel free to call my cell at xxx-xxx-xxxx if you have any questions."

      (b)"Thank you for your interest in the
            [ ] aesthetics
            [ ] features
            [ ] performance
            [x] security
      of Microsoft Windows, the most
            [ ] good looking
            [ ] comprehensive
            [ ] powerful
            [x] safe
      operating system on the market. We get more suggestions for improving Windows than we can respond to personally, but your input is important to us. With your help, we will make the next release of Windows
            [ ] more beautiful
            [ ] more useful
            [ ] faster
            [x] more secure
      than ever."

      If it is (b), I'd release the details too, although I'd wait longer than five days, and I'd give them a heads-up that I was announcing.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  5. Re:Microsoft's Official Response by hedwards · · Score: 3, Insightful

    Ah, the security blanket approach. If they can't see me I'm not vulnerable.

  6. Thanks Google by AmiMoJo · · Score: 2, Insightful

    Now I can protect myself against this exploit. 5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on. Monthly update cycles are too slow.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Thanks Google by Anonymous Coward · · Score: 5, Insightful

      5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on.

      You live in a dream world. Yes, 5 days is fine if you have a non-os product that isn't part of an ecosystem with millions of applications running on it. For example to patch something like a text editor - 5 days is probably enough. But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes. That would be stupid.

    2. Re:Thanks Google by Xest · · Score: 4, Insightful

      That depends on the company.

      Sure some companies don't give a fuck about incompatability caused by updates and that sort of thing, however MS very much does.

      Further, as they have such a large share of the desktop and server market that depends on working it would be irresponsible of them to throw out a patch in a mere 5 days that can't have been fully tested with countless configurations and ended up causing more harm to customers machines than if they'd just not bothered to patch at all.

      You can't reasonably build and test a patch that has minimal effect on your customer base in 5 days when your customer base is as large and varied as Microsoft's.

    3. Re:Thanks Google by tajribah · · Score: 3, Insightful

      It may seem that so, but the reality seems to disagree. Most Linux distributions release security updates within a day or two after the vulnerability is announced and while I maintain dozens of Linux machines, I had witnessed a security update breaking something at most once. On the other hand, I have seen problems caused by Windows updates countless times.

  7. Zero days notice by RulerOf · · Score: 4, Insightful

    I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

    If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."

    It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

    --
    Boot Windows, Linux, and ESX over the network for free.
    1. Re:Zero days notice by bsDaemon · · Score: 2, Insightful

      I always assumed it to mean that the day the software is released, an exploit is found -- kind of like a zero-day crack to pirate software. Apparently I was wrong, and it means whatever the article author needs it to mean in order to sound as bad and scary as possible like "z0mg! we have zero days before the end of the world!"

  8. Re:I Don't Think Zero-Day Means What You Think by richlv · · Score: 2, Insightful

    i'm sorry, but that's the first time when i hear such a definition, and i'm sorry again, but it's completely silly.
    what's the "zero" in there, what's the "day" ?

    two definitions that at least make sense -
    * vendor had no time to patch it;
    * there was no public information beforehand.

    these are a bit similar, as you just redefine who had or had not information on the problem.

    --
    Rich
  9. Re:They did no evil by gad_zuki! · · Score: 4, Insightful

    Im sure his hotfix and one man testing matches MS's extensive testing. Seriously, do you think any company would just release this fix immediately without serious testing?

  10. Missing from the summary by Photo_Nut · · Score: 3, Insightful

    Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.

    The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.

    No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.

    1. Re:Missing from the summary by Texodore · · Score: 3, Insightful

      I know that if I'm running Linux, I'm going to immediately take code off a mailing list, compile it in my kernel, and feel comfortable.

      Had this been open source, everyone would wait for a patch just like they are from Microsoft. It will almost definitely be quicker, but the mailing list idea is just absurd.

  11. Re:Raging Bull by tajribah · · Score: 2, Insightful

    Sorry, but it seems that you are a little bit confused about the real cause. First of all, the blame lies on MS for creating the bug. Secondly, a responsible vendor should fix a security hole as quickly as possible, because security bugs are rarely discovered by a single person only. It is highly probable that the same bug is already being expoited by the black hat hackers in the wild. Five days is more than enough for the vast majority of security problems and delaying the fix is completely irresponsible. IMHO, MS should stop complaining and fix their processes instead.

    In addition to that, it seems that MS has never replied to the researcher. Responsible vendors do that and they even cooperate with the researchers on the possible fixes. Most researchers treat such vendors very respectfully, but they hardly have any understanding for vendors who expect that they can delay security fixes for months and ignore the input from the security community.

  12. Re:They did no evil by 228e2 · · Score: 2, Insightful

    Hahahahahahaha.

    Really? You think MS (or any company near their size) would use submitted code as a starting point? Geez, I understand the dislike for MS, but lets use sound reasoning please.

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
  13. Re:I Don't Think Zero-Day Means What You Think by dieth · · Score: 3, Insightful

    Wrong again, Zero-day refers to the amount of time that the bug/vulnerability has been disclosed to the public, not patch. It is still possible to secure your system with just the knowledge of how the attack is reaching you.

  14. Re:Oh not the we're to big to fix it defense by VGPowerlord · · Score: 3, Insightful

    You are aware that said code was submitted to Microsoft by someone who works for what is currently Microsoft's biggest competitor, whom they are currently in a 3-front war with (Browser, Search Engine, Netbook OS)?

    This is a moot point, though: Google could later claim copyright over said code and sue Microsoft over it. Something that doesn't apply to your fire analogy.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  15. Sympathy??? by baomike · · Score: 1, Insightful

    I find it very hard to generate much sympathy for MSFT.
    Gee, someone played a dirty trick on them.

    While it wasn't nice of Google , I hope they don't stop.