Slashdot Mirror
Google Researcher Issues How-To On Attacking XP
theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
exploits a zero-day vulnerability
Zero-Day would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.
My work here is dung.
The classic "selling cheap weapons to the neighbouring country".
You can use it too. Instead of smearing your competitor for a raise, give his secrets to one of his subordinates.
He waited five days without even receiving a response from MS. I'd have done the same thing he did.
...leverage a flaw in Windows' Help and Support Center...
This service is turned off be default on all systems I manage both as part of initial installation; and where possible by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.
Every mans' island needs an ocean; choose your ocean carefully.
Quick, someone make an exploit that installs IE8 or Chrome.
"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.
My work here is dung.
If he has only given five days before releasing it into the wile he is recklessly irresponsible. It just shows a person can be intelligent one way and a complete eejit in another. Could he be sued for this by someone who gets infected?
thou discernest my thoughts from afar
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
I don't know about that. MS could have really used this to their advantage - 'We praise Google in finding and releasing this exploit of our windows XP OS. This is just another example of why everyone should transition to Windows 7. Insert fancy marketing for windows 7'
I'd also argue that anyone still using windows really should upgrade to a more modern OS and Google was just trying to put XP out of its misery. Sometimes you have to do harm to not do evil, like cutting off a leg to save a life.
"God is a comedian playing to an audience too afraid to laugh. " -Voltaire
I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with close sourced software. So the industry decided that 5-7 days after letting a vendor know about a problem that everyone would release the information so that everyone would know about rather than just the bad guys and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.
Seem like this is just standard timing since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend manpower and money required to fix program bugs. They more want to fix them when they get around to having the free time a few months later to fix the bugs. After all bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing. "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.
The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.
If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you don't want to be bothered to fixed, in a timely manner historically.
Now I can protect myself against this exploit. 5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on. Monthly update cycles are too slow.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
What?? Given Microsoft's history of fixing their bugs, I would of released it as a 0-day instead of a 5-day! Google's just doing everybody a favor. Looks at all the other companies that are afraid of angering MS. Don't forget that Google's recent security breach is directly because of MS products.
:. Ultimate Control Dedicated/VM Servers
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
Yeah yeah. Apart from the the guy not actually doing this as a Google employee;
"Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself."
And the fact that Google, Apple and everyone else have got a long way to go before they approach the utter moral bankruptcy required for the likes of the Halloween documents, the derailment of OLPC, the ODF/OOXML fiasco and so on.
I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.
If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."
It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.
Boot Windows, Linux, and ESX over the network for free.
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
Did you RTFA? The Google engineer - who btw didn't use any indication that they are from google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing an (NON-ZERO DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix - I'd expect a company that derives Microsoft sized revenue from their OS to have someone readily available for these issues.
Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.
The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.
No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.
>Whatever it takes to damage Microsoft is okay with me.
This doesnt punish MS, it punishes end users and admins. Sadly, this fact doesnt matter to those who are just full of MS hate.
Sorry, but it seems that you are a little bit confused about the real cause. First of all, the blame lies on MS for creating the bug. Secondly, a responsible vendor should fix a security hole as quickly as possible, because security bugs are rarely discovered by a single person only. It is highly probable that the same bug is already being expoited by the black hat hackers in the wild. Five days is more than enough for the vast majority of security problems and delaying the fix is completely irresponsible. IMHO, MS should stop complaining and fix their processes instead.
In addition to that, it seems that MS has never replied to the researcher. Responsible vendors do that and they even cooperate with the researchers on the possible fixes. Most researchers treat such vendors very respectfully, but they hardly have any understanding for vendors who expect that they can delay security fixes for months and ignore the input from the security community.
I completely agree, it took the world about 1/2 a decade to catch up after the Amiga died.
Getting my first (very expensive ) Windows PC was the most depressing day of my life.
Now that most technology companies are working on Linux products I sense the computing dark age is coming to an end.
Its not just google, Dell seems to have woken up from the Matrix... (we just need all the rest of them to stop being farmed)
Dell: "Ubuntu is safer than Microsoft® Windows®"
It only punishes end users and admins in the short term. When these people are fed up with Microsoft, they will turn elsewhere, and then Microsoft will be hurt.
Um sure....
Bug exposes eight years of Linux kernel
It's a bit of a crappy and unreliable exploit to say the least.
