Slashdot Mirror


Google Researcher Issues How-To On Attacking XP

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

16 of 348 comments

  1. Negative. by Anonymous Coward · · Score: 5, Insightful

    He waited five days without even receiving a response from MS. I'd have done the same thing he did.

    1. Re:Negative. by SanityInAnarchy · · Score: 4, Insightful

      >Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day.

      So they did respond. They just didn't fix it in five days:

      >Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

      That's what he was complaining about, and I think it's a legitimate complaint.

      --
      Don't thank God, thank a doctor!
  2. Re:Microsoft's Official Response by hedwards · · Score: 3, Insightful

    Ah, the security blanket approach. If they can't see me I'm not vulnerable.

  3. Re:Irresponsible by axl917 · · Score: 5, Insightful

    Could he be sued for this by someone who gets infected?

    Don't be stupid. It isn't the messenger's fault.

  4. Re:Do no evil by Anonymous Coward · · Score: 3, Insightful

    Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical standpoint).

    Yeah yeah. Apart from the guy not actually doing this as a Google employee;

    "Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself."

    And the fact that Google, Apple and everyone else have got a long way to go before they approach the utter moral bankruptcy required for the likes of the Halloween documents, the derailment of OLPC, the ODF/OOXML fiasco and so on.

  5. Zero days notice by RulerOf · · Score: 4, Insightful

    I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

    If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."

    It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

    --
    Boot Windows, Linux, and ESX over the network for free.
  6. Re:Thanks Google by Anonymous Coward · · Score: 5, Insightful

    5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on.

    You live in a dream world. Yes, 5 days is fine if you have a non-OS product that isn't part of an ecosystem with millions of applications running on it. For example, to patch something like a text editor, 5 days is probably enough. But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes. That would be stupid.

  7. Re:Thanks Google by Xest · · Score: 4, Insightful

    That depends on the company.

    Sure, some companies don't give a fuck about incompatibility caused by updates and that sort of thing; however, MS very much does.

    Further, as they have such a large share of the desktop and server market that depends on working, it would be irresponsible of them to throw out a patch in a mere 5 days that can't have been fully tested with countless configurations and ended up causing more harm to customers' machines than if they'd just not bothered to patch at all.

    You can't reasonably build and test a patch that has minimal effect on your customer base in 5 days when your customer base is as large and varied as Microsoft's.

  8. Re:Thanks Google by tajribah · · Score: 3, Insightful

    It may seem so, but the reality seems to disagree. Most Linux distributions release security updates within a day or two after the vulnerability is announced, and while I maintain dozens of Linux machines, I had witnessed a security update breaking something at most once. On the other hand, I have seen problems caused by Windows updates countless times.

  9. Re:They did no evil by gad_zuki! · · Score: 4, Insightful

    I'm sure his hotfix and one-man testing matches MS's extensive testing. Seriously, do you think any company would just release this fix immediately without serious testing?

  10. Missing from the summary by Photo_Nut · · Score: 3, Insightful

    Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.

    The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.

    No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.

    1. Re:Missing from the summary by Texodore · · Score: 3, Insightful

      I know that if I'm running Linux, I'm going to immediately take code off a mailing list, compile it in my kernel, and feel comfortable.

      Had this been open source, everyone would wait for a patch just like they are from Microsoft. It will almost definitely be quicker, but the mailing list idea is just absurd.

  11. Re:Do no evil by gad_zuki! · · Score: 5, Insightful

    >Whatever it takes to damage Microsoft is okay with me.

    This doesn't punish MS, it punishes end users and admins. Sadly, this fact doesn't matter to those who are just full of MS hate.

  12. Re:I Don't Think Zero-Day Means What You Think by dieth · · Score: 3, Insightful

    Wrong again, Zero-day refers to the amount of time that the bug/vulnerability has been disclosed to the public, not patch. It is still possible to secure your system with just the knowledge of how the attack is reaching you.

  13. Re:Do no evil by master_p · · Score: 4, Insightful

    It only punishes end users and admins in the short term. When these people are fed up with Microsoft, they will turn elsewhere, and then Microsoft will be hurt.

  14. Re:Oh not the we're too big to fix it defense by VGPowerlord · · Score: 3, Insightful

    You are aware that said code was submitted to Microsoft by someone who works for what is currently Microsoft's biggest competitor, whom they are currently in a 3-front war with (Browser, Search Engine, Netbook OS)?

    This is a moot point, though: Google could later claim copyright over said code and sue Microsoft over it. Something that doesn't apply to your fire analogy.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011