Google Researcher Issues How-To On Attacking XP

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

I Don't Think Zero-Day Means What You Think

[eldavojohn]

exploits a zero-day vulnerability

Zero-Day would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.

Re:I Don't Think Zero-Day Means What You Think

we all know the bug have been around for years, a lot of people use it as their primary operating system

Negative.

He waited five days without even receiving a response from MS. I'd have done the same thing he did.

Just turn it off

[GaryOlson]

...leverage a flaw in Windows' Help and Support Center...

This service is turned off be default on all systems I manage both as part of initial installation; and where possible by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.

Industry Standard

[protektor]

I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with close sourced software. So the industry decided that 5-7 days after letting a vendor know about a problem that everyone would release the information so that everyone would know about rather than just the bad guys and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.

Seem like this is just standard timing since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend manpower and money required to fix program bugs. They more want to fix them when they get around to having the free time a few months later to fix the bugs. After all bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing. "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.

The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.

If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you don't want to be bothered to fixed, in a timely manner historically.

Re:Irresponsible

[axl917]

Could he be sued for this by someone who gets infected?

Don't be stupid. It isn't the messenger's fault.

Re:Do no evil

[iserlohn]

What?? Given Microsoft's history of fixing their bugs, I would of released it as a 0-day instead of a 5-day! Google's just doing everybody a favor. Looks at all the other companies that are afraid of angering MS. Don't forget that Google's recent security breach is directly because of MS products.

Re:Thanks Google

5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on.

You live in a dream world. Yes, 5 days is fine if you have a non-os product that isn't part of an ecosystem with millions of applications running on it. For example to patch something like a text editor - 5 days is probably enough. But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes. That would be stupid.

They did no evil

[keirre23hu]

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

Did you RTFA? The Google engineer - who btw didn't use any indication that they are from google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing an (NON-ZERO DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix - I'd expect a company that derives Microsoft sized revenue from their OS to have someone readily available for these issues.

Re:Do no evil

[gad_zuki!]

>Whatever it takes to damage Microsoft is okay with me.

This doesnt punish MS, it punishes end users and admins. Sadly, this fact doesnt matter to those who are just full of MS hate.

Re:Zero days notice

[drinkypoo]

I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

No, it's the time between public disclosure of the vulnerability and the time when the exploit is released. When you hear about it or when you see it is quite irrelevant.

It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

Yes, as demonstrated by your comment. Zero-day cracks are cracks which come out on the release date, and Zero-day exploits are exploits which exist in the wild (whether you have detected them or not) the same day as the disclosure.