For some reason, my up-to-date Opera on XP SP2 just executes VideoLAN to load a (non-existent) JPG instead of the supposed WMP execution -> vulnerability trick that IE is vulnerable to. VLC then just errors out because the hcp:// protocol is obviously nonsense to it. I assume my copy of VLC is somehow associated with opening unknown protocols in Opera.
And in the IE case, WMP executes and then ZoneAlarm (ancient version) pops up and asks if I want Windows Media Player to access the local network. Twice. If I Deny, nothing happens. If I allow (both times), Windows Help and Support Center opens and then another ZA popup asks me to give permission for that too (and that says "Internet" rather than local, which would be blocked by default). If I allow that too, I get a copy of Windows Help and Support Center with a search for the nonsense page and not much else. "Computer Information for \\eval(unescape('Run("calc.exe")'))" is what's literally written inside it, and calc doesn't execute.
My IE, WMP, ZA and Windows Updates on this machine are NOT up to date by any means. The only thing that's up-to-date is Opera. Nothing untoward would have happened under normal usage. So it seems of dubious use at best, it's not a particular killer of a vulnerability.
However, the technical analysis was quite interesting and the problem basically stems from shitty programming at every level - not checking return values that indicate failure, continuing on and then passing arbitrary (and unescaped) strings to other functions, a cross-site scripting error within the Windows Help internals (due to insufficient escaping of data), allowing script execution to happen again on dynamically-generated script code because someone tagged "defer" (a Microsoft-only invention) to a script tag, and finally a way to avoid a security-related prompt on versions of IE, Firefox and Chrome by hiding the very same code inside an iFrame / Object which executes WMP. It's like a catalogue of errors, some of which have been previously reported and well-known for ages. It's just crap all the way down to actual execution of anything you like using wscript. And that's present in XP - a 9-year-old operating system with millions of deployments, Server 2003 and probably a lot of others using non-ancient version of IE, WMP, etc.
Stop whinging Microsoft, and fix this crap. That's been in the OS that millions of people used for **years**, after all your patching and service packs, and you never even spotted it, even when you were the only people with the code to the damn thing. I'm not saying it's easy or you should find everything, but FFS - the problems there just show crappy programming and patchwork all the way to the OS core. That "defer" thing just REEKS of someone saying "But I need a way to bodge this...". Whether it's responsible disclosure or not - fix it first, whinge about their methods later. Where's my response saying when you'll fix it? Where's the estimated patch release date? Where's the hotfix? When you've put those out, you can whinge about them being irresponsible with security. And then they can say "But we're one of your main competitors!" and laugh at you, the same way you would if one of your researchers found a major bug in Google's websites / OS / browser.
Except he doesn't give 5 days. This guy minimizes the amount of time Microsoft has to respond to the issue while trying to stay in the 5 day window.
This just shows how dirty the IT fighting has become ( not that it was ever civil ). And as many have pointed out, even if you don't like Microsoft this affects the XP and 2003 Server users the most.
You are aware that said code was submitted to Microsoft by someone who works for what is currently Microsoft's biggest competitor, whom they are currently in a 3-front war with (Browser, Search Engine, Netbook OS)?
This is a moot point, though: Google could later claim copyright over said code and sue Microsoft over it. Something that doesn't apply to your fire analogy.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
You might want to pick a subject you know a little about before pontificating. Tavis Ormandy has reported dozens of critical security vulnerabilities to Microsoft and others. Just search for "Tavis Ormandy Windows kernel vulnerability" to get some of his top finds. And in these previous cases you can compare the report and disclosure dates to see that he's waited several months, or in some cases more than a year for the patch release. If you actually read Tavis' disclosure and note the trivial nature of this bug, you'll see that he just got sick of waiting on Microsoft's extremely long fix pipeline, and chose this as an opportunity to push back.
Now, I'm not saying I agree with Tavis' actions here, but the actual situation bears no resemblance to your uninformed framing.
Sorry, but did you read the article? He got an immediate response.
This guy is clearly trying to meet the 5 day minimum only. Who reports a bug on a Saturday, then goes public first thing the morning of the 5th day?
Does Google Have a Double Standard on Full Disclosure?
Do this AFTER you release Chrom[ium] OS. Then users have something to defect to...
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I don't think his managers approved his conduct. He doesn't believe in responsible disclosure, but it seems like Google as a company do. So I wouldn't be surprised if apology or termination would follow soon.
"Would've" might sound like "would of", but as the ve indicate, it is a contraction for WOULD HAVE.
More importantly, it makes sense for someone TO HAVE DONE something.
It does not make sense for someone TO OF DONE something.