Google Researcher Issues How-To On Attacking XP
theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
exploits a zero-day vulnerability
Zero-Day would mean that Microsoft had zero days to fix it, or no time at all to patch the system that had the security vulnerability between the time they released the software and the time the bug went public. By that definition this would be best described as a "five day exploit", or more in fact if they knew about it before Ormandy's notice.
My work here is dung.
The classic "selling cheap weapons to the neighbouring country".
You can use it too. Instead of smearing your competitor for a raise, give his secrets to one of his subordinates.
He waited five days without even receiving a response from MS. I'd have done the same thing he did.
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
...leverage a flaw in Windows' Help and Support Center...
This service is turned off by default on all systems I manage, both as part of initial installation and, where possible, by Group Policy. Just another parasitic service which is not necessary... because everyone just uses Google anyways.
Every mans' island needs an ocean; choose your ocean carefully.
Quick, someone make an exploit that installs IE8 or Chrome.
"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.
My work here is dung.
If he has only given five days before releasing it into the wild, he is recklessly irresponsible. It just shows a person can be intelligent one way and a complete eejit in another. Could he be sued for this by someone who gets infected?
thou discernest my thoughts from afar
"Security experts" that try to convince people that IE is no less safe than FF/Chrome are going to be bothered (even though this attack has nothing to do with the browser).
5 days would be enough for an advisory.
How long did MS take to solve some bugs again?!
how long until
I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with closed-source software. So the industry decided that 5-7 days after letting a vendor know about a problem, everyone would release the information so that everyone would know about it rather than just the bad guys, and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.
Seems like this is just standard timing, since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically, companies have not wanted to spend the manpower and money required to fix program bugs. They'd rather fix them when they get around to having the free time a few months later. After all, bug fixes don't make them any money. If I remember correctly, there was a quote from Microsoft saying that exact thing: "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way, then this shouldn't bother them at all, since people don't care about having bugs fixed.
The quote was from the German weekly magazine FOCUS (nr. 43, October 23, 1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.
If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you historically couldn't be bothered to fix in a timely manner.
Now I can protect myself against this exploit. 5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on. Monthly update cycles are too slow.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
>>Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself.
Didn't see where the Google association was, but judged in isolation it appears to be nothing more than grandstanding, since 5 days doesn't seem to be a reasonable amount of time to respond.
This story would be funny if not for the fact that the Google engineer may have put a lot of computer users, and probably its own customers, at risk in this little game of one-upmanship.
It reminds me of a quote from Robert DeNiro playing Jake LaMotta in the great film Raging Bull by Scorsese. He's sitting at the table of some mobsters who are needling him about the impressiveness of another fighter: "Maybe I'll put da two of ya in the ring together and you can fuck each other".
When two big companies fight it out, one would hope that the consumer would be the beneficiary of their competition, not collateral damage.
You are welcome on my lawn.
I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.
If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."
It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.
Boot Windows, Linux, and ESX over the network for free.
Is this really 'do no harm'?
I will take "Don't be Evil" for $600 Alex.
I'll try anything once. Twice if it tastes good
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
Did you RTFA? The Google engineer - who btw gave no indication that they are from Google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing a (NON-ZERO DAY) issue on the security list, so that security professionals are aware, evil, after giving MS time to see the vulnerability and test the potential fix? I'd expect a company that derives Microsoft-sized revenue from their OS to have someone readily available for these issues.
I can't wait for Microsoft to release an exploit for gmail - surely no one will be bothered by an exploit that makes everyone's current and past email available?
slashdot troll = you make a compelling argument I do not like the implications of.
Dang, and here I'd always assumed "Zero Day" meant the bug had been there since the day the software was released. Like the bug in the .BMP rasterizer, revealed in 2004, that had been there since Windows 3.0.
Who manages the canonical definition of "Zero Day" ?
Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.
The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.
No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.
Imagine if that argument were applied elsewhere.
"Yes ma'am, we received your 911 call about a house fire, but our city government is so large that we'll need to send a team out to verify there is smoke and heat and that a fire truck is warranted before the actual fire truck can be dispatched."
maybe you should look up what "zero-day" means...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Um sure....
Bug exposes eight years of Linux kernel
However he does have the right to provide others the information they need to secure (or evaluate retirement of) their computers.
Which is the same thing...
blog.sam.liddicott.com
It's a bit of a crappy and unreliable exploit to say the least.
For some reason, my up-to-date Opera on XP SP2 just executes VideoLAN to load a (non-existent) JPG instead of the supposed WMP execution -> vulnerability trick that IE is vulnerable to. VLC then just errors out because the hcp:// protocol is obviously nonsense to it. I assume my copy of VLC is somehow associated with opening unknown protocols in Opera.
And in the IE case, WMP executes and then ZoneAlarm (ancient version) pops up and asks if I want Windows Media Player to access the local network. Twice. If I Deny, nothing happens. If I allow (both times), Windows Help and Support Center opens and then another ZA popup asks me to give permission for that too (and that says "Internet" rather than local, which would be blocked by default). If I allow that too, I get a copy of Windows Help and Support Center with a search for the nonsense page and not much else. "Computer Information for \\eval(unescape('Run("calc.exe")'))" is what's literally written inside it, and calc doesn't execute.
My IE, WMP, ZA and Windows Updates on this machine are NOT up to date by any means. The only thing that's up-to-date is Opera. Nothing untoward would have happened under normal usage. So it seems of dubious use at best, it's not a particular killer of a vulnerability.
However, the technical analysis was quite interesting and the problem basically stems from shitty programming at every level - not checking return values that indicate failure, continuing on and then passing arbitrary (and unescaped) strings to other functions, a cross-site scripting error within the Windows Help internals (due to insufficient escaping of data), allowing script execution to happen again on dynamically-generated script code because someone tagged "defer" (a Microsoft-only invention) onto a script tag, and finally a way to avoid a security-related prompt on versions of IE, Firefox and Chrome by hiding the very same code inside an iFrame / Object which executes WMP. It's like a catalogue of errors, some of which have been previously reported and well-known for ages. It's just crap all the way down to actual execution of anything you like using wscript. And that's present in XP - a 9-year-old operating system with millions of deployments, Server 2003 and probably a lot of others using non-ancient versions of IE, WMP, etc.
Stop whinging Microsoft, and fix this crap. That's been in the OS that millions of people used for **years**, after all your patching and service packs, and you never even spotted it, even when you were the only people with the code to the damn thing. I'm not saying it's easy or you should find everything, but FFS - the problems there just show crappy programming and patchwork all the way to the OS core. That "defer" thing just REEKS of someone saying "But I need a way to bodge this...". Whether it's responsible disclosure or not - fix it first, whinge about their methods later. Where's my response saying when you'll fix it? Where's the estimated patch release date? Where's the hotfix? When you've put those out, you can whinge about them being irresponsible with security. And then they can say "But we're one of your main competitors!" and laugh at you, the same way you would if one of your researchers found a major bug in Google's websites / OS / browser.
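The chain described in the comment above ends in an hcp:// link whose svr= parameter carries a <script defer> block, with the payload hidden behind unescape(); that is a concrete shape a content-filtering web proxy (the kind another poster mentions further down) can flag before the link reaches an XP client. The following is an added example in Python, not code from any poster, from Microsoft or from Google. It takes only the hcp:// URL layout from the command quoted in the thread; the proxy log lines, HTML fragment, client addresses and host names are constructed for the demonstration. It decodes percent- and entity-encoding in layers, because a naive substring search for "<script" misses a link that arrives double-encoded.

```python
"""Proxy-side check for Windows Help Center (hcp://) links carrying script.

Added example for this thread: flags hcp:// URLs whose query parameters
contain script markers, after undoing nested percent/entity encoding.
All sample data below is constructed, not captured traffic.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers that have no business inside a Help Center query parameter.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript:|\beval\s*\(|\bunescape\s*\(|\bwscript\b",
    re.IGNORECASE,
)

# An hcp:// reference inside a log line or an HTML attribute; it ends at
# whitespace or a double quote.
HCP_REF = re.compile(r'hcp://[^\s"]+', re.IGNORECASE)


def decode_layers(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent and HTML-entity encoding so
    that '%253Cscript' or '&lt;script' is compared as '<script'."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def assess_hcp_url(url: str) -> dict:
    """Classify one URL. 'flagged' lists (parameter, decoded value) pairs
    carrying script markers; empty means ordinary Help content."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "hcp":
        return {"hcp": False, "flagged": []}
    flagged = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_layers(raw)
        if SCRIPT_MARKERS.search(value):
            flagged.append((name, value))
    return {"hcp": True, "flagged": flagged}


def scan_text(text: str) -> list:
    """Return [(url, flagged_params)] for every suspicious hcp:// reference
    found in a proxy log line or an HTML body."""
    hits = []
    for match in HCP_REF.finditer(text):
        url = match.group(0)
        verdict = assess_hcp_url(url)
        if verdict["flagged"]:
            hits.append((url, verdict["flagged"]))
    return hits


def scan_log(lines) -> list:
    """Run scan_text over a sequence of log lines, keeping line numbers."""
    return [(n, url, flagged)
            for n, line in enumerate(lines, start=1)
            for url, flagged in scan_text(line)]


# Constructed proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "2010-06-10T09:12:01 10.0.0.7 GET http://intranet.example/help/index.htm 200",
    "2010-06-10T09:12:05 10.0.0.7 GET hcp://system/sysinfo/sysinfomain.htm 200",
    "2010-06-10T09:12:09 10.0.0.9 GET hcp://system/sysinfo/sysinfomain.htm"
    "?svr=%3Cscript%20defer%3Eeval(unescape('Run%2528%2522calc.exe%2522%2529'))"
    "%3C/script%3E 200",
    "2010-06-10T09:12:12 10.0.0.9 GET http://intranet.example/logo.png 200",
]

# Constructed HTML fragment of the kind a filtering proxy inspects; the link
# is double-encoded, so a plain substring check for '<script' misses it.
SAMPLE_HTML = (
    '<iframe src="hcp://system/sysinfo/sysinfomain.htm?svr=%253Cscript%2520defer'
    '%253Eeval(unescape(%2527Run%2528%2522calc.exe%2522%2529%2527))%253C/script%253E">'
    "</iframe>"
)

if __name__ == "__main__":
    for line_no, url, flagged in scan_log(SAMPLE_LOG):
        print(f"log line {line_no}: {url}")
        for name, value in flagged:
            print(f"  parameter {name!r} decodes to {value!r}")
    for url, flagged in scan_text(SAMPLE_HTML):
        print(f"html: {url} -> {flagged[0][0]} carries script")
```

The check is deliberately narrow: it only looks at hcp:// links and only at their query parameters, so benign Help Center links pass untouched. It is a stop-gap until a vendor patch, and, as the later comment about proxies notes, it sees nothing inside HTTPS unless the proxy terminates TLS.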
Actually, if the manufacturer doesn't fix it by that time, maybe you're doing more harm if you help them hide the vulnerability. Now people at least know it's there, and maybe even fix it, or at least work around it.
If he didn't disclose, what would be the chances no one else found out about this same vulnerability? Well, some cracker could eventually find this and do bad things...
Except for script kiddies, XP is not less secure than it was before the disclosure; it's only the false belief of security that loses.
Maybe this is indeed part of a war, but it's less than a Microsoft vs. Google war and more of a Security Through Obscurity vs. No Obscurity war.
Except he doesn't give 5 days. This guy minimizes the amount of time Microsoft has to respond to the issue while trying to stay in the 5 day window.
This just shows how dirty the IT fighting has become ( not that it was ever civil ). And as many have pointed out, even if you don't like Microsoft this affects the XP and 2003 Server users the most.
You might want to pick a subject you know a little about before pontificating. Tavis Ormandy has reported dozens of critical security vulnerabilities to Microsoft and others. Just search for "Tavis Ormandy Windows kernel vulnerability" to get some of his top finds. And in these previous cases you can compare the report and disclosure dates to see that he's waited several months, or in some cases more than a year for the patch release. If you actually read Tavis' disclosure and note the trivial nature of this bug, you'll see that he just got sick of waiting on Microsoft's extremely long fix pipeline, and chose this as an opportunity to push back.
Now, I'm not saying I agree with Tavis' actions here, but the actual situation bears no resemblance to your uninformed framing.
Sorry, but did you read the article? He got an immediate response.
This guy is clearly trying to meet the 5 day minimum only. Who reports a bug on a Saturday, then goes public first thing the morning of the 5th day?
Does Google Have a Double Standard on Full Disclosure?
This issue has absolutely nothing to do with Google. Google has a strict policy that what you do on your own time and dime is yours. That's why they have a lot of really good security people there who all conduct independent research that's completely unaffiliated with Google. So, to be very clear, Tavis did this entirely on his own. MS mis-framing it as Google (and Slashdot buying it hook line and sinker) is just a smokescreen. Sorry, but you've been suckered.
Do this AFTER you release Chrom[ium] OS. Then users have something to defect to...
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
And yet how many times has microsoft "fixed" a vulnerability by band-aiding over *one* instance of an exploit while leaving many other related attack vectors wide open?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Huh what now?
That's one very clever Thursday to go publishing attack code. And, even better, it appears to be a special Google Engineer flavour of one!
I was not bothered at all because I do not use Microsoft products and have not for 14 years.
You're right; the deadline has nothing to do with it. Anyone has every right to publicly release exploit information as soon as he or she discovers it, without informing anyone in advance.
As a practical matter, the policy your post implies -- that one should never publicly release exploit information -- has been tried. It usually results in the bug simply not being fixed.
/*
You can test this with a command like so (assuming a recent IE):
C:\> ver
Microsoft Windows XP [Version 5.1.2600]
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script
defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
*/
So that did nothing for me, even with no recent updates in weeks.
Could this mean that when Firefox is set as the default browser and IE is old and unused, this bug is ineffective? I don't think I've used IE in at least 5 years.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
I find it very hard to generate much sympathy for MSFT.
Gee, someone played a dirty trick on them.
While it wasn't nice of Google , I hope they don't stop.
Lots of focus on the badness of applying the hotfix... granted this is a valid concern, but what gets broken by issuing an advisory about the bug? It's not like Microsoft never had a security advisory issued before about some obscure "feature" no one uses.
A vulnerability that existed before the universe existed.
i'll complete it.
7) ???
8) Profit!
Wealth is the gift that keeps on giving.
Your anti-MS post has been duly noted and your AMS points now stand at 1500. 100 more points and you're eligible for the full-size Bill Gates as Borg poster.
Sure, it may have been a little childish to release the information.
His stated reason of 'forcing Microsoft to fix it' as they would 'otherwise ignore it' is hard for me to disagree with; however, it's nice to see MS get served. Perhaps if this happened often enough they'd start releasing better software, although Win 7 so far seems to be showing they are moving in that direction.
Also, he did release a patch with it, and the real question to me is if he knew his patch was flawed or not. As a software developer, I'm willing to give him the benefit of the doubt on that one.
I like the idea of using zero-days to put developers under the gun for their mistakes.
"lt;dr" is the correct response to most of my posts.
Spot on. It seems like the main reason he released the details of this so quickly is that he's reported issues and exploits in the past which have gone unfixed for many months. A company with such a bad reputation for exactly this kind of thing should be going out of their way to make sure exploits are reported to them immediately, and that they let the reporters know what an important job they're doing and how MS are handling the situation. Sometimes I get the impression MS are actually happy with their reputation for lax security - it wouldn't surprise me to learn that they did a cost/benefit analysis of being seen as insecure (and losing some sales because of that) vs. spending money to be seen as secure (and gaining sales accordingly) and just came to the conclusion, "screw it, it's not worth the money".
Please, get over yourself.
... able to issue a simple SELinux profile fix, the same day, that slapped the exploit around the room like a silly little girl, and also fix the kernel and put it out in the repositories the next day, and ... what? Microsoft doesn't have any SELinux like protection mechanism?? Updates take a MONTH or more???
Probably not the orange you wanted to compare to his apple. He wasn't saying that it having been there for years was the issue, but that them not being able to rapidly roll out protections or a fix is the issue. 5 days is an eternity.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
"Would've" might sound like "would of", but as the ve indicate, it is a contraction for WOULD HAVE.
More importantly, it makes sense for someone TO HAVE DONE something.
It does not make sense for someone TO OF DONE something.
Is this an exploit that Norton Antivirus (for example) is unable to protect you from? So, for persons with antivirus software and internet security software, do they still need to be afraid of injected malware without being detected? I doubt it.
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
And yet how many times has microsoft "fixed" a vulnerability by band-aiding over *one* instance of an exploit while leaving many other related attack vectors wide open?
As far as I know, zero.
Why don't you put your money where your mouth is and show otherwise?
Comment of the year
You assumed incorrectly.
If you mod me down, I shall become more powerful than you could possibly imagine.
The book you point out is based on the principle that you can't accelerate a project by throwing more people at it, because:
- these newcomers will need to get trained (takes lots of time and resources and slows down the rest of the veteran team, who now have to train in addition to develop)
- the bigger the group, the bigger the communication problems.
What we wanted to point out is that, as a seller of paid-for software who has significant monetary resources (and who regularly points out in its marketing material that paid-for software is supposed to have better support because it is paid for), Microsoft probably already has a huge team with lots of man-power, already trained for their job, and already using a more or less efficient communication method. These teams *should* have the resources to analyse the threat and respond accordingly, especially given the fact that the bug is not only well documented, but that the guy even provided his own fix as an example. They *should* have been able to analyse and test this and deploy an official fix within 5 days.
We are not advocating hiring more coders (which would have failed due to the man-month problems). We are wondering why Microsoft didn't put to work the teams THEY ALREADY HAD and which ARE SUPPOSED TO DO EXACTLY THAT (which should theoretically succeed, given that these teams are supposed to be good at that work).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Just because your arbitrary deadline has passed does not give you the right to aid others in harming other people's computers.
MS created the bug, not the google researcher. He gave them five days to fix it. Who knows how long this bug has been letting hackers attack your system? Five days is long enough to fix it. MS just didn't take it seriously.
Unless you are running a well-designed web proxy that filters active content, chances are pretty high that someone has already created an undetected piece of malware for targeted attacks. The heuristic detection of anti-virus products is obviously beatable because otherwise the vendors wouldn't need to update any malware signatures. Malware heuristics have to work in a rather conservative way if you don't want to get false positives all the time. Quite a number of useful applications share characteristics with viruses or malware.
1. Copy protection & DRM schemes:
Copy protection is probably the most vicious "useful" software that doesn't trigger anti-virus heuristics. Some of those programs lurk deep inside the operating system, using drivers, encrypted binaries, self-modifying code, anti-debugging techniques.
2. Debuggers - can attach themselves to running programs, modifying data & code.
3. Game recorders. 3D video recording software "injects" code into the running game executable or hooks system calls to intercept OpenGL/DirectX rendering functions. Malware might attach itself to a Windows system process using the same or similar techniques.
As you, as an anti-virus vendor, don't want to annoy users with false positives on any of the aforementioned applications, it becomes clear that there are most likely a lot of ways to circumvent the heuristics.
--
Not related to your post but the topic:
I for one know about one large corporation that still uses thousands of Windows XP(-32) machines with Internet Explorer as the only allowed browser. They do force all traffic through a web proxy that filters quite aggressively but naturally leaves all HTTPS traffic unchecked. Once you know what anti-virus solution they're using, NOD32 in this particular case, it's most likely very easy to get into their network until Microsoft publishes a fix for this problem.