Slashdot Mirror


Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

497 comments

  1. Dear Microsoft by QuantumG · · Score: 5, Insightful

    Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

    Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

    All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

    --
    How we know is more important than what we know.
    1. Re:Dear Microsoft by Entrope · · Score: 5, Insightful

      Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

    2. Re:Dear Microsoft by hedwards · · Score: 5, Interesting

      That's the thing, MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw, that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until patch Tuesday and hope that nobody notices till then.

    3. Re:Dear Microsoft by hedwards · · Score: 5, Informative

      If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

    4. Re:Dear Microsoft by LurkerXXX · · Score: 1

      I hope you realize Patch Tuesday wasn't Microsoft's idea. Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until the big corps pressured them into a monthly cycle to make the corps' in-house testing easier.

    5. Re:Dear Microsoft by hedwards · · Score: 5, Insightful

      Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finished, as in finished and having received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

      Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.

    6. Re:Dear Microsoft by Michael+Kristopeit · · Score: 0

      ... so he posted the flaw online.

      i'm pleased with him that he did.

    7. Re:Dear Microsoft by pyrbrand · · Score: 4, Informative

      You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'

      As far as pushing this to users automatically, people get angry when you break shit without asking them.
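
      The workaround the post describes, as an added example (this is not Microsoft's Fix it tool and not code from the article): a PowerShell script that audits whether the HCP protocol handler is registered and, on request, backs the key up and removes it. It assumes the handler lives under HKEY_CLASSES_ROOT\HCP, the normal location for a URL protocol handler; the backup path is an arbitrary choice. Run it from an elevated prompt.

```powershell
# Added example: audit / unregister the HCP protocol handler.
# Not Microsoft's Fix it and not from the article. Assumes the handler is
# registered at HKEY_CLASSES_ROOT\HCP. Needs an elevated prompt.

function Get-HcpHandlerState {
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    # shell\open\command holds the command line the browser launches
    # for an hcp: URL; its "(default)" value is what we want to see.
    $cmdKey = "$key\shell\open\command"
    $cmd = $null
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    [pscustomobject]@{ Registered = $true; Command = $cmd }
}

function Disable-HcpHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed backup location; any writable path will do.
        [string]$BackupPath = "$env:TEMP\HCP-handler-backup.reg"
    )

    $state = Get-HcpHandlerState
    if (-not $state.Registered) {
        Write-Output 'HCP protocol handler is not registered; nothing to do.'
        return
    }
    Write-Output "HCP handler is registered; command: $($state.Command)"

    # Export the key first so the handler can be restored once a real
    # fix ships (reg.exe import <backup file>).
    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\HCP', "export to $BackupPath")) {
        if (Test-Path $BackupPath) { Remove-Item -Path $BackupPath -Force }
        & reg.exe export 'HKCR\HCP' $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }
    }

    # Deleting the key is what "unregister the HCP protocol" means in
    # practice: the browser no longer has anything to hand hcp: URLs to.
    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\HCP', 'delete key')) {
        Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\HCP' -Recurse -Force
        Write-Output 'HCP protocol handler removed.'
    }
}

# Dry run first (shows what would be exported and deleted), then for real:
Disable-HcpHandler -WhatIf
# Disable-HcpHandler
```

      Because the function supports -WhatIf, it can be pushed through a normal change process: the dry run goes into the ticket, the real run follows once the export location is agreed. Get-HcpHandlerState on its own is enough for an inventory pass across machines to see which ones still have the handler registered.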

    8. Re:Dear Microsoft by powerspike · · Score: 1

      Whether it's their idea or not, it's a horrible idea

      But at the end of the day, if the customers ask for it, you give it to them. I have worked in corp land, and honestly I can fully understand it, having to do full testing cycles to ensure it won't impact on current workflows, take workstations offline or software used by the staff. Depending on the amount of software / image types you have, this can take 1-2 weeks; having to start a testing cycle every day increases the man hours needed to insane amounts. In the end, with a cycle like that, patches that aren't considered highly critical are ignored, and that just makes the problems even worse in the long run.

    9. Re:Dear Microsoft by dragonsomnolent · · Score: 1

      Actually, MS has a nice thing called Microsoft Supplemental Update Services (basically allowed admins to set up a server to act as a local repository for all things MS Patch related). Having set up a few in my time, it was really handy for testing on small groups (I actually had set it up to do initial pushes to techs and sys admins first, then IT department, and wouldn't authorize patches for everyone else until I was satisfied that the patches wouldn't bork everything). It was also nice since you could download all the patches to a local server and not eat up your bandwidth when everyone came into work and powered their computers on (we had updates set to run overnight, but since nobody ever bothered doing that, our bandwidth would get all eaten up by machines powering up and fetching updates). Anyway, I digress, simple fact is that the program exists, and is free even.

      --
      I got nuthin
    10. Re:Dear Microsoft by totally+bogus+dude · · Score: 1

      Well they do have a tool to allow corporations to decide when to push patches - WSUS. And any organisation large or savvy enough to be testing patches before deploying them to workstations is going to be using it.

      I think the reason for the Patch Tuesday release is to avoid disclosing the vulnerability to all and sundry. Otherwise, if the company doesn't want to / cannot test and deploy patches whenever they get released, there's going to be a period of time during which they have a vulnerability which is not only known, but attackers have the fix for it and can determine exactly what was changed to close it, thus making it very easy to generate an exploit for it.

      Microsoft do occasionally release out-of-cycle patches for severe issues that are being actively exploited, so it's not as if they stick rigidly to the cycle even when it's clearly doing more harm than good.

    11. Re:Dear Microsoft by QuantumG · · Score: 1

      huh? it's a security flaw that is being exploited in the wild.. pushing out hotfixes for stuff like that is what Windows Update is for.

      --
      How we know is more important than what we know.
    12. Re:Dear Microsoft by LurkerXXX · · Score: 1

      I think you are missing the reasoning. They already have a tool for it. WSUS server. It works great and they can roll out whatever patches they want, whenever they want, easily.

      A big corp may have thousands of in-house apps, or specialty apps. They need to test those against any new patches MS rolls out so the new patch doesn't break critical things and cause them mega dollars in downtime. If MS releases a patch Monday they start up their testing scheme, which may take a few weeks to run if they have thousands of apps. If MS releases another patch on Thursday (my Ubuntu boxes have patches constantly released, so it's not unreasonable), they have to start the whole cycle again, or have a second line of testing machines with another testing team running them. If MS releases patches every few days for their OS and apps, they'd need to have a dozen or more teams of testers and equipment, which is a ton of money.

      And they can't exactly just hold off on testing the patches until the first cycle is done. As soon as MS releases the patch, the bad guys immediately begin reverse engineering it to find out what it was they fixed. Then they make an exploit to take advantage of it and start hitting the net with it. Holding testing after the patches are released exposes them hugely to those security holes.

    13. Re:Dear Microsoft by ArbitraryDescriptor · · Score: 3, Insightful

      Whether it's their idea or not, it's a horrible idea

      But at the end of the day, if the customers ask for it, you give it to them.

      But like he said, just give them a tool that queues up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them; holding back grandma's critical updates likely does more harm than good.

    14. Re:Dear Microsoft by tsm_sf · · Score: 1

      What's the difference between waiting a week in-house and waiting a week for Microsoft?

      --
      Literalism isn't a form of humor, it's you being irritating.
    15. Re:Dear Microsoft by Anonymous Coward · · Score: 3, Informative

      Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to a month's worth of public security holes.

    16. Re:Dear Microsoft by Anonymous Coward · · Score: 1, Informative

      Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

      Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

      All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

      you mean like here:

      http://support.microsoft.com/kb/2219475

    17. Re:Dear Microsoft by westlake · · Score: 2, Insightful

      Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

      Easy to say.

      But Win XP has a global market share of 63%. Something like 500 million users - at all skill levels.

      What happens to them when you disable part of the help system?

    18. Re:Dear Microsoft by c0lo · · Score: 2, Interesting

      Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until they the big corps pressured them into a monthly cycle to make the corps in house testing easier.

      Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? Customers are also to blame because applying a security patch requires a reboot.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    19. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      We sit back and enjoy the hilarity that ensues.

    20. Re:Dear Microsoft by oiron · · Score: 1

      Considering the number of times we have to say RTFM to people, not much apparently...

    21. Re:Dear Microsoft by cbiltcliffe · · Score: 5, Insightful

      But that's their choice.
      If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

      Everybody else should have the option of installing the updates as soon as they're finished.

      But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:Dear Microsoft by micheas · · Score: 1

      Or they could automate their testing a little bit more and get a 48 hour turnaround or so.

      They could also re-evaluate the ROI of using Microsoft based products, and budget the proper amount for QA.

    23. Re:Dear Microsoft by QuantumG · · Score: 1

      Huh? You don't need to be able to type hcp:// into your browser to get at help files.

      --
      How we know is more important than what we know.
    24. Re:Dear Microsoft by williamhb · · Score: 3, Insightful

      If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

      If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

    25. Re:Dear Microsoft by b4dc0d3r · · Score: 3, Interesting

      I can tell you've been in corp land.

      1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
      2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
      3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
      4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.

      So overall, you would rather Microsoft hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.

      I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.

      And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

    26. Re:Dear Microsoft by Xacid · · Score: 1

      "Holding back patches for known flaws is ultimately irresponsible behavior."

      Wait...did you just say that?

    27. Re:Dear Microsoft by DavidRawling · · Score: 0, Flamebait

      And may I ask, how many people does your multi-billion dollar corporation have sitting around to run full regression tests on the 400 applications you run in house? And how long do regression tests take (simply put, sometimes it's more than a day).

      So 300 people in the fictitious org are continually testing and retesting the same apps, day in and day out (because even an automated test tool takes time to set up, monitor and interpret, assuming it's even AVAILABLE for Application X). And some of them don't even finish a test cycle before there is a new patch and everyone starts over again.

      In the worst case scenario, the organisation can never patch up to date.

      On the flip side, what if a bad patch is released (e.g. one that causes a normal system to blue-screen)? MS has 100 million home users who auto install patches; so now 10M or more are broken. Alternatively, as currently, the early adopters test before patch Tuesday and by the day of release, there's at least SOME confidence in the patches.

      Actually I've got an idea. What Linux or BSD distro are you running? Do you update sources to the bleeding edge every night and rebuild the system from sources? Do you just assume everything will work? If you do, you already know stuff breaks. If you don't, STFU and stop blaming the cautious among us.

    28. Re:Dear Microsoft by james.mcarthur · · Score: 1

      Do you update sources to the bleeding edge every night and rebuild the system from sources?

      Of course I do, I run Gentoo unstable.

    29. Re:Dear Microsoft by recoiledsnake · · Score: 4, Insightful

      The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately. Hence it's better to release the patches as a bundle on a single day.

      --
      This space for rent.
    30. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      What happens to them when you disable part of the help system?

      People don't get infected. What's your point?

    31. Re:Dear Microsoft by logjon · · Score: 0

      There's already a microsoft 'fixit' that does exactly that.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    32. Re:Dear Microsoft by avxo · · Score: 0, Redundant

      LOL... Everything is Microsoft's fault. Sure enough this must be Slashdot. Perhaps Microsoft doesn't issue patches as fast you'd like -- or as fast they could -- but that doesn't detract from the fact that Tavis' behavior in this situation was completely irresponsible.

    33. Re:Dear Microsoft by guruevi · · Score: 5, Interesting

      Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

      Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    34. Re:Dear Microsoft by tlhIngan · · Score: 1

      Yes, it's the customers' fault that even the MS patches can be buggy, isn't it?

      Yes, sometimes it is. Remember that patch a few months ago that bluescreened a bunch of PCs?

      Turned out, those PCs were infected with a rootkit. The rootkit had a bug that relied on symbols not moving around in DLLs, and one of those DLLs was updated by the patch.

      Microsoft was forced to recall the patch and release an update that supported the rootkit.

    35. Re:Dear Microsoft by BitZtream · · Score: 2, Insightful

      Oh, that makes it okay then!

      This kind of behavior is childish at best, but in my opinion borders on criminal.

      This bullshit 'oh their security sucks and they are slow' crap is just a battle cry of the ignorant.

      Patches need to be thought out, tested and deployed safely.

      I realize you probably don't understand what it's like to manage a network of computers that actually has to work reliably rather than be running the latest bleeding edge, just released 20 minutes ago software.

      If they 'fix the bug' and break mission critical apps for enough people it's effectively worse than being exploited in many cases.

      As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.

      There really is no good reason for public disclosure before an exploit is fixed; saying you're doing it to force their hand is just a different way of saying 'I want attention for making them look bad'. It really doesn't impress anyone outside of slashdot and the like.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    36. Re:Dear Microsoft by jvillain · · Score: 1

      Doesn't that really depend on how likely he thought it was that some one else would or had found the flaw. If I have a boat load of servers that are vulnerable and I think there is a good chance some one else has come across the exploit then where is the incentive for me to leave my servers vulnerable for another 60 days once the vendor has already given me the finger? I want the fix as soon as possible.

    37. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      You're still missing the point. If Microsoft queues up the patches, everyone's still secure. Microsoft does occasionally release out-of-cycle patches to address serious, publicly-known vulnerabilities. But most exploits are written from their patches.

    38. Re:Dear Microsoft by BitZtream · · Score: 1

      holding back grandma's critical updates likely does more harm than good

      Until it makes her PC unbootable.

      I'm guessing you've never actually managed a network or series of machines that needs to be reliable.

      Sure, an unbootable/crashing machine may be secure, but it's worthless.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    39. Re:Dear Microsoft by AK+Marc · · Score: 2, Informative

      Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

      He says "I found a critical flaw, when will you fix it?" "Fuck you." "No really, how about 60 days? All you have to do is disable the feature in one of the two patch cycles if you can't actually fix it in that time." "Fuck you." "Hmm, well, will you work with me at all on this?" "Fuck you." Released to the wild.

      How would you handle it? What do you do when you've found problems before and they don't get fixes for a long time, then you find another and you try to get some commitment of when it will be fixed? He knows that if he found it, someone else may already be exploiting it. If Microsoft won't protect their customers by releasing the patch, he'll force them to work faster and it will get the word out to people that they can disable the feature and be more secure.

    40. Re:Dear Microsoft by Cwix · · Score: 1

      Sometimes the best way to secure a windows box is to make it unbootable...

      Disclaimer to fanbois.. this was just a joke.

      --
      You are entitled to your own opinions, not your own facts.
    41. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      Sure, that's what was said already:
      it is the customers' fault they are using an OS which is so secure a trojan (nay.. a buggy trojan) could be installed in the first place.

      The comment is meant to be ironic. But I won't take my chances with the /. moderation system, thus ... cowardly posting for the moment.

    42. Re:Dear Microsoft by micheas · · Score: 1

      Actually I've got an idea. What Linux or BSD distro are you running? Do you update sources to the bleeding edge every night and rebuild the system from sources? Do you just assume everything will work? If you do, you already know stuff breaks. If you don't, STFU and stop blaming the cautious among us.

      IIRC E*Trade updates gentoo about three times a week, and QA's the entire system. (the website is an internal gentoo package)

      Why would you have to set up a build system for a new patch? Shouldn't you be able to use the existing QA system and just add the patch to the beginning of the process and re-run the existing build/QA/deploy process?

      The problem is that many of the "cautious" types never set up a proper QA system and cannot rebuild their systems from scratch in an automated way, much less auto build, QA, and deploy.

      Sorry for the rant, I've just seen too many messes and been around too many organizations that were unwilling to pay a penny for reproducibility.

    43. Re:Dear Microsoft by shutdown+-p+now · · Score: 2, Informative

      As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.

      However you feel about the action, it was done by a specific Google employee, not by Google as a company. So far as I know, Google itself has not taken any official stance on it, and did not back the disclosure. So let's not get into conspiracy theories here.

    44. Re:Dear Microsoft by Your.Master · · Score: 4, Informative

      That's not at all what happened. What happened was:

      Tavis: "I found a critical flaw, will you fix it in 60 days?"
      Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday"
      Tavis: "Not good enough". Released to the wild.

      Cite: TFA.

    45. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      You sound like an idiot.

      The only way to make an OS where a Trojan cannot be installed (buggy or not), is to make an OS where software cannot be installed. The next best thing is to review & sign all software that goes on the OS (eg. iPhone, Xbox). An open platform cannot be secured against Trojans; it's antithetical to the concept.

    46. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

      MS apparently wasn't keen on giving Ormandy a legal commitment within 5 days.
      I would expect that the people at MS who fix the bugs are not allowed to make any legal commitment.
      Only MS lawyers are allowed to make any legal commitment.

      I would also expect that Ormandy himself is not allowed to sign any legal contract on behalf of Google. Probably he also won't be able to get Google's lawyers to sign any legal contract within a day or two.

      Thus I wonder what he is thinking.

    47. Re:Dear Microsoft by victorhooi · · Score: 1, Interesting

      heya,

      Silly little man.

      Look, full-disclosure has already been proven to be the method that works. Security through obscurity does not. Because what you're essentially saying here is "shhh....there's a flaw, but let's hope we're the only guys in the world that know about it"....oh please...how naive you are.

      Google has already been burnt just recently by Microsoft's shonky security. So in this case, they were probably thinking, gee, whiz, we're about to get hit again...

      Because chances are, if Ormandy found it, somebody else probably did as well. I mean, there are people *actively* looking for these bugs, and hoping to maliciously exploit them. At least this way, people know about it, and can protect themselves - either by shutting down the affected service until Microsoft gets out a patch, or at least staying sharp (e.g. checking logs) for anything that exploits it.

      Doesn't the fact this exploit was found actually prove the point, that full-disclosure works? I guarantee you, the clowns at Sophos probably wouldn't have found this without the heads-up from Ormandy on the issue.

      Cheers,
      Victor

    48. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

      Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

      All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

      That suggested approach does not work.
      I remember a particular hotfix (on non-MS software) that worked exactly like that, disable the functionality that had the security issue.
      The only problem: it turned out that the first login to that software after a system reboot depended on exactly that functionality.

      No, you cannot simply release a hotfix that disables something. You must run a full test cycle before you release a fix. Especially for any security fix - those are more likely than other fixes to break something essential.

    49. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      As far as pushing this to users automatically, people get angry when you break shit without asking them.

      Exactly. People get angry when Microsoft sells them products with zero-day exploits. What you said.
      Mod Graham Cluley up. Mod parent down. Mod Microsoft to zero.

    50. Re:Dear Microsoft by bheer · · Score: 1

      > Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

      There's one already, but it won't be delivered via Windows Update, users must opt in: On this page look for the Fixit Link ( http://go.microsoft.com/?linkid=9735564 ) The problem is that switching off a feature without fully testing repercussions -- which is what would happen if this was pushed out via Windows Update -- is not good and can cause other things to break.

    51. Re:Dear Microsoft by Eskarel · · Score: 1

      Because some people (admittedly not very many) actually use HCP.

    52. Re:Dear Microsoft by Anonymous Coward · · Score: 1, Funny

      But this is mickeysoft. Journalism has been giving them a bye for decades. It's *NEVER* their fault.
        EXAMPLES: It's the virus writers' fault that viruses attack the software. If Linux were as popular, it would have viruses too. If people wouldn't publish these zero day exploits, then all the problems would go away. Can't we all just learn to get along? It's the internet's fault. If you didn't plug into the internets, there would be no viruses. People are just picking on microsoft. People should pick on Linux and those others too. Linux and Mac get more viruses than microsoft, they only talk about viruses in the press because microsoft is so popular.
      /EXAMPLES
        And with that, all the fanboidom can achieve a zombie state. In the meantime (as a Linux user who hasn't seen a virus in 15 years, has no anti-virus software on my computer, and has been plugged into the net all that time (and no sparky, I'm not infected, my computer screams speed and doesn't do anything funky)) I can only watch in disbelief as people attempt self-hypnosis and delusion.

    53. Re:Dear Microsoft by QuantumG · · Score: 1

      I don't think you guys get what the bug is.... in Internet Explorer you can enter a special url that can open help files and run scripts which can contain commands to execute arbitrary code. The solution is trivial: disable the crud in IE that does that. If that's too hard, disable the service which passes the request from IE to the help file launcher. If that's too hard, disable the arbitrary code execution from help files (fucking duh!).

      --
      How we know is more important than what we know.
    54. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finished, as in finished and having received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

      Once you release a patch or a hotfix, the bad guys will analyze your changes, and identify the security flaw from there.
      The bad guys then will try to exploit it.

      That implies several things:
      1.) Once you release a security fix, you must release the security fix for all affected platforms within 24 hours
      2.) Once the security fix is released, anybody potentially affected by the issue must install the fix very soon.

      No, it is not feasible for corporate clients to install the fixes on a monthly basis if MS releases them in a non-scheduled way.
      That would leave the corporate clients vulnerable to a public exploit for several weeks.

      There is another angle not mentioned in the discussion thus far: MS have to inform US government agencies about any such changes
      o so that US government agencies can harden their own systems before the exploit becomes public knowledge
      o so that they can prepare to use different exploits

    55. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      > Hence it's better to release the patches as a bundle on a single day.

      Better for whom? Better for corporations who don't want to spend a lot on supporting Microsoft's insecure software. But certainly not better for average users who want a patch when it comes out.

      For whatever it's worth, I disabled the damned control immediately after this became public.

    56. Re:Dear Microsoft by Eskarel · · Score: 1

      The help system in Windows XP is for all intents and purposes IE; remember that XP is old enough that it was made during the period where Microsoft were obsessed with making everything part of the core OS.

    57. Re:Dear Microsoft by xenobyte · · Score: 1, Insightful

      I agree 100%!

      Back in 'Computer Science 101' we spent a lot of time doing 'internal testing' and 'external testing' of our programs. When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do, nothing more, nothing less. Every bound is checked, every possible input is tested, every loop, every condition. No overflow, no malformed input, no nothing can make the program do anything not handled in the code. You can actually learn to code in order to make these perfect programs.

      But this requires basic CS knowledge as well as a lot of time... I guess Microsoft either don't have the knowledge or just don't care enough to allocate the time. The tools are there. The choice is theirs. Now, when they don't care, it's only fair that we don't care either. They write buggy software by choice and thus they have to fix the problems when they are discovered. A thorough testing using the source code would have revealed all problems, but they chose to let the customers do trial and error testing through daily use instead. Highly inefficient and an open invitation to all malware creators to do their evil deeds in an eternal arms race, leaving the regular users as the big time losers, risking all sorts of bad things whenever they use Microsoft's product.

      The only way to pressure Microsoft to do better is to give them very little time to fix errors once they're found. The moral being that they should have written the solid code from the beginning. They chose to postpone the fixing to a later date when problems were revealed so they better do that. Five days to fix a fairly simple problem like that is more than reasonable, now that they gave us the defective code to begin with.

      I just don't see the problem in quick fixes. If the fix breaks a few rare systems here and there, just have these people remove it again, awaiting an updated fix. Microsoft will probably know what's wrong by the time the problems are reported anyway and then they just fix the fix. In the meantime everybody else has been secured for several days. That's the better way.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    58. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      then the 5 people who actually use it have to do a little more effort to get to it now

    59. Re:Dear Microsoft by Posting=!Working · · Score: 1

      But at the end of the day, if the customers ask for it, you give it to them.

      Like WGA, right?

      I'm sorry, but this is Microsoft we're talking about. They have no problem shoving unpopular crap that no one wants into the OS. People have asked them for actual security for over a decade, and their response has mainly been that you should buy antivirus software from another vendor. Explorer is a joke, it's complete crap as a file handler and worse as an internet browser, customers have asked for it to be removed from day 1, but they don't give it to them. 12 years of a preloaded security nightmare is in no way, shape or form, giving customers what they ask for.

      --
      This sentence no verb.
    60. Re:Dear Microsoft by dissy · · Score: 0, Troll

      The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately.

      Naa, those guys are just script kiddies. They are annoying, but anyone on their toes will not actually be bothered by them.

      The REAL bad guys have been using holes such as this SINCE DAY ONE as one of many tools to gain access to any XP or newer system.
      The real bad guys do not share such information with each other, let alone anyone else. There is little to no opportunity for any of us to defend against these people.

      Today they have one less tool for unfettered access on the world's systems, and you think this is a bad thing because some script kiddies will now be using an attack you can defend against?

      To the rest of us, this means keeping everyone out.
      If your biggest concern is the script kiddies however, then I fear for your network's security :(

    61. Re:Dear Microsoft by rtfa-troll · · Score: 4, Informative

      Cite: TFA.

      Except you're lying. TFA, which I've actually read, has only this to say:

      "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"

      Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given.

      "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

      Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

      So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    62. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      I run a tiny Windows shop (with a peppering of Linux usage here and there).

      No funding for testing of any sort for such things. Zero. (Yes, this makes my life hell often.)

      Windows updates however would never be the problem.
      WSUS server (free from MS) lets you point all the machines in your domain to the WSUS server for updates, and that server checks Microsoft's daily.

      Not a single hotfix or update gets through until I approve it.

      Some servers, like the NAS that are firewalled and only have the various file sharing services exposed, do not often get updates. These machines can not reboot easily, as in there are many tens of others that depend on them and must be shut down first.
      As bad practice as it is, I very rarely apply security updates to these machines. The bug would need to involve one of the exposed services to grab my attention, anything else waits till the once-a-year maintenance window. Seriously, once a year.

      I control all of this myself with groups in WSUS server. Those storage servers never SEE updates until I say so. No annoying 'you have updates waiting!' boxes, reboot nags, nothing. I'll say again: once a year I do updates on those couple servers.

      There is NO excuse for Microsoft not to release updates daily. Those of us that it would bother at all will already not be affected. Daily or bi-monthly is the same to us when we have to manually approve updates anyway!

      Microsoft providing free update management tools, even if limited to only Microsoft updates, is still a much much better option than Microsoft delaying the world every two weeks.

      Have some consideration, run WSUS and let Microsoft release updates daily. Set your WSUS schedule to only check MS every two weeks. Stop hurting the rest of the world in the name of "companies won't stand for it" when 'it' has been solved with a much better solution.

    63. Re:Dear Microsoft by drsmithy · · Score: 1

      Also, customers are also to blame because applying a security patch requires a reboot.

      If a planned reboot disrupts services in a meaningful way, then your architecture is broken. This is true regardless of what OS you're running.

    64. Re:Dear Microsoft by Kalriath · · Score: 1

      Servers aren't vulnerable to Help and Support exploits. Microsoft ships Windows Server with the required services disabled.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    65. Re:Dear Microsoft by rtfa-troll · · Score: 1

      He did; he's even fundamentally right. Serious / important systems should not be reliant on one single security function. If there's a flaw in one vendor's authentication server that shouldn't be a problem. You just disable it and use the other vendor's one where you should have an up to date mirror of the data.

      Unfortunately we have got to a level where such functions are running on monocultures of operating systems such as Windows and even Linux which just aren't suitable for the job. This means that the vulnerability could do serious damage.

      However, we shouldn't forget who is to blame. It's not the security researcher. The people to blame are the ones who chose to rely on only Windows XP and don't have a backup. If their system isn't important they should just switch it off and wait for the fix. If their system is "important" then they must have it running on an operating system suitable for the job (e.g. VMS / z/OS / maybe OpenBSD or AIX / maybe RHEL in specific configurations) and should have a backup alternative install on a different secure operating system.

      Right now, there has been too much change too recently and the effects of Microsoft's monopoly destruction of its competitors in the 90s are too strongly felt for this to be a practical immediate goal for everybody. However we shouldn't lose track of where fault lies and who should be trying to deal with it. Ultimately this largely means Microsoft and their customers are to blame. If they get away with this irresponsibility without penalty or damage then there is no possibility for a market based solution to this and even a regulatory solution would be very difficult.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    66. Re:Dear Microsoft by LinuxAndLube · · Score: 2, Insightful

      When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do, nothing more, nothing less. Every bound is checked, every possible input is tested, every loop, every condition.

      You're being sarcastic, no? Even if the input consists of nothing more than a couple of integers, you cannot test all possible combinations. Besides, even if you had unlimited resources, you cannot get around the halting problem.

    67. Re:Dear Microsoft by dhavleak · · Score: 2, Insightful

      I think you're oversimplifying.

      On getting notified of the issue, MS would have to make an assessment -- how many systems have the feature, how often is this feature used, how complicated would it be to develop an exploit, is there currently an exploit in the wild, what is the result of the exploit (data loss, denial of service, admin access, etc.), are there any mitigating factors, how much time would it take to develop a fix, how much time would it take to test the fix, etc. Rolling back a second -- they first have to route the issue to the right people for making these evaluations. This would hold true for each and every single security issue that gets reported to them, or that they find themselves.

      Now consider that Ormandy's issue is not the first, last, or only security issue ever reported to them, or the only one they are currently working on. In fact, out of all the current issues they are working on, there might have been others with easier exploits or exploits already out in the wild, or affecting a larger number of people, or with worse implications. This is a big deal for sure -- but it's actually reasonable to believe that this wasn't the single most important, drop-everything-now, priority zero, severity zero security issue on MS's plate right now.

      That being the case, Ormandy should have gone through the 'system'. If, after 60 days, he didn't get a response he liked and then forced MS's hand, he would have had some semblance of a point. The way he acted, I can only conclude that he wanted his 15 minutes of fame, and he doesn't give two hoots about the people affected by his irresponsible behavior.

    68. Re:Dear Microsoft by Jah-Wren+Ryel · · Score: 1

      Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

      I'm a cynic, but I think we can count on there being at least a few three letter agencies that are aware of all these reported but unfixed problems. Given the way espionage works, I doubt they are all US agencies, or even just western ones - after all, since MS is not a government agency that database ain't classified so giving a copy to some foreign government is probably at worst a firing offense.

      --
      When information is power, privacy is freedom.
    69. Re:Dear Microsoft by c0lo · · Score: 1

      If a planned reboot disrupts services in a meaningful way, then your architecture is broken. This is true regardless of what OS you're running.

      If the OS running the architecture does not require a reboot after applying security patches, then I don't need to schedule for downtime... no matter how the architecture might be.
      Could it be that you haven't yet heard of the "just restart the service" approach or even hot-patching?

      --
      Questions raise, answers kill. Raise questions to stay alive.
    70. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      If you really want to draw a conclusion from the reverse engineering:

      You need to minimize the time between patch release and full deployment: Push a feed to announce the patch. Instead of waiting until a Tuesday to deploy it you can deploy it when it is finished. Overall reducing exposure.

    71. Re:Dear Microsoft by CyberDragon777 · · Score: 1

      Why is a patch that gets completed, tested and signed off on the (for example) 20th of a month and sits on some server till it is released next Patch Tuesday more secure/stable than one that gets released on the 20th?

      And if you are a business, use WSUS!

      --
      We both said a lot of things that you are going to regret.
    72. Re:Dear Microsoft by CarpetShark · · Score: 1

      Microsoft knew that they could spin this against Google if they just ignored it 'til Google's best-practice deadline was up. They knew that the uneducated public would then bite Google hard on their behalf.

      Fixed that for you.

    73. Re:Dear Microsoft by Xeleema · · Score: 1

      What happens to them when you disable part of the help system?

      They google "Windows Help"? (cue Ubuntu jokes in 5...4....3....2....)

      --
      "When I am king, you will be first against the wall..."
    74. Re:Dear Microsoft by L4t3r4lu5 · · Score: 1

      Patch Tuesday has a reason, and that reason is: Because the guys who run corporate networks want it that way.

      OOB patches for zero day exploits, for instance, mean that internal testing and compatibility assurance has to be done outside of the allotted time for such duties, which oddly enough is more than likely Wednesday morning. All of the patches required can be tested for compatibility with whatever custom or quirky features a particular corporate network may have, and rolled out at the same time, and it's out of the way. If there are patches which require downtime, then there is only one downtime per month, not several. That could be hundreds of thousands of dollars of business to some companies. Bear in mind that the patch is the last form of defense for most attacks to corporate networks; they have the upstream ISP's security services, their own in-house firewall and filtering / IDS, group policy restrictions, anti-malware software, and THEN the OS itself.

      Cite? Ed Gibson, MS Ex-Chief of Cyber Security at the Safer Internet Day conference Feb 2010.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    75. Re:Dear Microsoft by L4t3r4lu5 · · Score: 1

      And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

      Just like the car driver is BP's customer, and the OAP with a cash ISA is HSBC's customer? Don't kid yourself; Home users are suffered for the sake of keeping up appearances. They spend orders of magnitude less than corporate entities, and are therefore bottom-rung. Or does your ISP have dedicated 3rd-line support for your home broadband connection?

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    76. Re:Dear Microsoft by Mr.+Freeman · · Score: 1, Troll

      "This kind of behavior is childish at best, but in my opinion borders on criminal."

      You think that exposing a problem with software is "borderline criminal"? When a vulnerability like this gets released it will generally result in the creation of some kind of malware. You seem to think that the solution is simply to make it illegal to know about it.

      I realize that you probably don't understand what it's like to manage a network of computers that actually has to work reliably without relying on the vendor to do all your work for you, but it's your job to disable vulnerable services and properly secure your network. It's not the vendor's job to make sure that your machines work, and it sure as hell isn't the general public's job to remain silent about the security holes in your system.

      It's almost as if you don't think that the vulnerability will be used if it's not disclosed. It's like you think that this is the only guy that could ever fucking find such a bug. Seriously, if it's not publicly disclosed then the only people with access to it are going to be the people that will use it to completely fuck you sideways. I'd prefer it gets released and a bunch of script kiddies try to make it into some easy to prevent malware so it gets patched rather than leave it only in the hands of those that know how to use it to its full potential.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    77. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      You can check upper and lower bounds, a few points in the middle...

    78. Re:Dear Microsoft by DJRumpy · · Score: 1

      So instead, he's going to punish the users of XP? At what point does it stop becoming a 'good deed' and start becoming retribution. Hell, even the summary hints as much, and it's very hard NOT to look at it as such, with the users paying the bulk of the price. People on here should know that patching a system as complex as an OS can't be done on a whim. I don't know how many times I've 'fixed' something, only to have it bite me in the ass in some seemingly unrelated function.

    79. Re:Dear Microsoft by Anonymous Coward · · Score: 0, Flamebait

      Saying they will get back at the end of the week with a timetable is now considered unreasonable??? Fuck me, that is insane even for a truly anti-MS bigot. Nowhere in the article does it show any unreasonableness from MS, only from Tavis; sounds like he is little more than an irresponsible fuck that was trying to make MS look bad (they hardly need help with that), but the only person that truly looks bad here is him. There is no situation where releasing the vulnerability with code within a week can be considered reasonable or responsible. It would not surprise me if Google quietly exited this guy out the door as I truly doubt they would condone such a response.

    80. Re:Dear Microsoft by devent · · Score: 1

      That's an even more horrible picture of MS's security. Even the patches are so bad that they are a security risk.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    81. Re:Dear Microsoft by bloodhawk · · Score: 1

      Full-disclosure does not mean irresponsible disclosure; disclosure before a company has adequate time to test a fix falls into the irresponsible category. Full disclosure is about getting the information to the vendor, giving them "adequate" time to fix the problem then releasing full details on the problem. The only time full disclosure should precede the vendor fix is if the vulnerability is already publicly known or there is an exploit in the wild.

    82. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      You are right in a sense but I think you know that 60 days is more than enough time to fix a flaw. Especially with a company like Microsoft. Not to mention the fact that they could have known about this long ago but never did anything about it until it was brought to the public eye. It isn't meant to impress people. It is meant to force them to get off their ass and fix the problem. You obviously do not know much about Microsoft's history with these problems.

    83. Re:Dear Microsoft by PsychoSlashDot · · Score: 3, Insightful

      Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given.

      "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

      Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

      So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

      That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.

      "I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."

      If he had done that, there'd be no complaint.

      Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?

      When and if my customers' PCs get owned by this, I will blame the exploit discoverer. The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days. Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.

      --
      "Oh no... he found the .sig setting."
    84. Re:Dear Microsoft by vxxzy · · Score: 1

      Unfortunately... To quote you "...this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with..." As I understand it this really has nothing to do with Google. Was not this guy acting on his own behalf? Or am I misinformed?

    85. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      Nothing.
      XP help is fucking useless.

      Use Google

    86. Re:Dear Microsoft by hesaigo999ca · · Score: 1

      THANK YOU, about time someone saw the flaw behind M$ way of dealing with things...and this is EXACTLY why the guy did what he did. He showed that not only is M$ not responsible enough to say ah geez...thank you for spotting this, but now they can't prioritize themselves to push out a fix for the bug quick enough before others come up with attack vectors.

      DON'T BLAME THE GUY FOR REPORTING THE PROBLEM, you would have been just as hacked by the guy knowing about this attack anyways, at least you are aware of it now...( I am talking to you ...whoever modded me down for my last 2 posts about this)...no real hacker will ever tell you his attack vectors, and there are still many not OUTED....
      does that make you more secure because no one has been telling the world about them, hell no!

      You sir are a gem, able to discern that the onus does not fall on the guy reporting the problem, but the person who supplied the buggy application and then does nothing quick enough to fix it, once a problem is found.

      Wish there were more like you!

      ps- If this was to actually interfere with a meeting, or cause some stock option problems, it would have been resolved that same day. Because it is for the end user especially still using windows xp, guess what....we will have to wait a LONG time before getting this, my guess is until you get sick enough of waiting and buy windows7.... ; )

    87. Re:Dear Microsoft by mcgrew · · Score: 1

      We've been saying this shit for *decades*.

      To paraphrase Lily Tomlin's "Ernestine the telephone operator", "Our OS is installed on damned near every computer made. We don't HAVE to listen."

    88. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      I'm sorry - but Google having a security breach on a Windows machine, through a vulnerability that had been patched previously, because Google was too lazy to update the system is hardly MS' fault.

      Entrope - if I knew something about your house, a "security vulnerability" of sorts, would you be OK with me making it public - say, by posting it in the newspaper and online? I'm sure you, as an INDIVIDUAL, would go and try and fix the vulnerability right away.

      Lemme know when you could fix something that is so complex, your squirrel-brain couldn't wrap around it. People seem to forget that with Windows, the compatibility of the software with so much hardware and other software, makes it a lot harder (comparatively) to fix certain things. Sure, as soon as someone reports a vulnerability, they could immediately patch it. Then what would you say to the people whose computers get broken because of it, because it wasn't regression tested? I'm sure you'd be lambasting MS then too.

      All of the above doesn't take into consideration stupid people who click OK to any dialog box in front of them. Those people could even let their OSX/Linux boxes be "hacked".

    89. Re:Dear Microsoft by claar · · Score: 2, Insightful

      Back in 'Computer Science 101' we spent a lot of time doing 'internal testing' and 'external testing' of our programs. When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do

      Wow... just... wow. I take it you're now in upper-level management? Yes, for *very* small programs, that do *very* little, this is feasible. But when you get to real programs of real world size, this is simply not done (unless you work for NASA).

      You came close to hitting the nail on the head with "just don't care enough to allocate the time" -- since I sincerely doubt their customers would care to pay $50,000+ per copy of Windows, and sacrifice the performance, features, and decade(s)-long delays that would be required to accomplish this.

      --
      I'd give my right arm to be ambidextrous...
    90. Re:Dear Microsoft by rtfa-troll · · Score: 2, Insightful

      That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready.

      You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.

      In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. Rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible.

      That's blackmail.

      And that's hyperbole. He is demanding nothing for his own profit.

      Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.

      "I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."

      If he had done that, there'd be no complaint.

      60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.

      Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?

      We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.

      When and if my customers' PCs get owned by this, I will blame the exploit discoverer.

      It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.

      The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days.

      How do you know it was unknown? There are lots of unexplained break ins to systems. Maybe this has been used almost since the beginning? By withholding the data, he's even putting himself at risk of being silenced by either legal or physical means. It's funny the way you feel the right to demand that he does that to save you a few minutes work.

      Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.

      You'd maybe be better off. Others would have vulnerabilities they didn't know about not being fixed.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    91. Re:Dear Microsoft by stonertom · · Score: 1

      How often does a website or IM link you to Windows Help ?

      --
      Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
    92. Re:Dear Microsoft by Magic5Ball · · Score: 1

      > That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

      How does the attribute of open source enable users of Firefox or Apache httpd to find out about problems that exist but are filed away in the not publicly accessible security sections of their respective bugzillas and listservs?

      --
      There are 1.1... kinds of people.
    93. Re:Dear Microsoft by Monchanger · · Score: 2, Insightful

      That's blackmail.

      I do not think that word means what you think it means. He didn't threaten them to achieve gain, his endgame action was of showing his hand, so he's actually gotten rid of his leverage. How exactly do you figure that was an act of blackmail?

      When and if my customers' PCs get owned by this, I will blame the exploit discoverer.

      This is where your bias and lack of reasoning becomes obvious. The responsibility is always on the one who develops the exploit, or the ones who take advantage of the exploit. Now that you know what to do, if you feel responsible for your customers help them secure their systems, don't sit on your ass blaming other people for your inaction. Everyone here is very sorry you can't be lazy and just wait for Tuesday to "secure" your systems for you.

      Researchers are not responsible for the action or lack of action of others and misuse of their research. As is often the case, this researcher's actions were intended for the benefit of the public by bringing to light a vulnerability. Microsoft may not like the fact that their product has been found to once again be insecure, but that's their fault. You Google-haters make it sound like he developed and sold a rootkit. That wasn't Google, that was Sony.

      If he'd shut his mouth for a reasonable period of time we'd all be better off.

      The problem exactly is the question of what is "reasonable." He thought 60 days was plenty, Microsoft was wishy-washy and noncommittal on even that lengthy timescale. You bring to mind that old saying: "The only thing necessary for evil to prevail is for good men to remain silent." I'm not sure letting Microsoft get away with negligence is appropriate, just as we're not allowing BP to do the same.

    94. Re:Dear Microsoft by quanticle · · Score: 1

      Even given all that, it still doesn't justify Ormandy publishing the bug (and, more importantly, the proof of concept code) after only 5 days. If Microsoft was refusing to commit to a 60-day timetable, Ormandy should have published the bug, the code, and all his correspondence with Microsoft on d+61, not d+5.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    95. Re:Dear Microsoft by recoiledsnake · · Score: 1

      Any patch (for any software) can be reverse engineered to get to the exploit. Your post shows your ignorance in your hurry to bash MS.

      --
      This space for rent.
    96. Re:Dear Microsoft by mcgrew · · Score: 2, Insightful

      The exploit had remained unknown for nine years

      How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?

    97. Re:Dear Microsoft by quanticle · · Score: 1

      The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately.

      But how does that protect anyone? I mean, you've still got all the patches out there for the malicious hackers to look over. How does it matter if you release twenty patches on Patch Tuesday, or one patch at a time over the course of a month or so?

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    98. Re:Dear Microsoft by sustik · · Score: 2, Interesting

      The right thing to do would have been:
      1. Try to negotiate a timeline. When that fails (say in 3-4 days):
      2. Suggest MS to disable the hlp resource locator immediately. When that advice is ignored:
      3. Ultimatum to MS: existence of flaw will be disclosed. Give MS opportunity (2 days) to issue the press release. When that fails to happen:
      4. Warn public of the flaw (no exploit). This will put pressure on MS. (From others too.)
      Give last warning to MS regarding timeline negotiations. If this still does not force MS to cooperate:
      5. Disclose exploit 3 days later.

    99. Re:Dear Microsoft by fast+turtle · · Score: 1

      LMAO - Thank you for such a Pithy Comment. Made the start of my day.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    100. Re:Dear Microsoft by rtfa-troll · · Score: 1

      The circumstances are different for each bug and difficult to judge in general. However for this bug we have the simple fact that the functionality is easily and safely disabled without affecting much of the function of the computer.

      Ormandy is clearly justified in releasing the bug immediately since this will allow people who care about computer security, mostly the ones who are most affected by such problems, to take countermeasures. Every day, or even minute, he waits increases risk for such people since it is perfectly possible for someone else to find (or have already found) such a vulnerability and start (or continue) exploiting it. By this judgement, even his initial five day delay is difficult to justify.

      On the other hand, at his own judgement, if Ormandy believes that Microsoft is working as hard as reasonable on this problem, then he would have been justified in keeping the bug under wraps. The justification would be that, whilst this increases risk for the first group, it reduces risk for those who wait for Microsoft's automatic updates. N.B. This is a somewhat questionable justification since MS could simply and quickly release an update turning off the help function.

      The problem is that he didn't believe that MS was working as hard as it should, so the second justification doesn't come into play. Hopefully this is a learning experience for MS who will work harder and/or communicate more clearly in future. Maybe Ormandy is now convinced he made a misjudgement about MS and will be slower next time. Maybe he's learned that reporting publicly without a pseudonym is dangerous and will be more difficult to contact next time. Whichever way that is, second guessing Ormandy when he was in such a difficult situation is unfair.

      Look at the justifications floating around that this was "just before patch tuesday so MS was busy". This is the moment when a patch might be delayed due to a small hitch and if that happens the maximum possible delay (one month) occurs. That means that just before patch tuesday, MS must be on Maximum possible alert. There was no justification for their not being able to respond quickly and at least say that they would try to get it in for the next but one patch tuesday.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    101. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      "That's blackmail."

      What would or did he gain implicitly by releasing or not releasing the information? Money, resources, drugs, sex, etc.? Oh, right, nothing. You clearly need to look up what blackmail is, otherwise any negotiation TO YOU is blackmail of some sort.

      "Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained."

      It did. It was the other contract terms you're ignoring that made the 60-day window irrelevant.

      This is the problem with you, you've reduced the negotiations to a simple and single term, not the complete list of terms of what he was asking for.

      In addition to a fix, he wanted to know they were actually WORKING on a fix (including identifying; how the hell couldn't they identify the fix in 5 days is beyond me) as well as a tentative release schedule. I'm an XP user, and I damn well understand the importance of all 3 aspects (fix the flaw, effort to fix the flaw, schedule of release). I can plan what to do based on these. I can secure my systems, even if that means taking it down.

      If MS doesn't release such basic info, they aren't taking any of it seriously. MS are the losers here; they have more PR handling this than actual security people handling the security hole.

      You, on the other hand, have taken a single aspect, and crushed it into your small mind as the ONLY critical issue. It's not.

      For example, take the whole effort thing. If MS is going to spend that 60 days not trying to fix the issue, then it's 60 days of XP with a KNOWN SECURITY FLAW even if you don't specifically know it; someone else likely does.

      If MS cannot release a damn schedule, they're admitting they don't know shit about the bug, and they further can't even get themselves together to PLAN A FIX. As such, they are incompetent to handling the issue, and at the very least, the security bug was not elevated to the higher ups to take it seriously.

      Indeed, the only reason you find his actions irresponsible was BECAUSE HE RELEASED IT. Note that if he didn't release the info, the bug still exists, as it has had for years on XP.

      Makes me wonder who you would be blaming in those precious, all critical 60 days of yours, if neither he nor MS released info about it, and your systemS got totally owned. The Google employee because he didn't release the info so people could have protected their systems if MS failed, or MS for having the security hole in the first place and being jackass slow (sorry to all the true donkeys out there) in fixing (if they did) the flaw.

      Full disclosure is the only way to get any company, bad or good, to act, because the social norms of success, working products, and fixing problems is the only pressure that is universally accepted.

    102. Re:Dear Microsoft by arose · · Score: 1

      Another "feel sorry for Microsoft's security people, they are overloaded" post. If that is the case MS need to get more people on the problem, since patches can be worked on independently (interaction testing aside). Microsoft is responsible for any and all holes in Windows, they made it, they aren't some underpaid third party trying to fix someone else's fuckups.

      60 more days of vulnerability to skilled blackhats without any recourse for the general public or even any guarantees that the issue will actually be addressed during that time frame would be very irresponsible.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    103. Re:Dear Microsoft by Zan+Lynx · · Score: 1

      I tried really hard on a new project at work to get full test coverage and the best I could do was 75% branch coverage.

      It is ridiculously time consuming to try to cover every code path.

    104. Re:Dear Microsoft by toxonix · · Score: 2, Interesting

      Companies like Microsoft don't allow outside hackers/security experts to set expectations and timelines for them. Any patch has to go through a lot of project management and release delivery coordination, testing etc. Why would the hacker demand satisfaction except for his own publicity and credit? Why would Microsoft oblige him? I certainly wouldn't.

    105. Re:Dear Microsoft by devent · · Score: 1

      Why don't somebody reverse engineer an exploit for the Apache server or the Linux kernel? Should be very easy, because the patches are all open source. But somehow you can reverse engineer the binary blob patches from MS for new exploits?

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    106. Re:Dear Microsoft by IICV · · Score: 1

      Absolutely nothing, because nobody has ever successfully used the Windows Help system in the history of the universe. It is a slow, worthless, unhelpful piece of shit whose only saving grace is that you never actually see it.

    107. Re:Dear Microsoft by Golddess · · Score: 1

      Ormandy should have published the bug, the code, and all his correspondence with Microsoft on d+61, not d+5

      Why? TFA is not clear where the 60 day thing originated (whether it was Ormandy who opened up with something like "lets see if we can get a fix within the next 60 days" or it was MS who said something like "lets shoot for 60 days and see how things pan out"), but what if it had been 90 days? 365 days? 7300 days (20 years)? Why does 60 days sound reasonable to you?

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    108. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      Would you say that the resource locater is... tragically hip?

    109. Re:Dear Microsoft by mcrbids · · Score: 2, Funny

      Cite: TFA.

      What is this "TFA" of which you speak?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    110. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      He could have told them he would wait the 60 days and release it then instead of moving it up to 5 days.

    111. Re:Dear Microsoft by StayFrosty · · Score: 1

      All Microsoft had to do was agree to release a fix within 60 days. That would give them plenty of time to think the patch through and test it thoroughly. Microsoft did not agree to release a fix within 60 days so the exploit was released. Microsoft had their shot to handle this properly but they blew it. It's not Ormandy's fault that Microsoft did not cooperate.

      It's also important to note that Ormandy released the exploit on his own, not as a representative of Google. What he does in his free time shouldn't really be Google's business. It's not fair to point fingers at Google because of the actions taken by one of its employees in their free time.

      --
      "Frequently wrong, never in doubt."
    112. Re:Dear Microsoft by StayFrosty · · Score: 1

      Home users will be protected a week earlier.

      --
      "Frequently wrong, never in doubt."
    113. Re:Dear Microsoft by mcgrew · · Score: 1

      Now, were they to be taking it super seriously so as not to introduce a new flaw that would be understandable. The problem though is that they haven't learned anything from these incidents.

      When I first got XP (lost my driver disks and there were no 98 drivers available and XCP had ruined the system) about five or so years ago, the day after I installed it I could no longer get on the internet. The cablemodem was lying on the floor, so I figured the cat had knocked it off and broken it.

      The provider's support staff said "no, we can see your modem from here and it's fine. Your network card is probably bad." I figured I'd make sure it wasn't the cables first and spend the ten bucks for a network card. But first I had to reinstall XP, because after installing the software that came with my CD burner it said that the software was unstable (I'd never had any problem with it) and disabled it. After Windows disabled it it wouldn't uninstall, and I got the message about the burner software being unstable every time I rebooted.

      So I reinstalled Windows and the device drivers and voilà -- the internet was back. It turned out that Microsoft had replaced my perfectly good, non-MS network driver with one that simply did not work. So it was pretty obvious that they don't take it super seriously so as not to introduce a new flaw; there wasn't even any flaw in the driver they replaced -- I checked the net chip's web site, and there were no issues. MS screwed up because obviously they just don't give a rat's ass.

    114. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      You're still missing the point. If Microsoft queues up the patches, everyone's still secure. Microsoft does occasionally release out-of-cycle patches to address serious, publicly-known vulnerabilities. But most exploits are written from their patches.

      How the hell am I still secure? There's a known, un-patched vulnerability on my machine. The malware writers are going to look at the patch as soon as it is released regardless of whether it is out-of-cycle or not. If someone else knows about this exploit (quite possible), there's another week available for them to take advantage of the vulnerability.

      Back on topic, if Microsoft had agreed to the 60-day time frame that was offered, they would have had 60 days to come up with and test a patch and it could have gone out in-cycle.

    115. Re:Dear Microsoft by StayFrosty · · Score: 1

      I think the reason for the Patch Tuesday release is to avoid disclosing the vulnerability to all and sundry. Otherwise, if the company doesn't want to/cannot test and deploy patches whenever they get released, there's going to be a period of time during which they have a vulnerability which is not only known, but attackers have the fix for it and can determine exactly what was changed to close it, thus making it very easy to generate an exploit for it.

      I don't understand how sitting on a patch for a couple of weeks solves this problem. Any large company is going to be testing the patches internally whether they were released on-cycle or out-of-cycle. Either way, there is going to be a few days with un-patched machines. Waiting until patch Tuesday is irresponsible because the exploit is un-patched for an extra couple of weeks. If there is a patch, there's a hole and if one person was able to find it, chances are someone else did too. Security by obscurity just does not work.

      --
      "Frequently wrong, never in doubt."
    116. Re:Dear Microsoft by dhavleak · · Score: 1

      Another "feel sorry for Microsoft's security people, they are overloaded" post.

      It's actually a "in the real world, things are complicated and take time" post.

      If that is the case MS need to get more people on the problem, since patches can be worked on independently (interaction testing aside).

      There are going to be times when they have more people than they need. There are going to be times when they have fewer people than they need. There are going to be times when multiple exploits are reported against the same component, so no matter how many people you have, it's the same core team that these get routed to, so one bug gets a higher priority and worked on immediately and one gets a lower priority and goes next -- even if the severities are enough that the team is working flat-out and around the clock. You're oversimplifying again! Re-read The Mythical Man-Month. It's pretty basic & pretty ancient now, but even back then it was realized that merely throwing more people at the problem does not reduce the time it takes to solve it. You've also glossed over the inherently serial nature of some of those tasks: find appropriate owners/experts, understand severity, impact, exploitability, mitigating factors, create patch, test patch, deploy patch. The guy disclosed the vulnerability on a Saturday, and went public the following Wednesday, for crying out loud!

      Microsoft is responsible for any and all holes in Windows, they made it, they aren't some underpaid third party trying to fix someone else's fuckups.

      Nobody claimed otherwise. Not even MS.

      60 more days of vulnerability to skilled blackhats without any recourse for the general public or even any guarantees that the issue will actually be addressed during that time frame would be very irresponsible.

      That is the current status, because of Ormandy's actions. There were no exploits in the wild, until Ormandy released his exploit publicly. That implies nobody knew about it, until then. So you just posted an argument based on very tenuous, very shaky logic.

    117. Re:Dear Microsoft by arose · · Score: 1

      There were no exploits in the wild

      Prove it.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    118. Re:Dear Microsoft by PsychoSlashDot · · Score: 1

      How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?

      We don't know that. We strongly suspect that. Why? Because we've got a lot of companies out there that reverse engineer and analyze known threats. I'm not saying they're infallible, but when random system-owning executables start showing up, they get ripped apart to find out how they replicate and spread.

      Given that there's an entire industry dedicated to blocking known threats, Occam's Razor tells us that it's more likely there isn't a secret exploit in use than that there is.

      Again it's not a guarantee, but disclosure at the five day mark is a guarantee, which is my point.

      --
      "Oh no... he found the .sig setting."
    119. Re:Dear Microsoft by dhavleak · · Score: 1

      There were no exploits in the wild

      Prove it.

      http://en.wikipedia.org/wiki/Negative_proof

      i.e. The burden is upon you to prove that one existed.

    120. Re:Dear Microsoft by arose · · Score: 1

      There were no exploits in the wild

      That is a positive statement, burden of proof is on you, no matter if you can prove it or not. The correct wording is "no known exploits", but that casts an entirely different light and isn't what you said.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    121. Re:Dear Microsoft by dhavleak · · Score: 1

      There were no exploits in the wild

      That is a positive statement, burden of proof is on you, no matter if you can prove it or not.

      There were no known exploits in the wild. Happy? Or do you want to play more word games?

    122. Re:Dear Microsoft by QuietObserver · · Score: 1

      Don't usually respond to ACs, but you truly deserve recognition for this effort. Your comments are thorough, concise, and do not needlessly nitpick or belittle the GP (sure you refer to the GP as small minded, but considering the criticism is on, as you repeatedly point out, a single, simple aspect of a complex problem, I do not find that particularly condescending).

      Although, I do think part of your comment could have been phrased more humorously. Here is what I recommend as one possible replacement:

      Makes me wonder who you would be blaming in those precious, all critical 60 days of yours, if neither he nor MS released info about it, and your systemS got totally owned. The Google employee because he didn't release the info so people could have protected their systems if MS failed, or MS for having the security hole in the first place and being snail slow (sorry to all the true snails out there) in fixing (if they did) the flaw.

    123. Re:Dear Microsoft by PsychoSlashDot · · Score: 1

      You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.

      He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?

      In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. Rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible.

      In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignores the part of every KB article that warns us how dangerous registry editing is, are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.

      And that's hyperbole. He is demanding nothing for his own profit.

      Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.

      60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.

      Nonsense. 60 days was a reasonable maximum for a patch to be released. It doesn't matter if he thought they were going to make that deadline, or if he thought elephants could fly. He was willing to give them 60 days. He should have given them 60 days. It's not relevant to anyone's safety (in a positive way) how confident he personally feels about the deadline being met. Hello, narcissist.

      We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.

      We who? Joe? Show me where Joe's EULA entitles him to patches within X days of disclosure of an exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.

      It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.

      That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.

      Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unex

      --
      "Oh no... he found the .sig setting."
    124. Re:Dear Microsoft by AK+Marc · · Score: 2, Insightful

      If their response is "I don't care about you" then explain why the other person should care about them. From your response, since Microsoft doesn't care about him at all, then he erred by giving Microsoft advanced notification. He should have just released it to the public on the first day.

    125. Re:Dear Microsoft by arose · · Score: 1

      It's not a word game. Your assumption that there were no exploits undermines your conclusion that disclosure was counterproductive.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    126. Re:Dear Microsoft by dhavleak · · Score: 1

      It's not a word game. Your assumption that there were no exploits undermines your conclusion that disclosure was counterproductive.

      And I concede the point again. There were no known exploits in the wild. However, the assumption isn't mine (it's been reported on). And you still have no data proving that there were indeed exploits in the wild. You need that data to prove that the disclosure was not damaging. You need that, because as soon as he disclosed the exploit, instances of it were seen in the wild. The correlation is strong. The only justification for Ormandy's actions is proof-positive that there are exploits in the wild. You need to provide that proof, or concede that your stance is incorrect. You pointed out the tiny little trivial flaw where I should have added the word *known* in my post -- and I have conceded that point twice now. I ask you again -- are you done playing word games?

    127. Re:Dear Microsoft by arose · · Score: 1

      And I concede the point again.

      No, you continue to ignore it.

      And you still have no data proving that there were indeed exploits in the wild.

      I didn't claim that there are exploits in the wild, only that systems were vulnerable, particularly to skilled adversaries who are likely to find exploits on their own.

      You need that data to prove that the disclosure was not damaging.

      Well, I didn't make the claim.

      The only justification for Ormandy's actions is proof-positive that there are exploits in the wild.

      Matter of opinion. It depends on how big of a threat you consider targeted stealth attacks to be compared to automated attacks against known vulnerabilities.

      You need to provide that proof, or concede that your stance is incorrect.

      Proof of what? That vulnerabilities have been exploited within an overly long "known issue to patch" period? Here's a recent one. Proof that it had definitely been exploited before? I didn't make the claim and didn't base my stance on it.

      I ask you again -- are you done playing word games?

      Are you done unduly placing the burden of proof onto everyone who disagrees with you?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    128. Re:Dear Microsoft by zuperduperman · · Score: 1

      5 days doesn't sound like a long time for a "negotiation". While it's certainly true that Microsoft should jump on any such vulnerability quickly I'm having a little trouble buying that 5 days is enough time to conclude the other party is acting in bad faith. Insisting on a fixed schedule for a bug fix to a brand new problem in any product in just 5 days (or 3 days really - one day for the initial contact, 3 days of waiting and then on day 5 he releases) sounds like a random and unreasonable demand. It probably takes that long just to escalate it to the right group in Microsoft for analysis.

      I think this engineer (or perhaps, even worse, Google) really *wanted* this zero day in the wild and thus deliberately made unreasonable demands and then published before MS had a chance to respond.

    129. Re:Dear Microsoft by dhavleak · · Score: 1

      And I concede the point again.

      No, you continue to ignore it.

      Let me concede it a third time, and address it a third time. I said "there were no exploits in the wild". I should have said "there were no known exploits in the wild". I am not making an assumption here. I am going on what was reported. How does this constitute ignoring the point? Please be specific.

      And you still have no data proving that there were indeed exploits in the wild.

      I didn't claim that there are exploits in the wild, only that systems were vulnerable, particularly to skilled adversaries who are likely to find exploits on their own.

      It's not about you making the claim. The existence of exploits in the wild is the only thing that justifies Ormandy's action.

      You need that data to prove that the disclosure was not damaging.

      Well, I didn't make the claim.

      It's not about you making the claim. The existence of exploits in the wild is the only thing that justifies Ormandy's action.

      The only justification for Ormandy's actions is proof-positive that there are exploits in the wild.

      Matter of opinion. It depends on how big of a threat you consider targeted stealth attacks to be compared to automated attacks against known vulnerabilities.

      100% incorrect. Releasing the exploit has real, tangible, negative impact. You need more than "opinion" to justify that action. You need facts. Do not hide behind "opinion".

      You need to provide that proof, or concede that your stance is incorrect.

      Proof of what? That vulnerabilities have been exploited within overly long "known issue to patch" period? Here's a recent one. Proof that it had definitely been exploited before? I didn't make the claim and didn't base my stance on it.

      Proof of an exploit for the vuln Ormandy discovered, that existed before he made his exploit public -- what did you think I was asking for?? Why are you linking to an unrelated zero-day?? The prior existing exploit is the only thing that justifies Ormandy's action.

      I ask you again -- are you done playing word games?

      Are you done unduly placing the burden of proof onto everyone who disagrees with you?

      It's a very simple point. You chose to defend Ormandy's action, and this is what you need, to defend him successfully. Logic led us down this road.

    130. Re:Dear Microsoft by dhavleak · · Score: 1

      Why are you linking to an unrelated zero-day??

      Just read that link and realized that this was not a zero-day. Either way -- I don't see how this supports Ormandy's action. As I said before: if he had followed responsible disclosure policy, and then got fed up with waiting, he would have a point. Saturday through Wednesday? No leg to stand on.

    131. Re:Dear Microsoft by quanticle · · Score: 1

      From what I read, it seemed like it was Ormandy who proposed the 60-day window. Given that, it was disingenuous for Ormandy to publish after only 5 days. He could have sat on the bug for another 55 days, and then if Microsoft hadn't provided a fix, he could have come out and said, "I have informed Microsoft repeatedly over the past 60 days. They've done nothing, and therefore I'm publishing." That position would have earned him a lot more support in the security community.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    132. Re:Dear Microsoft by drsmithy · · Score: 1

      If the OS running the architecture does not require a reboot after applying security patches, then I don't need to schedule for downtime... no matter how the architecture might be.

      You're missing the point. If your architecture can't handle a planned outage of a single server, then it's even less capable of handling an _unplanned_ outage. I.e.: it's broken.

      Could it be that you haven't yet heard of the "just restart the service" approach or even hot-patching?

      Sure. I just have enough experience to know that individual server uptimes are not what matter.

    133. Re:Dear Microsoft by c0lo · · Score: 1

      You're missing the point.

      Oh, do I?
      My problem is: why should I restart an entire OS and stop answering HTTP requests (for example) when only the email server needs to be patched? (granted, I made the mistake of co-hosting them on the same box and choosing a Windows OS).

      Hang on... You know what? You are absolutely right, I'm missing a point here. And this point is: how come the inability of Windows OS-es to handle security patching without a reboot became a case of "broken architecture - not being able to handle planned outages"?

      My respects

      --
      Questions raise, answers kill. Raise questions to stay alive.
    134. Re:Dear Microsoft by totally+bogus+dude · · Score: 1

      The point is they'll likely set aside a particular day each month or fortnight or week for testing patches. It's much easier to run a test against a bunch of updates all at once than against every individual update. Additionally, it's not only large companies that want to be able to test patches before pushing them out. Most companies don't have the resources to do patch testing at all (or more accurately: the cost/benefit ratio doesn't work out as it's easier to just fight the fire afterwards on the rare occasion a patch does break something) but some companies do need to, and not all have resources to have staff available to test the patches whenever they are released, but instead have scheduled times when they can do that.

      So the idea is to minimise the time window between "everyone-and-his-dog being able to exploit the vulnerability" and "patch deployed to all machines". It is guesswork, of course. But basically: if the vulnerability isn't being actively exploited then it's not really a threat, just like the hundreds of other vulnerabilities that exist in your software right now which nobody has discovered. If you publish a patch to fix it for the use of the general public, then absolutely everyone with an interest in exploiting machines can easily determine how to take advantage of the vulnerability in any machine which isn't yet patched. So the time window between releasing the fix and having the patch installed is arguably the point where you're most vulnerable to it.

      And it doesn't really matter if a handful of people know about the exploit. The likelihood of any one random blackhat attacking YOUR infrastructure is very small. But the bigger the pool of random blackhats grows, the more significant that very small likelihood becomes.

      I mean, the sin has already been committed in that there's a vulnerability that can be exploited. There is no perfect fix for it, just like there's no way to "make it right" after you accidentally kill somebody. All you can do as a vendor is play the statistics and do whatever you can to maximise the % who don't get compromised by the vulnerability. As an end-user, all you can do is try to maximise the likelihood of you being in the % who don't get compromised.

    135. Re:Dear Microsoft by drsmithy · · Score: 1

      Oh, do I?

      Yes. Even after I explained it.

      My problem is: why should I restart an entire OS and stop answering HTTP requests (for example) when only the email server needs to be patched? (granted, I made the mistake of co-hosting them on the same box and choosing a Windows OS).

      The point is: why should you _care_ if you have to restart a server ? If your architecture is sound then doing so will have no - or extremely minimal - impact.

      And this point is: how come the inability of Windows OS-es to handle security patching without a reboot became a case of "broken architecture - not being able to handle planned outages"?

      It's got nothing whatsoever to do with Windows. If your architecture cannot maintain its SLAs in light of a planned server restart, then it is broken (or your SLAs are inappropriate). This is true no matter what the OS is.

      Individual server uptimes are essentially irrelevant outside of e-dick waving. What matters is service availability. A single server cannot be relied on to deliver high levels of availability, regardless of OS.

    136. Re:Dear Microsoft by c0lo · · Score: 1

      It's got nothing whatsoever to do with Windows. If your architecture cannot maintain its SLAs in light of a planned server restart, then it is broken (or your SLAs are inappropriate). This is true no matter what the OS is.

      Hmmm... Now I see your point. A case of "Law of unintended consequences", I'd say. Let's explore it, shall we?
      Because:
      1. corporate customers used Windows (which requires a reboot after applying security patching. And everyone knows that security patches are as unavoidable as death-and-taxes)...
      2. ... and they didn't/couldn't invest enough in a "proper architecture" to maintain their SLA...
      3. ... they asked Microsoft to release their security updates at a slower pace...
      4. ... which translated in the adoption of the "responsible disclosure - gimme 60 days or more to patch" monstrosity.

      The customers are to blame, why should one stick the teeth into Microsoft's neck? Or, for that matter, in Tavis Ormandy's? What a world!

      --
      Questions raise, answers kill. Raise questions to stay alive.
    137. Re:Dear Microsoft by drsmithy · · Score: 1

      The customers are to blame, why should one stick the teeth into Microsoft's neck?

      Or RH, or SuSe, or Sun - they're all equally incapable of providing high availability with single-server dependencies.

    138. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      The customers are to blame, why should one stick the teeth into Microsoft's neck?

      Or RH, or SuSe, or Sun - they're all equally incapable of providing high availability with single-server dependencies.

      Citation needed in regards to equally

    139. Re:Dear Microsoft by StayFrosty · · Score: 1

      The point I was trying to make is that big companies can still do their testing once a month if they so choose. They will be using WSUS anyway so it would be a simple process. Testing always takes a few days after the patch is released anyway. If a patch is released right away, more machines are protected sooner. It's that simple.

      --
      "Frequently wrong, never in doubt."
    140. Re:Dear Microsoft by arose · · Score: 1

      I am not making an assumption here. I am going on what was reported. How does this constitute ignoring the point? Please be specific.

      It's the assumption that if there are no exploits reported, there are none. I don't have any sources on hand, but I've read reports on black market trading of undisclosed/unknown vulnerabilities. Obviously we don't know about the vulnerability at hand, but it's good to keep in mind that skilled, less than ethical, hackers are going over Microsoft products with a fine-toothed comb, possibly more obsessively than whitehats.

      Back to the point: you concede the language used, not the conclusions based on the assumption. I'm not saying you are not considering it, but I don't think you are considering it enough.

      The existence of exploits in the wild is the only thing that justifies Ormandy's action.

      Repeatedly stating an opinion doesn't strengthen it. Even your initial post allowed for circumstances that apply here, such as ease of mitigation. It's actually a strong point in favor of disclosing "prematurely" (responsible disclosure as such is actively debated within security circles, it's not generally considered a no-brainer) if decisive action from the vendor is indeed absent. Shut down one auxiliary service and you are safe -- can't do that if you don't know you should...

      Proof of an exploit for the vuln Ormandy discovered, that existed before he made his exploit public -- what did you think I was asking for?

      I hoped you weren't demanding proof for things I didn't claim existed; burden of proof is not on me, the rest is opinion.

      Either way -- I don't see how this supports Ormandy's action.

      Fine, don't take it as support, take it as context. If Google, indeed, got bitten by delayed action on Microsoft's part, that kind of thing affects one's actions.

      As I said before: if he had followed responsible disclosure policy, and then got fed up with waiting, he would have a point. Saturday through Wednesday?

      Plenty of time to evaluate the severity and project a timeline, doesn't have to be set in stone, just reasonable and doable. Combine with the fact that administrators don't need an actual patch to keep their systems safe from this particular exploit... Not to mention sudden prompt action, can't beat that one.

      You chose to defend Ormandy's action, and this is what you need, to defend him successfully. Logic led us down this road.

      Based on your axioms, yes. I reject the axioms as they are subject to debate.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    141. Re:Dear Microsoft by totally+bogus+dude · · Score: 1

      And the point I was making was that if they do that, then you don't simply risk having machines unpatched against a known and actively exploited vulnerability for up to a month, but you pretty much guarantee it. Your stance assumes that a vulnerability that has been privately reported is not only likely to be being actively exploited already, but is also likely to be being exploited against a sufficiently large number of machines so as to be a concern for the majority (or even a significant minority) of users.

      Whether or not this is true is largely guesswork, but there are lots of security firms who monitor for unusual traffic patterns and any vulnerability that is being widely exploited tends to be picked up. If we trust the methods they use for collecting data on wild exploits, then it currently appears that neither assumption is true.

      As you say, it takes time to test patches, so there is an unavoidable window during which the fix will be published and widely available but not yet deployed to machines, putting them at very high risk (because anyone who wants to can create a tool to exploit the vulnerability). This will occur whether you immediately release the patch or wait. If you know exactly when the patches are coming out (even if you don't know what they're for) then you can plan around testing them at a particular time, thus reducing that window of maximum exposure as much as possible. If patches are issued as soon as they're ready, then the people doing the testing need to drop all their other activities on the floor at a moment's notice in order to get it out ASAP. That's usually not practical, as the people doing the testing have other tasks that they need to perform.

    142. Re:Dear Microsoft by rtfa-troll · · Score: 1

      He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?

      I've already addressed this and your later point that 60 days should be 60 days elsewhere. Basic summary; he is weighing the risks for two different groups. One small but more critical and one larger but with less critical needs. Any wait damages the first group. Waiting only helps the second if Microsoft is actually working.

      In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignores the part of every KB article that warns us how dangerous registry editing is, are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.

      If Joe's system is important then he needs to learn to hire a decent security consultant and redesign it. If it isn't, he needs to learn to do backups and should either shutdown or reinstall when compromised.

      Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.

      I have a different interpretation (I believe him that it was a private project; I believe that Google won't be happy with him about this; I believe that he didn't think fully through about this being associated with work) but since this is all speculation about the mind of a third party and either of us could be wrong I'm not going to speculate further.

      We who? Joe? Show me where Joe's EULA entitles him to patches within X days of disclosure of exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.

      Sorry, I wasn't as clear as I should be. We should be read as "companies I work for". I'm not a representative so I'm definitely not going to state exactly who that means. I personally simply don't have a copy of Windows. These companies pay for basically every possible assurance/license/maintenance thing Microsoft is willing to sell. At that level their competitors make it very clear that they will work immediately at maximum effort indefinitely until they have a fix for a problem if I invoke the word "security".

      That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.

      Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unexpected service.

      It sounds like they aren't using tools appropriate for the job. If this were repeated often enough they might begin to question that. Unfortunately, I think they will likely be subject to occasional random virus

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    143. Re:Dear Microsoft by rtfa-troll · · Score: 1

      When people do that there is a strong tendency for the company to come in around stage three, find a compliant judge and police group and have the security researcher's computers confiscated to avoid stage 4 and beyond. Whilst this is effectively illegal behaviour by the company and shouldn't happen, it's common enough that I really think it rules out your (otherwise theoretically wise) advice. Have a look at Cisco's attempts to suppress vulnerability information or the Massachusetts Bay Transportation Authority for example. Ormandy has actually come out of this quite well considering. Basically you either go fully "responsible" or you come out with the full info with no warning so that it's too late to sue. There is no reasonable middle ground.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    144. Re:Dear Microsoft by dhavleak · · Score: 1

      Either way -- I don't see how this supports Ormandy's action.

      Fine, don't take it as support, take it as context. If Google, indeed, got bitten by delayed action on Microsoft's part, that kind of thing affects ones actions.

      (1) Google said he was acting independently. Google advocates responsible disclosure. You cannot have your cake and eat it too. Was he acting independently or not?
      (2) If Google got 'bitten' and this affected their behaviour (their = google or Ormandy), then the obvious course of action is to deploy Ormandy's patch internally, and responsibly disclose the issue to MS.

      Based on your axioms, yes. I reject the axioms as they are subject to debate.

      Very well, state your axiom(s) then! What do you consider as necessary and sufficient conditions for a researcher to release exploit code within 5 days notice to a vendor?

      Plenty of time to evaluate the severity and project a timeline, doesn't have to be set in stone, just reasonable and doable.

      Now here's where we're dabbling with opinion. This is your opinion. You don't know what email exchange transpired between Ormandy and MS. You don't know if they gave any kind of estimate or not, and if Ormandy just decided he didn't like it. You don't know if they replied saying "we're trying to figure this out -- we'll get back to you". You don't know jack shit about that communication -- but we all know this for 100% certain -- an exploit absolutely does exist in the wild because Ormandy made sure it does, and at least one site has been compromised, and visitors to that site are vulnerable.

    145. Re:Dear Microsoft by Anonymous Coward · · Score: 0

      If they can't guarantee that they will fix a serious security hole in 60 days, they are doing it wrong. There is no real excuse for not being able to do that.

    146. Re:Dear Microsoft by arose · · Score: 1

      What do you consider as necessary and sufficient conditions for a researcher to release exploit code within 5 days notice to a vendor?

      I do not consider it the duty of a security researcher to contact a vendor prior to full disclosure at all, meaning that no conditions have to be met. However I do think that responsible disclosure is a good policy.

      There certainly isn't any agreement on what the proper waiting period should be. First of all, what do you consider a reasonable time limit, and why?

      In this case the vulnerability is easily mitigated, so that alone is reason enough to release early in my opinion. A point you ignored.

      an exploit absolutely does exist in the wild because Ormandy made sure it does

      An exploit absolutely exists in the wild because Microsoft sold people a vulnerable OS. Blackhats do not need help to write exploits, script kiddies are far less dangerous. We can actively protect ourselves against it because we have been informed.

      and at least one site has been compromised, and visitors to that site are vulnerable.

      So? Unless you can look into the future and have perfect information of the past, you can't prove that public disclosure hasn't averted more harm than it has "caused" (as said, this only exists because of MS, their bug, period) any more than I can prove that it has.

      Patched bugs are exploited on a larger scale than this, and visitors who haven't patched are still vulnerable. Successful responsible disclosure doesn't prevent small scale, unsophisticated attacks. Proactive people and organizations, on the other hand, are now safe due to disclosure, as mitigation for this bug is dead simple and MS has gratuitously provided a patch to their serf^Wvalued users.

      So what is the nature of the known infections? Are we talking about a few more zombies that would have otherwise been gotten with trojans/unpatched machines/unsupported versions of Windows, or the massive data compromises that result from targeted attacks?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    147. Re:Dear Microsoft by toxonix · · Score: 1

      I have no problem with his releasing it to the public. He's free to do whatever he wants with it. But wasting his time trying to get his fix fast tracked through the pipeline smells of attention whoring. I think there is a lot of attention whoring in the security community.

    148. Re:Dear Microsoft by cbiltcliffe · · Score: 1

      This entire post is completely irrelevant shit.

      If a bad patch is released, that blue-screens 10% of home user systems, what the heck difference does it make whether it was released on the second Tuesday of the month, or the last Friday?
      It's still going to blue-screen the machines, because home users - surprise, surprise - don't test patches before they're auto installed.

      And as far as the 300 people in the fictitious org continually testing and retesting...
      Do you not have to test if patches are released once a month? Or did you just not read a thing of what I posted?
      Those who wish to schedule updates on a once a month basis already have the tools from Microsoft to do it. Why should Microsoft then delay updates to those who _don't_ want to schedule updates, just because the whiners are too lazy to use the tools already provided? Sure, if they needed to do full testing of every single patch that comes out, it's a lot of work. But they could make the choice to do it once a month, rather than every 2-3 days, if patches were released with no schedule. That's their choice. But it's not a decision that I would make, and I don't have the option of doing what I want, because of Microsoft's stupid patch release schedule.

      In the worst case scenario of non-scheduled patches, you're right: the organization can never patch up to date.
      But with scheduled updates, they can never patch up to date, either, because they test everything after it's released. Not only that, but they don't even have the option of staying up to date without testing, because Microsoft holds onto patches for as long as a month, because some whiny blowhard doesn't want to have to deal with WSUS.

      Then you tell me to "STFU and stop blaming the cautious among us."
      In my opinion, "the cautious among us" are the ones that apply security updates as soon as possible, so some chinese/russian/whatever hacker can't get into my system tomorrow. You're leaving it open, because "this patch might damage my precious uptime!" That's not cautious, that's lame.

      And if your in-house apps are so fragile that any given security patch might cause them to completely fall over broken, then you need to fire your programmers, and do some hiring.
      The only reason a patch should break an app like that is if it's fixing a design flaw of Windows, rather than a programming error. And the number of design flaw patches for Windows is minuscule. The only one I remember in recent memory was this one:

      http://support.microsoft.com/kb/968389

      and you still have to actually enable the new functionality by a registry edit. Not exactly something that's going to randomly bork dozens of well-written internal apps.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    149. Re:Dear Microsoft by AK+Marc · · Score: 1

      And what I read made it sound like he's reported multiple problems before and has been misled as to the timeline of the fix, so he wanted something concrete or he'd just release to the public. From how it sounded, he played the game multiple times before and was unhappy with the results, and this wasn't attention whoring, but a fed up professional that's not going to follow the rules of someone who he thinks doesn't follow their own rules.

    150. Re:Dear Microsoft by dhavleak · · Score: 1

      I do not consider it the duty of a security researcher to contact a vendor prior to full disclosure at all, meaning that no conditions have to be met.

      So it would have been okay for Dan Kaminsky to post details of the DNS vuln. in 5 days (or even without notifying the vendors)?

      However I do think that responsible disclosure is a good policy.

      Very conveniently straddling both sides. If it's 'good policy' why is it okay to not follow 'good policy'? What is the opposite of 'good policy' -- could it be 'bad policy' by any chance? Unless there are extenuating circumstances? So the same question yet again, asked in another way -- what would be the necessary and sufficient extenuating circumstances for not following this so-called 'good policy'?

      First of all, what do you consider a reasonable time limit, and why?

      It doesn't matter -- you rejected my axiom, remember? But I'll avoid skirting the question: responsible disclosure allows for variation in that time limit, because it recognizes that not all security bugs and fixes are equal. In this case, 5 days was not enough.

      In this case the vulnerability is easily mitigated, so that alone is reason enough to release early in my opinion. A point you ignored.

      Not ignored. If it's so easily mitigated, why did Ormandy think it was necessary for MS to drop-everything-now and address this issue?

      An exploit absolutely exists in the wild because Microsoft sold people a vulnerable OS.

      A vulnerability exists, because of MS. The exploit exists because of Ormandy.

      Blackhats do not need help to write exploits, script kiddies are far less dangerous.

      You keep hiding behind this tenuous thread, but you refuse to take the burden of proof that Blackhats had found this hole and exploited it before Ormandy's action. Wonderful. You also ignore the strong correlation between Ormandy's going public and the attacks occurring in the wild. Wonderful.

      We can actively protect ourselves against it because we have been informed.

      Who is we? There are people who don't follow this stuff, or don't have the capability to even understand it. Ormandy should have followed responsible disclosure and only if MS was dismissive should he have resorted to this action. 5 days is not enough time for them to do anything.

      as said, this only exists because of MS, their bug, period

      How many more times can I concede this point, before you realize that it does not absolve Ormandy of acting irresponsibly?

      Patched bugs are exploited on a larger scale than this, and visitors who haven't patched are still vulnerable. Successful responsible disclosure doesn't prevent small scale, unsophisticated attacks. Proactive people and organizations, on the other hand, are now safe due to disclosure, as mitigation for this bug is dead simple and MS has gratuitously provided a patch to their serf^Wvalued users.

      Serfs? It sounds like you just have it in for MS's users, plain and simple. This has absolutely no bearing on the fact that Ormandy was irresponsible.

      So what is the nature of the known infections? Are we talking about a few more zombies that would have otherwise been gotten with trojans/unpatched machines/unsupported versions of Windows, or the massive data compromises that result from targeted attacks?

      Relevance?

  2. Miscreants by davebarnes · · Score: 0

    Hooligans
    Juvies

    --
    Dave Barnes 9 breweries within walking distance of my house
    1. Re:Miscreants by Anonymous Coward · · Score: 0

      Hooligans
      Juvies

      Microsoft
      FTFY

  3. Nice quote. by ArbitraryDescriptor · · Score: 5, Funny

    Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.

    Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."

    1. Re:Nice quote. by hedwards · · Score: 1

      He's right about that. If they do that then they'll never get onto that nasty virus infested interweb I keep hearing about. Seeing as most OSes have relied upon the open source TCP/IP stack from BSD and a significant portion of websites are served via the likes of Apache and similar open source programs.

    2. Re:Nice quote. by WarJolt · · Score: 1

      Winsock is not open source... Like DOS, Microsoft "Owns" it.

      Actually there were several TCP/IP vendors for windows, but they wanted BSD style API. They couldn't fork(), so they created winsock.

    3. Re:Nice quote. by Onymous+Coward · · Score: 1

      I thought there were a variety of Winsock implementations, each independently owned. And as I (cursorily) read it, Winsock the standard was not owned by MS.

  4. Unbelievable by Jean-Luc+Picard · · Score: 3, Funny

    A security flaw being exploited, via the Internet no less! I am shocked and outraged! /s

  5. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0, Funny

    5 days isn't much time to wait before releasing this crap on the rest of us.

    Speak for yourself, Windows user.

  6. Re:The bad guys thank you Tavis. by QuantumG · · Score: 2, Interesting

    The bad guys have been using the flaw for years.. it's just the bottom feeders who are allowed by the cartel to have a go now.

    5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.

    --
    How we know is more important than what we know.
  7. Let me get this straight... by pem · · Score: 3, Funny

    Google is supposed to learn morals from Microsoft and its toadies?

  8. 5 days spent trying to get a fix within 60 days by msbhvn · · Score: 3, Informative

    According to this tweet (http://twitter.com/taviso/status/16005411316), those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.

    1. Re:5 days spent trying to get a fix within 60 days by QuantumG · · Score: 2, Interesting

      Yeah, he's not nearly as mean as I would be. I would demand actual action within that 5 days.. including pushing out a patch to disable the vulnerable code.

      --
      How we know is more important than what we know.
    2. Re:5 days spent trying to get a fix within 60 days by Anonymous Coward · · Score: 0
      Gee, thanks for letting us know you read the article.

      In a message on Twitter last week, Ormandy said that he released the information because Microsoft would not commit to producing a patch within 60 days. "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days," Ormandy said on Saturday.

    3. Re:5 days spent trying to get a fix within 60 days by shird · · Score: 4, Interesting

      I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225

      From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed Microsoft I would be publishing this advisory in mid August during correspondence (late June) and received no objections."

      For some reason they only put it into a service pack and didn't want to release a hotfix. After people got wind of what happened they backdated a hotfix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx

      --
      I.O.U One Sig.
    4. Re:5 days spent trying to get a fix within 60 days by Deathlizard · · Score: 1

      Then give MS an ultimatum that you'll release the exploit in 60 days if they ignore it. It gives you the same result you were looking for and reduces the chance of a wild exploit.

      Giving them 5 days to set a priority on an exploit when they have to deal with hundreds, if not thousands, of exploit reports per patch cycle, then releasing exploit code because you didn't like the answer they gave you, is not helping your case, Microsoft, or the internet for that matter.

    5. Re:5 days spent trying to get a fix within 60 days by uncqual · · Score: 1

      Indeed this is the minimum I would expect from someone.

      I'm sure that I'm not the only person who, after googling "Tavis Ormandy" as part of evaluating him for a job, would decide to take a pass -- he obviously has poor judgment, is vindictive, and doesn't think outside his little box. Imagine what he would do if he disagreed with an internal change. Actually, I might be more likely to hire Terry Childs for a job than this guy -- at least Childs has had time to reflect quietly on the wisdom of his decision.

      I would hope that Google would consider if they trust this guy. By being identified as a Google employee, he's sullying the name of Google. As a consumer of Google, I would prefer that this guy doesn't have access to code running on my computer or seeing my demographic data that Google may collect on me or my family.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    6. Re:5 days spent trying to get a fix within 60 days by Todd+Knarr · · Score: 2, Interesting

      Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him you'd be following. If your enemy won't negotiate, forgo the threats and simply proceed with the plans you made for that contingency.

    7. Re:5 days spent trying to get a fix within 60 days by abigsmurf · · Score: 1

      No matter how you spin it. Waiting 5 days is not waiting 60 days.

    8. Re:5 days spent trying to get a fix within 60 days by Anonymous Coward · · Score: 0

      WTF makes this guy so special compared to the hundreds of security firms and other people that have also submitted security vulnerability reports to Microsoft, especially to the point where this guy thinks he can dictate how fast Microsoft is to work on its software?

      The difference in mentality between how Google and Microsoft work is that when something is vulnerable on a Google system, Google can simply pull the plug, and turn it back on once they've spent a few minutes or several months fixing whatever issue there was (yay! eternal beta). For Microsoft, once they release a fix there's no guarantee everyone is going to apply it. And if the fix makes the problem worse, there's no guarantee they'd be able to repeal the patch either.

      The point is people writing _web_ based services can STFU.

    9. Re:5 days spent trying to get a fix within 60 days by codegen · · Score: 2, Interesting

      At least you and Ormandy got a response. My group found a security hole in the OSPF router in Windows 2000 Server around 2003. We sent the details into Microsoft and we never got a response. You would think a security report from the Canadian military would at least rate a "we have received your report and are investigating".

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    10. Re:5 days spent trying to get a fix within 60 days by Deathlizard · · Score: 1

      Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them

      Yeah, kinda like what MS is doing now, except not only Microsoft but the Entire Security Industry is smearing him.

      At least if he waited 60 days the Security Industry would blame MS for sitting on the exploit report for two months.

      PS: Don't try to justify an idiotic stunt with Microsoft hate. If this guy pulled this stunt with any other OS, Slashdot would be pulling out the torches and pitchforks (as they should) and you know it.

    11. Re:5 days spent trying to get a fix within 60 days by arose · · Score: 1

      No matter how you spin it. Not being cooperative is not being cooperative.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  9. JUNE 15th... by mbeckman · · Score: 4, Funny

    A day that will live in Ormandy.

    1. Re:JUNE 15th... by grcumb · · Score: 1

      A day that will live in Ormandy.

      Too soon
      Too soon
      The 15th of June...

      (Apologies to Guy Fawkes.)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:JUNE 15th... by mlgeek · · Score: 1

      G-Day, the landing in Ormandy.

  10. Microsoft: are you pleased with yourself? by mrsam · · Score: 3, Insightful

    This is a question that should really be asked of Microsoft.

    Microsoft, are you really pleased with yourself for leveraging your monopoly power to foist upon the public a Rube Goldbergian monster of an operating system? An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.

    He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?

    If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 hours a day (in shifts, of course, around the world, in accordance with their timezones' ordinary business hours), then why not?

    1. Re:Microsoft: are you pleased with yourself? by QuantumG · · Score: 3, Interesting

      It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff.. well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

      --
      How we know is more important than what we know.
    2. Re:Microsoft: are you pleased with yourself? by Todd+Knarr · · Score: 5, Informative

      Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

    3. Re:Microsoft: are you pleased with yourself? by Anonymous Coward · · Score: 0

      Yeah, they refused to agree to his timetable, because it's just him trying to hold them hostage. There are times when you need a fix in a given timeline, and then there are times when the person wanting things fixed is basically extorting you.

      I see nothing about Microsoft refusing to fix it. I see somebody at Google being a douche though.

    4. Re:Microsoft: are you pleased with yourself? by 10101001+10101001 · · Score: 1

      It's not just Microsoft...the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff..

      No, I'm pretty sure his point was Microsoft has created "a rube-goldbergian monster" where one has to even *worry* about whether the browser can automatically open a help file and execute arbitrary stuff. Microsoft's seeming mindset in the 90s was very much one of "oh, I'm sure no one would try to do anything malicious" as they slap yet another large, buggy component into another one. Now that all sorts of software is dependent on that interconnectivity, Microsoft can't simply scrap the concept without losing tons of customers and they can't reasonably audit the whole OS because it's simply too complex. Instead, Microsoft is left to try to create large whitelists, zones, and patches. In short, it's very much a Microsoft problem.

      well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online.

      Not exactly true. The risk on most other platforms is accessing stuff you got online when you're not (i.e., malicious zip files, or whatever) that exploit flaws in a decompressor or decoder. Those are isolated enough, though, to be provably correct at some point.

      You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

      Granted. While something might not be online today and all its inputs might be from safe sources, nothing is to stop someone else from using it later in an online app or on unsafe data (the issues with the reference jpeg code being buggy come to mind). It's this disregard for security that got Microsoft in the mess it is today. Thankfully, almost every other company is sane enough to be willing to break backwards compatibility, even on a large scale, if it's the best approach to avoiding complexity issues that are near unresolvable. The real shame is Microsoft doesn't have the sense to do the same; but then, Microsoft wouldn't be Microsoft if they had.

      --
      Eurohacker European paranoia, gun rights, and h
    5. Re:Microsoft: are you pleased with yourself? by ZorbaTHut · · Score: 1

      You [i]can[/i] say "oh, that application isn't connected to the network, it doesn't need to be secure". However, you have to keep a very close eye on how it communicates with insecure applications, otherwise your so-called "secure" app is actually not secure in the least.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    6. Re:Microsoft: are you pleased with yourself? by Anonymous Coward · · Score: 0

      Well, his goal was to get this fixed in a reasonable time-frame. Looks like he "won" either way. The only reason Microsoft tries such stuff is because so many bug reporters have no problem waiting for _years_ for Microsoft to fix a security issue and some people at Microsoft seem to think that's normal.

    7. Re:Microsoft: are you pleased with yourself? by dropadrop · · Score: 1

      Yeah, they refused to agree to his timetable, because it's just him trying to hold them hostage.

      Or maybe, based on their old track record he wanted to make sure they are committed? I understood he wanted to hear of a reasonable timetable, not force his own.

      There are times when you need a fix in a given timeline, and then there are times when the person wanting things fixed is basically extorting you.

      Are you saying these are exclusive? I work on a software project, and whatever I feel the motivation of somebody disclosing a critical vulnerability is, you can be sure I will work on getting a patch out first, and figuring out the rest later. What makes you feel this was not a time when you need a fix in a given timeline? For critical vulnerabilities there should be no problem committing to 60 days.

      I've had cases where vulnerabilities have been exploited in the wild and we've had to reverse engineer the problem out of the exploits. I've also had cases where somebody has just announced they will go public with a vulnerability in X days. You can be sure I prefer the latter, and I'm actually grateful that they gave us a week or two in advance.

    8. Re:Microsoft: are you pleased with yourself? by Pastis · · Score: 1

      It's not unreasonable to think that if someone @ Google has encountered the issue, someone else outside of Google might have. The reporter claims it.

      Google still probably has thousands of computers affected by the problem. They want the problem fixed. In a less important manner, they also want their (thousands of) customers protected as well.

      It's their responsibility to make sure that their machines and their customers are not at risk.

      Microsoft is the only one who can not only properly fix the issue, but investigate the source and fix similar issues.

      Not being able to come up with at least a commitment to fix the issue is bad.

    9. Re:Microsoft: are you pleased with yourself? by arose · · Score: 1

      Extorting? Release a fix, or people will be vulnerable? That much was true ever since the bug was introduced. Fix it within 60 days or I'll inform people that there is a problem with the system you sold them? What kind of extortion are you talking about?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    10. Re:Microsoft: are you pleased with yourself? by Anonymous Coward · · Score: 0

      ...leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope...

      Jesus, my smugmometer is off the charts. You are aware of the inherent complexity of an operating system, yes? This isn't a problem exclusive to Windows. Look at the size (in lines of code) of an average Linux distro, or of Mac OS X. We are far from the days in which one person would be able to understand any entire substantial application, let alone an operating system. So blaming a company for writing an operating system that is complex is like blaming a whale for being big.

      Not that I'm excluding MS from any responsibility, but this is not a trivial thing.

  11. The elephant in the room by Ironchew · · Score: 4, Funny

    Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.

    Begging the question: was it Slashdot?
    [/humor]

    1. Re:The elephant in the room by Anonymous Coward · · Score: 0

      Or even better, was it code.google.com?

    2. Re:The elephant in the room by Anonymous Coward · · Score: 1, Informative

      Begging the question

      Raising the question

    3. Re:The elephant in the room by dangitman · · Score: 4, Insightful

      Begging the question: was it Slashdot?

      No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.

      --
      ... and then they built the supercollider.
    4. Re:The elephant in the room by grcumb · · Score: 1

      Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.

      Begging the question

      Raising the question

      No, I think 'begging' was appropriate, because Microsoft, by being just glib enough to mention that it was a FOSS site, but too coy to name it, manages to create the suspicion that any FOSS site might be spreading malware to their poor defenceless XP clients.

      Very lawyerly, indeed. And a fine example of Begging the Question, albeit without actually asking a question. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    5. Re:The elephant in the room by Anonymous Coward · · Score: 0

      No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes that I browse twice a day.
      Fixed

  12. hcp protocol by shird · · Score: 4, Interesting

    I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

    I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you had full control. There was heaps of code that could have had a bug in it; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more, as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

    Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

    --
    I.O.U One Sig.
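    A defender-side check for the state of the hcp:// handler shird describes, as an added example that is not code from this thread, from Ormandy's advisory, or from Microsoft. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP (the key the vendor workaround removes) and that the Help and Support Center runs as the helpsvc service; both names are assumptions to confirm against your own build. It is written in PowerShell 2.0 syntax so that it runs on an XP host.

```powershell
# Added example, not code from the thread or from Microsoft: a defender-side check of
# whether an XP host still exposes the hcp:// Help and Support Center handler.
# ASSUMED values: the handler lives under HKEY_CLASSES_ROOT\HCP (the key the vendor
# workaround removes) and the Help and Support Center service is named "helpsvc".
# Confirm both against your own build before relying on the result.

function Get-HcpExposure {
    $hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'   # assumed location of the hcp:// handler
    $result = @{
        HandlerRegistered = $false
        HandlerCommand    = $null
        ServiceState      = 'NotPresent'
        ServiceStartMode  = 'Unknown'
        Exposed           = $false
    }

    # 1. Is hcp:// still a registered URL scheme? With the key gone, the browser has
    #    nothing to hand an hcp:// link to, which is the point of the workaround.
    if (Test-Path $hcpKey) {
        $result.HandlerRegistered = $true
        $cmd = Get-ItemProperty "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue
        if ($cmd) { $result.HandlerCommand = $cmd.'(default)' }
    }

    # 2. State of the Help and Support service (assumed name "helpsvc"). Disabling it is
    #    the other mitigation mentioned in the thread; record it so the report is complete.
    $svc = Get-Service -Name helpsvc -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceState = $svc.Status.ToString()
        $wmi = Get-WmiObject Win32_Service -Filter "Name='helpsvc'" -ErrorAction SilentlyContinue
        if ($wmi) { $result.ServiceStartMode = $wmi.StartMode }
    }

    # The handler key is what turns a web link into a Help Center launch, so its presence
    # is the exposure indicator; the service fields are context for the operator.
    $result.Exposed = $result.HandlerRegistered
    return New-Object PSObject -Property $result
}

# Print a report and exit non-zero when the handler is still registered, so the
# script can feed a fleet-wide inventory job that collects one line per host.
$report = Get-HcpExposure
$report | Format-List
if ($report.Exposed) { exit 1 } else { exit 0 }
```

    The script only reads registry and service state; applying the workaround itself (removing the handler key or disabling the service) is left to the operator, since either change also breaks the legitimate Help and Support Center links that depend on the handler.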
  13. Re:This is classic Tavis. by Sir_Lewk · · Score: 3, Insightful

    The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  14. Re:The bad guys thank you Tavis. by hedwards · · Score: 4, Informative

    Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.

  15. Yeah... by Greyfox · · Score: 3, Insightful

    Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  16. NOT zero day attack. by slashkitty · · Score: 5, Insightful
    This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

    Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

    --
    -- these are only opinions and they might not be mine.
    1. Re:NOT zero day attack. by Moddington · · Score: 1

      Not to mention he released the vulnerability last Thursday, and we're only hearing about an exploit now. I'd really like to know what definition of "Zero-day attack" they're using, because I certainly can't reason out what it is.

    2. Re:NOT zero day attack. by Barny · · Score: 1

      Zero-day as in how many days it has been since a security patch for the flaw; until the flaw is patched, it's considered "Zero-day".

      --
      ...
      /me sighs
    3. Re:NOT zero day attack. by andrewagill · · Score: 1

      That renders the definition useless. By that logic, unpatched flaws that have existed for years could be called zero day.

      I hope the term zero day goes away, or at least that someone defines the word day in this context.

    4. Re:NOT zero day attack. by Barny · · Score: 1

      Well, I haven't been part of the warez scene for a long time, but way-back-when a "0-day warez" meant a crack for a game or program that was not detectable by the software maker and would usually patch as normal.

      Not really that new a term, just that since we are now much more security conscious it's gained an extra field.

      --
      ...
      /me sighs
    5. Re:NOT zero day attack. by Anonymous Coward · · Score: 0

      0-day is something that's not public knowledge yet.

      News of 0-day things is silly because by then, they definitely aren't.

      As soon as even one AV/anti-malware vendor knows about a new sploit, it's not 0-day anymore.

      And they will know as soon as some of their honeypot spiders stumble on a site not protected with current IP blocklists against such spider sources.

    6. Re:NOT zero day attack. by slashkitty · · Score: 1
      wikipedia: "A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability."

      The key here is that was not "undisclosed to the software developer".

      As to others, it was disclosed before there were actual live working attacks.

      I've been involved in several software vulnerability disclosures. None of these I would consider a zero day. For example, disclosing a problem with a major banking site... This was after 6 months of them ignoring me.

      --
      -- these are only opinions and they might not be mine.
    7. Re:NOT zero day attack. by arose · · Score: 1

      No, 0-day is when the vulnerability is known to be actively exploited before it's publicly disclosed. If exploits pop up the day of disclosure that is still a 1-day. Patches don't even enter the picture.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    8. Re:NOT zero day attack. by Barny · · Score: 1

      That definition defeats itself: as soon as we know there's a working attack, we know the exploit exists, so then it's no longer 0-day...

      --
      ...
      /me sighs
  17. Ormandy did exercise responsible disclosure by Todd+Knarr · · Score: 5, Insightful

    Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

    1. Re:Ormandy did exercise responsible disclosure by MeNeXT · · Score: 3, Interesting

      You are assuming his system would be safer when in fact it is NOT.

      --
      DRM? No thanks, I'll just get it somewhere else...
    2. Re:Ormandy did exercise responsible disclosure by oddTodd123 · · Score: 1

      I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

      Hey wait a minute. Who installed Microsoft software in the first place? Clearly it's the users and admins who put the systems at risk, not Microsoft!

    3. Re:Ormandy did exercise responsible disclosure by drinkypoo · · Score: 4, Informative

      So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

      This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

      Had he kept his mouth shut, your systems would be safer.

      No, they would seem safer, but be less safe.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Ormandy did exercise responsible disclosure by Khyber · · Score: 2, Informative

      No, they wouldn't be any safer.

      This exploit has been known about in security circles for AGES.

      And MS has had several warnings, one from myself included, about four years ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Ormandy did exercise responsible disclosure by Barny · · Score: 3, Funny

      I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

      I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

      I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

      I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

      --
      ...
      /me sighs
    6. Re:Ormandy did exercise responsible disclosure by linux4u1 · · Score: 1

      Interesting, except you never know that a black hat hacker has not been exploiting this for 9 years and not sharing his exploits. Bugs should be disclosed very soon, because you never know how long someone's been using said undisclosed exploit. If you find a bug, don't you think others find it too? At the same time some companies release said products with that bug and just might have known about it when it was released and didn't want to address said issues.
      Anyway, there's no point for software to ever be perfect if a company wants you to buy a new version. How many patches have been re-patched because they added new problems? Anyway, these are some of the main problems with closed source software.

      --
      life is linux, linux is life
    7. Re:Ormandy did exercise responsible disclosure by __aaqvdr516 · · Score: 1

      It seems to me that Ormandy did not follow all the rules of responsible disclosure as defined by Microsoft and injected some of his own (or Google's) rules into the process that is already established at Microsoft. Here's the link to MS's responsible disclosure site:
      http://www.microsoft.com/security/msrc/collaboration/ecostrat.aspx

      Absent is any mention of a timetable from MS's site. MS's procedure is the result of talks in 2001-2002 with multiple vendors as to how they were going to handle reporting of bugs/exploits. If Google handles their bugs differently, that's Google's business. Ormandy would have been kept in the loop regarding the timetable for the fix but he took it upon himself to bypass the whole procedure.

    8. Re:Ormandy did exercise responsible disclosure by Onymous+Coward · · Score: 1

      and presumably was never exploited

      ...

    9. Re:Ormandy did exercise responsible disclosure by Todd+Knarr · · Score: 4, Insightful

      Yes, Microsoft's rules for "responsible disclosure" are undoubtedly "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.

    10. Re:Ormandy did exercise responsible disclosure by Your.Master · · Score: 1

      His employment contract with Google should be relevant:

      http://www.google.com/corporate/security.html

    11. Re:Ormandy did exercise responsible disclosure by Yvanhoe · · Score: 1

      This had the desired result: it forced Microsoft to step up and fix the problem.

      Has it? I am not sure a patch is available yet.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    12. Re:Ormandy did exercise responsible disclosure by Todd+Knarr · · Score: 1

      Yep. And he followed Google's policies. Microsoft failed to comply with responsible disclosure by refusing to commit to fixing the bug, at which point Ormandy followed responsible disclosure rules by disclosing the vulnerability through proper channels. Note that that is the "disclosure" part of "responsible disclosure". Much as Microsoft might wish otherwise, responsible disclosure does not mean "Let the vendor leave the vulnerability in place while denying any vulnerability exists.".

    13. Re:Ormandy did exercise responsible disclosure by Snowhare · · Score: 1

      Exactly. People keep glossing over this part of Tavis's original post:

      Protocol handlers are a popular source of vulnerabilities, and hcp:// itself has been the target of attacks multiple times in the past. I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.

      Tavis released it because MS seem uninterested in committing to fix it and because the bad guys probably already had it.

    14. Re:Ormandy did exercise responsible disclosure by Todd+Knarr · · Score: 1

      Had he kept his mouth shut, your systems would be safer.

      No, my systems would not have been safer. They would have been just as vulnerable to attack, and attackers would have been just as likely to be exploiting the vulnerability. If a vulnerability exists, you should assume that if you know about it the bad guys are 100% likely to know about it and 100% likely to be actively attempting to exploit it. The only difference is that, if this disclosure hadn't happened, I wouldn't know I needed to check whether my systems are in fact vulnerable (they aren't, because I've disabled the service the vulnerability exploits) and wouldn't know what steps I could take to secure them until Microsoft released a fix. Nor would I even necessarily know when Microsoft fixed the problem. They could very well (as they've already been shown to have done) back-doored the fix into another update and not made any explicit mention of it, leaving me open to the very real possibility of leaving myself vulnerable because I looked at the description of the update, saw that it didn't address anything that affected me immediately (e.g. it fixes a remotely-exploitable vulnerability in a service I don't run or have blocked at my firewall), classified it as low priority and put off installing it.

    15. Re:Ormandy did exercise responsible disclosure by Todd+Knarr · · Score: 3, Informative

      Article ID: 2219475 - Vulnerability in Help Center could allow remote code execution. The related security advisory was first posted June 10th, and the KB article with the FixIt in it was first referred to on June 11th.

    16. Re:Ormandy did exercise responsible disclosure by Anonymous Coward · · Score: 0

      Are you really assuming that the Google programmer is keeping critical files or information on a box running Windows XP?

      His system is safer by virtue of him being able to identify security flaws like this. Most people get trojaned and lose the ability to operate their computer. This guy gets trojaned and has the know-how to identify the vector of attack.

    17. Re:Ormandy did exercise responsible disclosure by Khyber · · Score: 1

      More than already had it, we were already using it.

      Well, not me. I turned HCP off a long time ago. For gaming, remove all unnecessary cruft.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    18. Re:Ormandy did exercise responsible disclosure by __aaqvdr516 · · Score: 1

      Even within Google's policy there's nothing that says "the bug reporter should ask for or receive a timetable for bugfixes". It does say "We take security issues seriously and will respond swiftly to fix verifiable security issues. Some of our products are complex and take time to update. When properly notified of legitimate issues, we'll do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible." Ormandy could have simply made a post about how he felt about MS's bug handling procedures. He chose the wrong way to do so.

    19. Re:Ormandy did exercise responsible disclosure by Anonymous Coward · · Score: 1, Interesting

      Where are people getting this shit about MS being unwilling or uninterested in fixing this?

      Quote "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week"

      They told him they would give him a schedule at the end of the week, but somehow he decides before the end of the week that he is gonna release it anyway even though they have told him they will give him a schedule. Tavis has been a complete twat and I hope he gets raked over the coals for it; his behaviour was childish and idiotic and placed millions of users at risk because he had a hard on and could not wait one more day for the promised release of the schedule to him.

    20. Re:Ormandy did exercise responsible disclosure by mikazo · · Score: 1

      No, they would seem safer, but be less safe.

      No, they actually would be safer because now that the exploit has been publicly disclosed, a much more vast audience of malicious hackers knows about and can use the exploit. If you assume someone knew about the exploit before (which is a safe assumption), it was probably only a small number of people because I'm sure some hacker isn't going to share something he thinks he's the only one sitting on. While security through obscurity is definitely a bad thing, it's at least somewhat better than having the hole posted for the world to see, getting even more publicity because of the surrounding debate on the subject.

      --
      I was only 28,931 registrations away from having a 6-digit UID
    21. Re:Ormandy did exercise responsible disclosure by Anonymous Coward · · Score: 1, Interesting

      So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

      This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

      Had he kept his mouth shut, your systems would be safer.

      No, they would seem safer, but be less safe.

      You need help with your basic logic.

      Before the Google engineer opened his mouth you may have been vulnerable to one or two very clever hackers.
      Those very clever hackers probably have a few more tricks in their bag we don’t know about leaving your computer equally vulnerable to them. But now you are vulnerable to every poser script kiddy that can use copy and paste.

      I think it’s pretty safe to say that more computers on the internet are less safe today thanks to Google.
      I wonder if he was the same Google engineer who was using an old version of flash with IE6 on an un-patched Windows XP box; since he has no regard for security.

    22. Re:Ormandy did exercise responsible disclosure by Anonymous Coward · · Score: 0

      Important Microsoft Windows emergency hotfix. We've now added a "responsible disclosure" clause to our EULA. TY and have a nice day.

    23. Re:Ormandy did exercise responsible disclosure by casings · · Score: 1

      He chose the correct thing to do because it gets a fix quicker from Microsoft. Your flawed logic is why full disclosure is the only way to release a bug report.

      Who the fuck wants to read an article where someone is whining about how long Microsoft takes to fix an important vulnerability he has found? People want to know the vulnerability so that you can protect your systems against it. I don't give a fuck about who reports a bug or when. Tell me as soon as you know, so that I can protect my systems UNTIL a patch is given.

      When did slashdot become infected with morons?

    24. Re:Ormandy did exercise responsible disclosure by DaveV1.0 · · Score: 1

      You are saying Ormandy forced Microsoft to release the fix. Let's see how true that is.

      Ormandy reported the problem to Microsoft.
      Microsoft told Ormandy they would need 5 days to get a release schedule.
      Ormandy releases the exploit and code 2 days later.

      That doesn't seem to match up with what you are saying. Looks like you are a liar.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    25. Re:Ormandy did exercise responsible disclosure by drinkypoo · · Score: 1

      If you assume someone knew about the exploit before (which is a safe assumption), it was probably only a small number of people because I'm sure some hacker isn't going to share something he thinks he's the only one sitting on.

      You're assuming that a small number of people can't affect a large number of people, but that's an invalid assumption given the existence of botnets. They start from a small number of infections. They may typically start by targeting a single vulnerability. In reality it is irrelevant how many people know about an exploit; what's relevant is how many competent people know about it.

      While security through obscurity is definitely a bad thing, it's at least somewhat better than having the hole posted for the world to see, getting even more publicity because of the surrounding debate on the subject.

      Uh, what? What you just said is that although security through obscurity is a bad thing, it's better than the opposite. Either it isn't, or it's a good thing.

      What's good is when operating system vendors are motivated to fix security holes. And if "the community" doesn't do "this kind of thing" then they won't be. They need to know that we the users mean business! If they're going to send us this shit, and then be unresponsive when we complain, they're going to have to deal with the consequences. If you think that makes the users responsible for the unresponsiveness of the company, well, you may have a point. What would be better than disclosing these vulnerabilities would be to turn around and walk the other way and just put your effort into an operating system maintained by someone (or, you know, everyone) who cares about security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    26. Re:Ormandy did exercise responsible disclosure by Blakey+Rat · · Score: 1

      When did slashdot become infected with morons?

      I'm guessing the instant the first person signed on with an opinion different than yours. Because obviously anybody not toeing your line is a moron.

      Am I right?

      Look, there's tons of *valid* opinions about how this guy handled the bug disclosure. Calling people morons doesn't help the discussion and just makes you look like an asshole.

    27. Re:Ormandy did exercise responsible disclosure by Anonymous Coward · · Score: 0

      You need help with your basic logic.

      Really? I think you need the help, actually.

      I think it's pretty safe to say that more computers on the internet are less safe today thanks to Google.

      No, it's not.

      It's completely safe to say that the blame lies squarely with Microsoft for refusing to commit to a schedule for a fix, in accordance with the rules of responsible disclosure. Your attempt at shifting the blame is transparent and shameful. It's also frankly counter to what you're (probably) trying to accomplish, in that it puts Microsoft in an even worse light.

  18. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    If you read the article, MS promised to give a timetable before the end of the week (which, as it happens, is five business days from time of reporting, at latest). Tavis instead gave them two and a half business days. This in contravention to Google's clearly-stated policies.

  19. Re:The bad guys thank you Tavis. by sohp · · Score: 4, Insightful

    Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.

  20. A means to pose the Question.... by Anonymous Coward · · Score: 0

    "To Cloud or not to Cloud"

    Deduced, simply by the source (Google) their effort and the time line.

    The Bigger question is...

    Who controls YOUR relationships?
    You or others?

    Think about it.

  21. Services.msc, use it! by jack2000 · · Score: 5, Informative
    Ha, Help and Support Center. I've had that service disabled since I installed this thing long ago! If you try to run anything with the hcp protocol it flat out tells you:

    Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.

    So you can disable that service and be at ease that nothing is going to happen to you or your users.
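    One way to check and apply the mitigation this post describes from an XP command prompt, as an added example that is not part of the thread and not from any of its posters: the script below queries the Help and Support service and, when run with /disable, stops it and sets its start type to disabled. It assumes the service's short name is helpsvc (the name XP uses for "Help and Support"); confirm the name with `sc query` on the machine in question before relying on it.

```batch
@echo off
rem Added example (not from the thread). Reports whether the XP "Help and Support"
rem service is running and, with /disable, stops it and sets it to disabled so that
rem hcp:// links are no longer handled. Assumes the service short name is helpsvc.
setlocal

rem --- check: is the service currently running? ---
sc query helpsvc | find /i "RUNNING" >nul
if %errorlevel%==0 (
    echo Help and Support service ^(helpsvc^) is RUNNING: hcp:// links are handled.
) else (
    echo Help and Support service ^(helpsvc^) is not running.
)

rem --- current start type, so an admin can see whether it comes back on reboot ---
sc qc helpsvc | find /i "START_TYPE"

rem --- mitigation: only when explicitly requested ---
if /i "%~1"=="/disable" (
    echo Stopping and disabling helpsvc ...
    sc stop helpsvc >nul 2>&1
    rem note the mandatory space after "start=" in sc's syntax
    sc config helpsvc start= disabled
    sc qc helpsvc | find /i "START_TYPE"
)

endlocal
```

    Run it without arguments from an administrator prompt to audit a box; run it with /disable to apply the change. The start type check matters because a service that is merely stopped restarts on the next boot, whereas one set to disabled stays off until an administrator re-enables it.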

    1. Re:Services.msc, use it! by QuantumG · · Score: 2, Interesting

      So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.

      --
      How we know is more important than what we know.
    2. Re:Services.msc, use it! by jack2000 · · Score: 1

      Not something Microsoft would want to do, even though the Help and Support Center is of questionable use. That's why I disabled it in the first place.

    3. Re:Services.msc, use it! by Anonymous Coward · · Score: 0

      That's not quite how Windows Update works. There's no WinSSH service.

      If MS were to just leave something open in Windows through which they could "push out that command", well, let's just agree that that could be a Bad Thing(tm).

    4. Re:Services.msc, use it! by Tim+C · · Score: 1

      They couldn't push out the command, but they could certainly push out a security/high priority "update" that merely disables the service - everything pushed out via Windows Update is an executable, after all.

    5. Re:Services.msc, use it! by Anonymous Coward · · Score: 0

      Regardless of security threats, that's one of the services you should have disabled by default. I disabled it years ago when I first got XP, along with a slew of other useless but always-on services.

      It's not like there's any real information in Windows Help anyway. It just eats up memory.

    6. Re:Services.msc, use it! by nedlohs · · Score: 1

      Of course it is. An update can update whatever it wants, from the kernel to which services are enabled, to arbitrary registry settings, to installing an application.

      And they have a mechanism to push updates - which the user can turn off of course.

      So that is exactly how Windows Update works.

    7. Re:Services.msc, use it! by Anonymous Coward · · Score: 0

      Because maybe some people would complain about suddenly not being able to use help? I can't imagine the feature would exist if no one in the world used it.

  22. Conspiracy! by Anonymous Coward · · Score: 0

    In a battle between multi-billion dollar entities, this is clearly a play by Microsoft to fight Google.
    "We told you so! We told you so! ...Oops... is that our dev's handle in the comments? Better fix that..."

  23. MicroSilly by defective_warthog · · Score: 2, Insightful

    BUYER be Aware. Is that enough said? Oh well it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace Yall.

  24. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 1, Insightful

    Just a heads up! Your post is self contradictory.

    "Full disclosure is the only truly ethical approach to take to protect the consumer," I hear you say. It would seem that full disclosure, in this case, did *not* protect the consumer.

    Microsoft may deserve whatever you think it does. The ones most affected are the users, however. And despite how much I hate the average person, they *don't* deserve whatever you think Microsoft does.

    There are positives and negatives for full disclosure and non-disclosure. As with anything in life, I like to think that extremes of anything are a bad way to go about things.

  25. HOW TO SCORE? by Anonymous Coward · · Score: 0

    Own goal Microsoft, or goal Google?

    Somebody from the UK here? You are experienced in own goals, so what do you say?

  26. Well, I'm not Tavis by pem · · Score: 1
    but if I had done what he did (negotiated diligently yet fruitlessly with MS for five days), I would probably reserve judgment for whether or not I was "pleased with myself" until I saw how Microsoft acted when they received my next bug report...

    Of course, I might also be "pleased with myself" if my employer had a policy of huge bonuses for published zero day exploits. I dunno whether this happens or not, just sayin' I'd be very pleased to get such a bonus, and would work quite hard to try to get another one.

  27. Bullshit by Anonymous Coward · · Score: 4, Insightful

    Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publicly disclose this vulnerability on day 61, not day 5.

    1. Re:Bullshit by poetmatt · · Score: 4, Insightful

      It's still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

      So far, they sure are silent, aren't they?

    2. Re:Bullshit by Anpheus · · Score: 5, Insightful

      Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

      Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

      Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

      No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

    3. Re:Bullshit by poetmatt · · Score: 3, Informative

      Yes, let's blame the guy who finds the exploit. Clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch Tuesday stuff is prepared in advance, so it's not even remotely an excuse.

    4. Re:Bullshit by logjon · · Score: 3, Insightful

      It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    5. Re:Bullshit by jvillain · · Score: 1

      I don't pay diddly for Fedora and they have fixed bugs in hours when I reported them. In fact they did that again just today. You would think that if you paid fat bank for an OS you would get at least as good service.

    6. Re:Bullshit by hairyfeet · · Score: 0, Troll

      Not to mention Mr Google Douchebag told them on the weekend before patch Tuesday which is the absolute WORST time they could possibly be told, with everyone on crunch time trying to get the QA done before releasing the patches to the public. And he expects them to drop everything just to deal with him? What an asshole.

      I don't care WHO the vendor is, there should be at least 30 days warning given before public disclosure of an exploit like this. Is Google gonna pay for all those infected PCs to get cleaned up? Considering their employee only gave FIVE days before releasing into the wild they should. I don't care which OS you use, Windows, OSX, Linux, this is bad for ALL of us, as these newly infected computers will slow down the Internet and clog servers with spam, and that affects everyone!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Bullshit by Anonymous Coward · · Score: 4, Insightful

      No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

      Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.

      One other reminder from a helpful coward: Security through Obscurity is no security at all.

      A.C.

    8. Re:Bullshit by victorhooi · · Score: 5, Insightful

      heya,

      Gosh, I love it how people here love to applaud Microsoft on their *spectacular* security record, and demonise all those who would dare to challenge that.

      Please, Google already got bitten with Microsoft's shonky products and poor security in the past, my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild, so they might as well get it out there, so that at least people could be aware of it. It's a public service, for crying out loud.

      Remember, just because Ormandy was the first to publicise the exploit, certainly doesn't mean that he was the first to find it. In fact, statistically, the odds are stacked quite against that. Look, full-disclosure has already been proven to be the method that works. And shonky vendors, who are too lazy to look after their users will try and demonise full-disclosure all they like, but at the end of the day, it just looks like them covering their behinds.

      You can come out and be a stupid little prat and insult Ormandy all you want, but at the end of the day, you've done...err...squat? I don't remember seeing any security disclosures published by "hairyfeet". Compared to him, and other security researchers, I have a feeling both you and I know squat all. I certainly couldn't have found the exploit, even if I was looking.

      At least this way, people *know* about the exploit, and it's visible. Better the devil you know, than the one you don't, and all that. Look, if your computer got hit with a drive-by-exploit, and you *didn't* know about it, are you honestly telling me you'd be happier? You should be thanking security researchers like this, who shine a light on the Swiss cheese that is Microsoft's security (yes, this is Windows XP, so perhaps things have improved. I'm not in a position to comment).

      Cheers,
      Victor

    9. Re:Bullshit by 10101001+10101001 · · Score: 3, Insightful

      ... and he then went on to release a hotfix which didn't actually fix the bug.

      Did you expect him to release a patch to uninstall Windows? It is, after all, pretty much a mindset flaw in design that allows for the exploit. In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE. Given that IE is very much an outward facing system, this means that vast parts of Windows which would otherwise be protected with simple security considerations now have to contend with otherwise irrelevant exploits. And because these extensions are grouped together, anyone who takes advantage of any one feature offered becomes vulnerable to any vulnerability in any extension (hence, Firefox and Opera are vulnerable because they apparently take advantage of Windows' protocol handling).

      And what has Microsoft's response been to these problems? Whitelists. Zones. Javascript smudging to try to avoid XSS exploits. Some extra compilation options and stack protection. It's like trying to turn a strainer into a boat by patching all the holes.

      --
      Eurohacker European paranoia, gun rights, and h
    10. Re:Bullshit by Mr.+Freeman · · Score: 4, Insightful

      "And he expects them to drop everything just to deal with him?"

      Of course not. He expects them to fix their software. There's a difference. It's not his fault there's a fucking bug. Microsoft doesn't have to deal with "him". They just have to deal with their software.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    11. Re:Bullshit by Eskarel · · Score: 0, Troll

      A bug for an OS which is two versions behind current and almost a decade old, should not be higher priority than fixing current versions of the software. 5 days is also far too short a time for a company the size of Microsoft to even get a team together to look at the problem, let alone come up with an adequate solution, properly test that solution, distribute that solution and get that solution tested and deployed by customers.

      This guy was a dickhead and if he'd done it to anyone other than Microsoft he'd have been burned at the stake, ffs 5 days?

    12. Re:Bullshit by mgblst · · Score: 1

      Yes, I guess it is his fault for finding it when he did, he should have found it years ago. How can we let these shoddy researchers get away with stuff like this.

      In no way could Microsoft be blamed for any of this at all.

    13. Re:Bullshit by Anonymous Coward · · Score: 2, Insightful

      And he expects them to drop everything just to deal with him?

      No, he expected them to "make a commitment" to fix it within a reasonable time. But -- oh, no -- you don't treat the grandees at MS that way, even if it's a reasonable request. They'll address the problem in their own, royal, good time.

      Well, fuck them -- he showed them what pressure can mean. Good for him.

    14. Re:Bullshit by rtfa-troll · · Score: 3, Insightful

      It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

      The entire point is that delaying notification of people that their systems are vulnerable, after a vulnerability has been disclosed to anyone, increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.

      The fact that the vulnerability was known about for five days, but the vulnerable people were not told, put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    15. Re:Bullshit by rtfa-troll · · Score: 1

      It took me 20 minutes looking at Ormandy's description to realise that there's a perfectly adequate workaround (disable help links). It would take me another 20 minutes to write a mail saying

      Yes, we can see your problem with help links. To be sure we can release this we'll have to do some checks to see that this isn't a broader vulnerability; that normally takes us about five days, though it could be up to three weeks if it turns out to be complex. If we can't fix this within 60 days we'll send out an advisory telling people to disable the help function. After all, they can always open it manually.

      Maybe I'm such a super genius that I should be taking over as head of MS security section on a million a year salary, and this isn't something that would occur to a normal person who'd been working some tens of years in security, but somehow I doubt that.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    16. Re:Bullshit by Anonymous Coward · · Score: 1, Interesting

      "my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild"

      I hope google is not relying on a discontinued operating system for their business operations, it's not like they're amateurs.

    17. Re:Bullshit by Patch86 · · Score: 4, Insightful

      Last I heard, XP still had about 60% market share to Win7's 10%. I'd say that should dictate where their priorities are, seeing as that is where all their customers are.

      (Oblig.) If Ford had sold 1 million Focuses which are now being driven, but have now released a new version and sold only a few thousand, which one should be the safety priority? The new one (should have upgraded, you jerks!), or the one which is most used on the road?

    18. Re:Bullshit by abigsmurf · · Score: 0, Troll

      There's a difference between finding an exploit and making exploit code public before any company with a widely distributed product could possibly react.

      He's no better than a malware developer. At least they tend to keep their code secret. There will always be bugs and exploits in any code.

    19. Re:Bullshit by drsmithy · · Score: 5, Insightful

      In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

      How is using HTML for documentation "shoehorning"? A help system is pretty much a textbook example of where hyperlinking is a good idea.

    20. Re:Bullshit by Kalriath · · Score: 2, Insightful

      In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

      Wrong, wrong, wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X. I'm so sick of hearing bullshit like that spouted all over the place.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    21. Re:Bullshit by naff89 · · Score: 0, Troll

      XP was released 10 years ago and people upgrade their computers much more frequently than they buy new cars.

      If it was a model of car that was 30 years old and someone found a serious safety problem, the unanimous verdict would be to buy a new, modern car.

    22. Re:Bullshit by Mana+Mana · · Score: 1

      > Not only that, but he decided that during the weekend before patch Tuesday.

      WTF? Is CBP 5 days? Where is it written that it's 5 -business days-? Shoot, make sure that it's 5 non Jewish Holiday business days maybe, too, if reporting bugs in New York? Are Christian Holidays OK? If so why? I have some Pagan Holidays coming, how about them? Do they count? How about El Malaguena, count or no count? Ahhh, fuckit, how about we make it 5 days, that should cover weekends, holidays and the like. Why don't they do that, ah, wait, but they did.

    23. Re:Bullshit by Anonymous Coward · · Score: 0

      5 days is also far too short a time for a company the size of Microsoft to even get a team together to look at the problem

      A company the size of MS, especially with their track record, should have a team ALREADY put together to handle just these types of issues. Oh, I'm sorry, they already do.

      And 5 days is plenty of time to simply release a patch that disables the "help" function pending a permanent solution. Or are you really going to try to claim that more than 3 people actually use the MS help center?

    24. Re:Bullshit by MoHaG · · Score: 1

      Not if the new car is slower, uses more fuel, and is harder to drive, mostly because of added safety features... (most of them features protecting drunk pedestrians who walk in front of you (DRM))

    25. Re:Bullshit by dhavleak · · Score: 1

      Actually, I think he was blaming the guy that released the exploit, for releasing the exploit.

    26. Re:Bullshit by ultranova · · Score: 1

      A bug for an OS which is two versions behind current and almost a decade old, should not be higher priority than fixing current versions of the software.

      If the OS is irrelevant, then publishing its bugs is also irrelevant. If the OS is not irrelevant, then your comment is irrelevant.

      5 days is also far too short a time for a company the size of Microsoft to even get a team together to look at the problem, let alone come up with an adequate solution, properly test that solution, distribute that solution and get that solution tested and deployed by customers.

      It takes a whole week of work for Microsoft to forward an email to the bugfixing department? I know that Windows lowers productivity, but still: WTF?

      This guy was a dickhead and if he'd done it to anyone other than Microsoft he'd have been burned at the stake, ffs 5 days?

      The guy was not a dickhead and he didn't do it to someone else, he did it to Microsoft.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    27. Re:Bullshit by Bacon+Bits · · Score: 1

      Sure, he did something right (full disclosure when the vendor fails to act or work with you). He also did several things wrong (arguably early full disclosure, a patch which did not fix the issue). Good intentions and laudable goals do not absolve you of criticism, let alone criticism of what you do incorrectly.

      I'm all for full disclosure for irresponsible vendors, but I primarily see it as a check against those vendors who ignore or neglect vulnerabilities they know about through responsible disclosure. A good vendor who acts upon vulnerabilities in a timely manner and works with researchers deserves the benefit of responsible disclosure. If they fail.

      My thinking:
      1) If exploit in the wild --> immediate full disclosure (there is no benefit to responsible disclosure here)
      2) If irresponsible vendor --> full disclosure
      3) If no exploit ITW and responsible vendor --> responsible disclosure to vendor with time limit based on severity and impact

      Honestly, there ought to be some form of general "vulnerability trust agreement," but vendors generally don't like to hear that their products need fixing. It would be really nice if CERT could coordinate this kind of thing between researchers and vendors better.

      --
      The road to tyranny has always been paved with claims of necessity.
    28. Re:Bullshit by Anonymous Coward · · Score: 0

      If it was a model of car that was 30 years old and someone found a serious safety problem, the unanimous verdict would be to buy a new, modern car.

      Except that XP isn't 30 years old. It's about 10 years. Is that old? Yes. However, remember that upgrading costs money. Vista/7 licenses may not be extremely expensive, but it is still more than I pay to go from Lenny to Squeeze. Furthermore, the average user doesn't care. They wouldn't even know about this exploit. And I don't blame them. When it comes to cars and me, I expect the manufacturer to notify me if there is a serious issue. Otherwise, I just keep driving until something breaks. I don't care about cars. Much like a computer is an appliance to the average user, a car is an appliance to me. And I am going to keep using that appliance until it becomes unusable. When it breaks, I'll just buy a new one.

      The point is, whether computer nerds like it or not, people aren't going to upgrade. So Microsoft had better support XP until they do.

    29. Re:Bullshit by Anonymous Coward · · Score: 0, Informative

      Windows XP will be discontinued on April 8, 2014.

    30. Re:Bullshit by gbjbaanb · · Score: 1

      Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

      Exactly. I mean what can you expect from a company with a measly 88,180 employees

    31. Re:Bullshit by Anonymous Coward · · Score: 0

      Size should have nothing to do with it. A guy sitting in his basement could move faster than Microsoft. Obviously that's what happened here. Microsoft took shortcuts with security, now they're paying for it... enough said.

    32. Re:Bullshit by gd2shoe · · Score: 1

      The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person.

      To be perfectly clear, you are implying that there is a non-trivial possibility that Microsoft may leak usable details about security vulnerabilities before they release patches.

      I'm not going to contradict you, but that's a strong statement to be making. True or not, if I worked for Microsoft I would find it highly insulting. (I don't, by the way.)

      In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.

      It may be his decision, but it affects many people. Any second guessing and debate now may influence future decisions by those participating. Thus, your statement that this debate is wrong is baseless. It may come to nothing, or it may bear fruit.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    33. Re:Bullshit by bloodhawk · · Score: 2, Insightful

      windows XP has already been discontinued, it is in support mode only. Extended support ends April 8 2014.

    34. Re:Bullshit by 10101001+10101001 · · Score: 2, Informative

      In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

      Wrong, wrong wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X.

      You do realize when I say "critical part of Windows", I mean in the "and if we remove it now, people might actually stop using our platform", right? IE was pushed as a central place to do all sorts of things and, with the magic of ActiveX (aka COM objects) and protocol handlers, do it relatively easily. Intranet sites heavily exploited that fact and several companies are now hooked on IE6; it was also their goal to have many "Trusted" internet web sites to heavily use ActiveX and be Whitelisted for lock-in there too, but that didn't work out that well except in South Korea. That was very much the reason MS created the whole Zone feature in IE as well as why they're still quite unwilling to give up on the idea.

      I'm so sick of hearing bullshit like that spouted all over the place.

      Yea, well, go complain somewhere else where someone is actually making the argument you're trying to refute.

      --
      Eurohacker European paranoia, gun rights, and h
    35. Re:Bullshit by Anonymous Coward · · Score: 0

      How about you upgrade? It's your own god damn fault for using an obsolete OS prone to exploits.

    36. Re:Bullshit by rainer_d · · Score: 1

      Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

      And the guy who released the 0day is responsible for that, too?

      Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

      That's what they get for releasing too many almost-identical versions of Windows (and for not having a single version of Windows with all the languages as add-ons).
      What comes around, goes around.

      --
      Windows 2000 - from the guys who brought us edlin
    37. Re:Bullshit by rtfa-troll · · Score: 1

      To be perfectly clear, you are implying that there is a non-trivial possibility that Microsoft may leak usable details about security vulnerabilities before they release patches.

      I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them". Given that, the rest of your statement, which in the best case would be beside the point, becomes irrelevant. Microsoft is not a military organisation; they do not have faraday cages around their offices, they cannot do full security clearance for all employees. Even if their security process is much better than the rest of the company, even if it were better than all of their competitors it is still run by humans and subject to a "non trivial" risk of a leak.

      It may be his decision, but it affects many people. Any second guessing and debate now may influence future decisions by those participating. Thus, your statement that this debate is wrong is baseless. It may come to nothing, or it may bear fruit.

      Currently the attempt to "influence" those involved in the debate is the attempt to intimidate the security researchers. Ormandy never claimed to represent Google and yet MS's supporters have loudly brought Google into the debate. Clearly a future security researcher should use a pseudonym and make sure that it is not associated with his own work. That has unfortunate consequences for our ability to contact the researcher. Debate good. Intimidation bad.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    38. Re:Bullshit by therealkevinkretz · · Score: 1

      People are running on software that's "two versions behind current" and which is "a decade old" for a few reasons. They have a decade of dependency on it. They're wary of Microsoft's "upgrades" (and you've got quite a set for including Vista in that 'two versions behind current' while Microsoft is busy trying to make it look like Vista never existed, buried in the same box as Millennium). As pointed out elsewhere, it's not a stubborn minority refusing to give up XP that Microsoft is being asked to spend a disproportionate time serving. It's the majority of their customers who have purchased a flawed product that it's Microsoft's responsibility to fix. And XP isn't end-of-life'd because it's become useless and obsolete; it's EOL'd because Microsoft wants to sell everyone a new OS.

    39. Re:Bullshit by logjon · · Score: 1, Insightful

      And it would have been perfectly reasonable, if he was really concerned about it being done in a 60 day time span, to release it after 60 days.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    40. Re:Bullshit by Anonymous Coward · · Score: 0

      I'm glad that's wrong. I hadn't realized I could use Chrome or Firefox to view the Windows help system....

    41. Re:Bullshit by commodore64_love · · Score: 2, Interesting

      As I said in last week's Google/XP story (which Slashdot's search engine can't find for some reason), I have no tears for Microsoft. I've hated them since the 1980s. And not just because I go round hating inanimate objects but because they have produced inferior products that were 5-10 years behind superior products from Atari, Commodore, and Apple. They've also done everything short of murder to eliminate competition (block them from running in Windows 3/4) (or sue them in court until they were bankrupted). "Embrace a standard, Extend the standard with MS proprietary features, and then Extinguish our partners" has been their motto since 1990.

      In recent years Microsoft has produced some quality products..... XP (NT 5.x) and Seven (NT 6.1)..... so I'll give them credit for improving but they still have a long way to go. Anything that hurts Microsoft and helps restore competition to the computer marketplace is a positive in my book.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    42. Re:Bullshit by arose · · Score: 1

      Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

      Poor Microsoft, fixing their own fuckups eating into their bottom line, it's not like people pay through the nose for Windows or anything.

      No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

      If you prefer to be fucked over by targeted attacks using unknown exploits that you can't guard against, be my guest. I prefer to be aware of the threats and mitigate when possible.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    43. Re:Bullshit by poetmatt · · Score: 2, Insightful

      so keeping it secret keeps it safer how exactly? when both the malware developers already know about it and are exploiting it?

      Does it make you feel safer?

      It sure doesn't give you any real safety.

      Before this was disclosed, it may have been well known and exploited already. So how is this any different?

    44. Re:Bullshit by poetmatt · · Score: 1

      yes, but this implies that he created the exploit - just because he found it belies the fact that he wasn't the only one to know of it. The fact that he told MS before releasing anything means, that well, MS's team knew about it. They could have asked him not to release it, and guess what? He probably wouldn't have. Clearly though a large quantity of people are more interested in distributing blame because it's Google as opposed to because it's Microsoft, which is amazingly backwards.

      whoopty do.

    45. Re:Bullshit by arose · · Score: 1

      If exploit in the wild

      It is usually a good idea to assume that it is, and is used for targeted attacks by skilled blackhats trying to stay under the radar.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    46. Re:Bullshit by Anonymous Coward · · Score: 0

      yes, lets blame the first guy who finds the exploit and comes forward with it.

      I think that's what you meant. Because let's face it, if I was sitting on a zero-day, I wouldn't tell microsoft anything at all. I'd milk that sucker for all it's worth. There could be a host of people out there whose party has been crashed by Tavis.

    47. Re:Bullshit by arose · · Score: 1

      This isn't one problem in a 30 year old OS, it's one of hundreds of problems in a widely used ten year old OS, why should customers pay Microsoft for Microsoft's mistakes?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    48. Re:Bullshit by arose · · Score: 1

      He didn't decide to create patch Tuesday, Microsoft created this problem for themselves. Microsoft needs to put procedures in place to deal with problems around patch Tuesday, because Blackhats don't give shit and exploit you at their convenience.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    49. Re:Bullshit by Anonymous Coward · · Score: 0

      XP was released 10 years ago and people upgrade their computers much more frequently than they buy new cars.

      Obviously not frequent enough, if 60% of the OS market is still Windows XP.

      If a 30 year old car had 60% of the market, hell yes they would fix the safety issue, not expect 60% of the market to drop everything and buy a new and expensive product to deal with the manufacturer's problem.

    50. Re:Bullshit by bigrockpeltr · · Score: 1

      If the OS is irrelevant, then publishing its bugs is also irrelevant. If the OS is not irrelevant, then your comment is irrelevant.

      mod parent up!! exactly, if the OS is irrelevant then who cares if there are bugs/exploits that can affect it. analogy: the toaster makers think that their previous gen world wide most selling toaster is outdated. the OS for the toaster is irrelevant. therefore no one cares if there are exploits available to burn your toast to a charred brick.

      --
      $ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
    51. Re:Bullshit by JazzLad · · Score: 1

      Unless the preponderance of people still drove 30 year old cars. Then we would demand the issue be corrected. Besides, I thought Windows 2000 came out 10 years ago & that XP was late 2001/2002 but like you I'm too lazy to check.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    52. Re:Bullshit by Anonymous Coward · · Score: 0

      God, you're fucking stupid.
      You ever actually worked on a proper OS? Not that kiddies' playtoy called Linux.
      There is such a thing as ensuring new code changes don't introduce new bugs.
      Maybe you dumbass Linux hippies could learn that one day.

      Fucking dumbass kids.

    53. Re:Bullshit by Patch86 · · Score: 1

      Let us not forget the fact, incidentally, that MS still sells XP. You can still buy brand new computers (netbooks and nettops, for example) with XP on. Even if they phase it out right now, there will still be customers who have owned brand new XP-based PCs for mere months.

      Let us also not forget that we are still firmly within MS's support period for XP. 60% of desktop users still have a cast iron promise from MS that XP will be supported until, what is it, 2014?

      So "should have upgraded, morons!" does look somewhat ridiculous.

    54. Re:Bullshit by endymion.nz · · Score: 1

      With a teensy bit of regular maintenance you could save yourself a lot of money. And you might learn something.

      --
      mediocrity rules, man
    55. Re:Bullshit by dhavleak · · Score: 1

      but this implies that he created the exploit

      He did. See his own post on seclists. In his own words "I've prepared a demonstration for a typical Windows XP installation with Internet Explorer 8, and the default Windows Media Player 9."

      The fact that he told MS before releasing anything means, that well, MS's team knew about it

      Before releasing anything? 5 minutes before? 5 days before? 5 weeks before? It makes a difference, y'know. In this case it was 5 days, including Saturday (day 1) and Sunday.

      They could have asked him not release it, and guess what? He probably wouldn't have.

      They did, and guess what? He released it anyway. Besides, they shouldn't have to ask -- he should have followed responsible disclosure guidelines. The guidelines are not fluff -- imagine if Dan Kaminsky had not followed responsible disclosure for the DNS issues? Would you be defending that action? If yes, then you are out of your mind. If not, then why is this issue special/different so that it is exempt from responsible disclosure?

      Another nugget from Ormandy:

      I would like to point out that if I had reported the MPC::HexToNum() issue without a working exploit, I would have been ignored.

      He has not explained why he went public. A working exploit is a good thing -- it absolutely does sway a vendor to take your issue more seriously. Releasing the working exploit publicly is the problem here. If he followed responsible disclosure guidelines, gave MS a working exploit, and got ignored, then he could take matters into his own hands and he'd have a semblance of a point. To alert them on Saturday and go public on Wednesday is attention-whoring bordering on malice.

      Clearly though a large quantity of people are more interested in distributing blame because it's google as opposed to because it's microsoft, which is amazingly backwards.

      Google does have something to answer for here. Every time one of their employees fucks up, they cannot claim things like, "he did it in his own time", or "it was a summer intern and we didn't realize the code went live". They cannot be such vocal advocates of responsible disclosure, and have their own security researcher not follow the same guidelines that they themselves call for. They cannot claim that he acted independently (used his own time/resources) when Ormandy, in his own post, states "Without access to extremely smart colleagues, I would likely have given up". Either his colleagues helped him with the exploit, or they helped guide his decision to not follow responsible disclosure guidelines (which his employer is in favor of). He very kindly and hypocritically goes on to provide some half-baked opinion on responsible disclosure/full-disclosure and a link to a Schneier article on the topic.

    56. Re:Bullshit by dhavleak · · Score: 1

      If exploit in the wild

      It is usually a good idea to assume that it is, and is used for targeted attacks by skilled blackhats trying to stay under the radar.

      1) The nature of this vulnerability is such that you cannot use it for a targeted attack. You can put the exploit on as many sites as you can, and try to lure traffic there, and accept whatever percentage of machines get compromised -- but you cannot use it for a targeted attack.
      2) If you have data for other vulnerabilities definitively telling you that there are exploits in the wild for them, they get prioritized higher. Next -- if you have two vulns, and the complexity of the exploit is orders of magnitude apart, the assumption is more true for the easier exploit than it is for the one that is orders of magnitude tougher. In other words, the idea itself is fine and dandy -- assume that all vulnerabilities will be, and are being exploited, and fix everything instantly. In the real world, fixing everything instantly (or in the time between Saturday and Wednesday) is *slightly impractical*.

    57. Re:Bullshit by gd2shoe · · Score: 1

      I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them".

      So... You're assuming that serious security researchers use insecure means of communication* and have spyware infested computers? Once you throw out the ridiculous, you end up contradicting yourself.

      Seeing that Microsoft security problems are ubiquitous, have you heard any claims that they have leaked security problems prior to the patch before? (It wouldn't surprise me, but I don't think non-trivial means what you think it means.)

      *(Email isn't always secure, but it can be if both SMTP servers support TLS. If it leaks from a breach of the Microsoft server, then it's just an example of Microsoft leaking info. If an employee is dirty, then it's an example of Microsoft leaking.)

      Debate good. Intimidation bad.

      Granted.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    58. Re:Bullshit by 10101001+10101001 · · Score: 1

      In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

      How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.

      The Windows help system does more than "document". It also provides a mechanism to troubleshoot problems, which includes the loading of external dlls/programs. If all the help system and hcp were was a documentation system using HTML, then there'd be no real need to worry per se about HTML pages being displayed through the protocol. The problem is, hcp does more than that and that's the fundamental problem.

      In short, I never said HTML was the problem. IE and HTML aren't equivalent. Admittedly blaming IE is partially improper since the document handler existing is the fundamental issue. But, then, IE (and Firefox and Opera) should block access to such handlers because there's no good reason to treat some HTML with more privilege than other HTML in a web browser; all HTML and objects in a web browser should be sandboxed from authority to automatically change the system or harassing a user into changing the system. If such special privilege HTML should exist, it should be restricted to a separate program to avoid these sorts of attacks. Of course, had MS done that, the web probably would have been a lot less polluted with MS-specific HTML as it was the large push in intranet sites that convinced so many HTML developers to use IE rather exclusively.

      --
      Eurohacker European paranoia, gun rights, and h
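      Post 55 above quotes Ormandy naming an MPC::HexToNum() issue, and post 58 makes the point that an hcp:// locator does more than fetch HTML, so what the handler lets through matters; neither post describes the actual defect. The block below is an added example, not code from the page, from Microsoft, or from Ormandy's advisory. It models a hypothetical hcp://-style resolver (the scheme handling, the "/system/" allow-listed root, the denylist terms and the behaviour of the two percent-decoders are all assumptions made for illustration) to show the general pattern behind that class of bug: an allow-list enforced on the raw locator text before decoding is only as strong as the decoder that runs afterwards, and a forgiving decoder turns unremarkable-looking input into a path outside the list. The hardened version decodes strictly, canonicalises, and checks the allow-list last.

```python
"""Allow-list check on an hcp://-style help locator: raw string vs. decoded path.

Added example. The scheme, the allow-listed root and both decoders are
assumptions made for illustration; none of this is Windows Help Center code.
"""
import posixpath

SCHEME = "hcp://"              # assumed locator scheme
ALLOWED_ROOT = "/system/"      # assumed: only help content under here may load
HEXDIGITS = "0123456789abcdefABCDEF"


def lenient_unescape(s: str) -> str:
    """A forgiving percent-decoder: a '%' not followed by two hex digits is
    silently dropped instead of being rejected (an assumed sloppy behaviour,
    not a description of any real decoder)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
            else:
                i += 1                      # drop the stray '%' and carry on
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def strict_unescape(s: str) -> str:
    """Percent-decoder that refuses anything other than well-formed %XX."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if i + 2 >= len(s) or s[i + 1] not in HEXDIGITS or s[i + 2] not in HEXDIGITS:
                raise ValueError(f"malformed percent-escape at offset {i}")
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def _path_of(url: str) -> str:
    """Strip the scheme; the rest is treated as an absolute path."""
    if not url.startswith(SCHEME):
        raise ValueError("unsupported scheme")
    return "/" + url[len(SCHEME):]


def vulnerable_resolve(url: str) -> str:
    """Validate the RAW locator, then decode. Both the allow-list and the
    '..' / '%2e' denylist are checked on text the decoder has not seen yet."""
    raw = _path_of(url)
    if not raw.startswith(ALLOWED_ROOT) or ".." in raw or "%2e" in raw.lower():
        raise PermissionError("not on the allow-list")
    return lenient_unescape(raw)            # decoded only after the check


def hardened_resolve(url: str) -> str:
    """Decode strictly, canonicalise, and only then apply the allow-list."""
    decoded = strict_unescape(_path_of(url))   # raises on malformed escapes
    if "\0" in decoded or "\\" in decoded:      # no NUL, no alternate separators
        raise ValueError("forbidden character in path")
    path = posixpath.normpath(decoded)          # collapses '..' and '.' segments
    if not path.startswith(ALLOWED_ROOT):
        raise PermissionError("not on the allow-list")
    return path


def outcome(resolver, url: str) -> str:
    """Summarise what a resolver does with a locator, for side-by-side comparison."""
    try:
        return "loads " + resolver(url)
    except PermissionError:
        return "denied"
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed probes: one legitimate page, one encoded traversal the raw
    # denylist happens to catch, and one that contains neither '..' nor '%2e'
    # as text but decodes to a traversal under the lenient decoder.
    probes = [
        "hcp://system/sysinfo/main.htm",
        "hcp://system/%2E%2E/private/config",
        "hcp://system/%.%./private/config",
    ]
    for url in probes:
        print(f"{url}\n  vulnerable: {outcome(vulnerable_resolve, url)}"
              f"\n  hardened:   {outcome(hardened_resolve, url)}")
```

      The third probe is the instructive one: the raw text passes every string test the vulnerable resolver applies, and only the decoder turns it into "/system/../private/config". The hardened resolver never reaches its allow-list check for that input because the strict decoder rejects the malformed escape, and for the plainly encoded traversal it sees the canonical "/private/config" and denies it. The order of operations (decode, canonicalise, then authorise) is the point, not the particular denylist terms.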
    59. Re:Bullshit by Eskarel · · Score: 1

      I didn't say it was irrelevant or that Microsoft shouldn't fix it. I said that fixing XP should be a lower priority than fixing an equivalent bug in a more modern version of Windows.

      XP is an incredibly old OS, and its design is fundamentally flawed when it comes to security. It has never been and will never be secure. I know Microsoft still sells it (though that'll be done in the next couple months), but that doesn't mean that anyone sane should be buying it. Vista was a bit of a dog, but Windows 7 isn't.

      As for a week, a company as large as Microsoft takes a week to do anything whatsoever, and isn't going to commit to any kind of deadline until it's had a chance to look at it. They didn't say they wouldn't fix it, they didn't even say they wouldn't fix it within 60 days, they said they wouldn't commit to 60 days until they'd had a chance to investigate it. No software company (or any other company) with support commitments would do it any differently.

      5 days makes him a dickhead, I don't care who he did it to, or what they've done in the past. No one fixes a bug in 5 days, and people do use windows help, some of them even use the remote assist feature.

    60. Re:Bullshit by Eskarel · · Score: 1

      You're right, XP did come out in 2001, which is not quite a decade(though close enough). The bigger problem isn't so much the age of release, but the age of the design.

      Whether people believe it or not, Microsoft seems to be starting to get a clue and has come an awful long way from where they were in the late 90's when XP was being designed. A lot of the really stupid things they did which made XP as insecure as it was, aren't part of the design of the Vista/7 line of Operating Systems.

    61. Re:Bullshit by Daengbo · · Score: 1

      I'm going to kind-of defend the guy, but keep in mind that I don't really know what happened any more than you do.

      He contacted MS and asked them to commit to a 60-day timeline, which MS refused to do as always. Despite requiring "responsible disclosure" in order for any credit to go to the security professional, MS never agrees to an important part of the real responsible disclosure: a timeline for a fix. Instead, on several occasions, they've waited for six months or even years, baiting the reporter with "we're working on it." Finally, the white hat gives up on MS, discloses the vuln, and is creamed by MS and in the press. A patch is almost always released quickly and is claimed to have been "in testing" for some time.

      Since this appears to be Microsoft's method of dealing with its version of "responsible disclosure," I can see getting stonewalled and saying "Screw it! MS won't deal with me and I'm going to get flamed anyway in sixty days when I release the details."

      Just my opinion of how it may have worked out.

    62. Re:Bullshit by Daengbo · · Score: 1

      From the first line of your link to responsible disclosure:

      Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.

      MS will never agree to a timeline. It's against their policy. They have repeatedly sat on reports for months and years while doing nothing, finally blaming the professional when he gives up and goes public. How can anyone enter into responsible disclosure with them when they won't meet half way?

    63. Re:Bullshit by Daengbo · · Score: 1

      How did China hack Google? It started with targeted social engineering, getting an employee to follow a link which exploited IE6. It escalated from there. Sure, it can be targeted.

    64. Re:Bullshit by Daengbo · · Score: 1

      It's still a supported product. They can't really ignore security problems until it's unsupported. They decide the timeline for that support.

    65. Re:Bullshit by dhavleak · · Score: 1

      How did China hack Google? It started with targeted social engineering, getting an employee to follow a link which exploited IE6. It escalated from there. Sure, it can be targeted.

      *rolls eyes*

      Whatever makes you happy. Call it a targeted attack then. You still haven't addressed the main point.

    66. Re:Bullshit by Daengbo · · Score: 1

      I don't know if you realize that I'm not the guy you initially responded to so I'm not required to address your main point since that's not one I wanted to discuss. I just wanted to help you out a little by pointing out something you didn't seem to know. *blink*

    67. Re:Bullshit by Anpheus · · Score: 1

      IE, or rather, the HTML rendering component and modules, was pushed to a central place, just like it's been pushed to a central place in every other major OS, distribution, and UI framework right now.

      Sounds like Microsoft was just ahead of the curve?

    68. Re:Bullshit by arose · · Score: 1

      The nature of this vulnerability is such that you cannot use it for a targeted attack. You can put the exploit on as many sites as you can, and try to lure traffic there, and accept whatever percentage of machines get compromised -- but you cannot use it for a targeted attack.

      Have you completely missed the whole family of "phishing" attacks, spearphishing in particular? Pure social engineering specifically targeted at sysadmins has been successful. An actual exploit targeting less security aware users is likely to succeed.

      In the real world, fixing everything instantly (or in the time between Saturday and Wednesday) is *slightly impractical*.

      Working with people trying to practice responsible disclosure and addressing their concerns, however, is *common sense*.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    69. Re:Bullshit by rtfa-troll · · Score: 1

      I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them".

      So... You're assuming that serious security researchers use insecure means of communication* and have spyware infested computers? Once you throw out the ridiculous, you end up contradicting yourself.

      What part of

      Microsoft is not a military organisation; they do not have faraday cages around their offices,

Are you unable to read??? Actually, to be honest I probably am assuming too much. You should look up tempest attacks and assume that they are in use in high level industrial espionage and basic national spying of the type that MS security team is likely to be subject to. That's likely to be rare. On the other hand, insertion of a spy into a commercial organisation or bribing an employee for information is easy and common.

      have you heard

      I've seen enough strange stuff to know I would likely not hear of this. Notice that during the google incident tens of US companies were hacked, but only one chose to mention that it happened. Assume that 90% of security stuff you never hear of and that for professional targeted attacks that rises to 99%.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    70. Re:Bullshit by gd2shoe · · Score: 1

      What part of "Microsoft is not a military organisation; they do not have faraday cages around their offices," Are you unable to read???

      I don't think non-trivial means what you think it means.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    71. Re:Bullshit by rtfa-troll · · Score: 1

      What part of "Microsoft is not a military organisation; they do not have faraday cages around their offices," Are you unable to read???

      I don't think non-trivial means what you think it means.

      "When I use a word it means just what I choose it to mean -- neither more nor less."

      The Microsoft security process is the key to Windows. Windows is the key to 99% of enterprises world wide. If I were running government level industrial espionage (as the US accuses China) and did not have significant information about that process I would want a very detailed explanation why from my intelligence group. I think this would be non-easy. I think that probably the core of the process might not be directly penetrated, but I'm sure that at least some of the people who regularly work near the security group (the cleaner???) are in some way acting as agents of "foreign powers". I'm sure that significant information does leak at least occasionally.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    72. Re:Bullshit by BikeHelmet · · Score: 1

      Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

      Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

      ->

      Windows' Help and Support Center

      I have a few things to say. First, while this is part of Windows's core, it is not a "core component". Pushing out a fix is quite a bit more minor than fixing up a kernel exploit or some other flaw. Very little (perhaps nothing) depends on this service - and most PCs already have it disabled, with no ill effects.

      A few things were settled in the last Slashdot thread:
      1) This guy doesn't represent Google.
      2) This guy has waited for years for Microsoft to fix other critical vulnerabilities. (this also means he has experience measuring bullshit responses)
      3) This guy picked a mostly benign exploit to make his point.

      Microsoft has a history of poor patch times. I recall some IE6 exploits going unpatched for 500+ days. If you don't think that's okay, then you need to reexamine what you think this guy is doing. I'll give you a hint - he's making a point, which will ultimately help far more than it hurts.

    73. Re:Bullshit by dhavleak · · Score: 1

      Working with people trying to practice responsible disclosure and addressing their concerns, however, is *common sense*

      Are you claiming that Ormandy was trying to practice responsible disclosure (saturday through wednesday!!)? Or are you claiming that MS refused to work with him (do you have some inside line on the email exchange that took place)? What exactly are you claiming here???

    74. Re:Bullshit by Anonymous Coward · · Score: 0

      Silent, I cannot hear you.

    75. Re:Bullshit by arose · · Score: 1

      That is what he is claiming, and until the other party tells their side, or there is proof otherwise, an involved party is about the best way to get information on things.

Do you have proof that contradicts his account?

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    76. Re:Bullshit by dhavleak · · Score: 1

      That is what he is claiming

      100% incorrect:
      From Ormandy's own post:
      "Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day."
      Followed by:
      "I would like to point out that if I had reported the MPC::HexToNum() issue without a working exploit, I would have been ignored."
      That was the sum total of his justification for his behaviour. This is *his own* post. Now, he too is having second thoughts about what he did: http://twitter.com/taviso/statuses/15874332662/

      Do you have proof that contradicts his account?

      I hope you'll accept his own post on seclists, and his own twitter post as proof. At this point, you need to just admit that you're wrong to defend him, and he was irresponsible.

    77. Re:Bullshit by poetmatt · · Score: 1

      let me try this very very simply. It honestly amazes me you don't get it yet.

      he disclosed the exploit, but this doesn't mean that a: he created it or b: he's responsible for it. In that sense, who created it? Microsoft. It's also a hell of a lot easier to figure out an exploit when there is a proof of concept. I could claim that xgui is an exploit, but it's kinda hard to show proof without a proof of concept, as the name implies. These kinds of things are very regular.

      Yes, 5 days is a little short, but if this was critical MS could have said to him "please don't release it". Simple as that. However, does any of that matter? no.

      What does matter beyond you being sidetracked? That I still don't hear of a hotfix or patch from MS.. Somehow point fingers at google all day, but you can't see the forest for the trees.

      Do you get the difference?

    78. Re:Bullshit by dhavleak · · Score: 1

      let me try this very very simply. It honestly amazes me you don't get it yet. he disclosed the exploit, but this doesn't mean that a: he created it or b: he's responsible for it.

      You haven't done due diligence then. He took credit for the exploit in his post on seclists, which I already linked to.

      who created it? Microsoft

      Microsoft was responsible for the vulnerability. Not the exploit.

      It's also a hell of a lot easier to figure out an exploit when there is a proof of concept

You appear to be confusing terms here. Do you mean to say that it's easier to understand a vulnerability when there is an exploit for it? The exploit *is* the proof of concept. In any case, that argument is incorrect as well. The exploit proves that the vulnerability is exploitable. That's the proof-of-concept -- it proves that it's exploitable. It helps assign priority as well -- if you prove that it's exploitable, the priority on fixing it goes up -- so creating the exploit is a Good Thing. That is not being debated (to quote you, It honestly amazes me you don't get it yet). The point is, Ormandy should not have made the exploit public. He should provide it to MS. If after some time it appears they are doing nothing, then, if he decided to force their hand, he might have had a point. How much time -- I don't know exactly. Was 5 days (including saturday and sunday) enough? Not even close.

      Yes, 5 days is a little short, but if this was critical MS could have said to him "please don't release it".

      That's the second time you're making this stupid statement -- and the second time I'll remind you that responsible disclosure is the norm. MS should not have to ask him, and you don't even know that they didn't. He never even gave them a chance -- read his seclists posting. Educate yourself before mouthing off. He (Ormandy) himself has a twitter post now stating that perhaps he didn't do the right thing -- but here you are defending his actions anyway. At least he's man enough to admit when he's wrong.

      What does matter beyond you being sidetracked? That I still don't hear of a hotfix or patch from MS.

      No hotfix, because it simply can't be done this quickly. You just agreed that 5 days is a little short, but here you are 12 days on criticizing the lack of a hotfix? What information do you have that makes you think 12 days is a reasonable timeframe? I would really love to hear your timeline/work-item-breakdown for making a hotfix available in 12 days.

      Somehow point fingers at google all day, but you can't see the forest for the trees.

Actually I don't know why you're so determined to keep bringing Google into the picture. You'll notice that I didn't mention them until you did. I merely pointed out that something isn't adding up (about Ormandy acting alone, but using input from colleagues). I'm happy to drop that angle and just argue that making the disclosure public in 5 days was irresponsible. You are the one that keeps bringing Google back into it.

      Do you get the difference?

      Between what and what??

    79. Re:Bullshit by dhavleak · · Score: 1

      So 5 days (starting saturday) is a reasonable timeline then? If Ormandy had used any kind of realistic timeline, this wouldn't even have been news. At 5 days, he was completely unreasonable/irresponsible/attention-whoring, bordering on malice.

    80. Re:Bullshit by Anonymous Coward · · Score: 0

      Supposedly, his proposed timeline was 60 days, which MS rejected out of hand (since they never agree to ANY timeline -- see above). When they refused, he published. Maybe he was a jerk, but MS was at least as much of one.

    81. Re:Bullshit by dhavleak · · Score: 1

      Supposedly, his proposed timeline was 60 days, which MS rejected out of hand (since they never agree to ANY timeline -- see above). When they refused, he published. Maybe he was a jerk, but MS was at least as much of one.

      If he wants to take matters into his own hands and enforce a 60-day timeline, he can tell MS "I'm giving you 60 days" and disclose after 60 days. To go public after 5 days is a dick move.

  28. Killing the messenger is always easy by Anonymous Coward · · Score: 0

    Of course, instead of trying to blame the guy who published the vulnerability, clueless bloggers could just look at the people who actually created it, and ask them "so why, exactly, do you only release patches once a month?".

    It's frickin' obvious: Microsoft created the code, Microsoft provided the infrastructure, Microsoft is aware of it, Microsoft has the ability to create a patch, Microsoft has the resources to provide the patch.
    This is a Microsoft issue start to finish, and blaming the messenger for Microsoft's incompetence and unwillingness to deal with vulnerabilities with the speed they require only shows that the bloggers in question are either a) lacking common sense, or b) Microsoft shills.

  29. I got hit with this exploit yesterday by js3 · · Score: 1

I don't remember exactly which site but while looking up some coding related issues for vs2010 port all of a sudden norton antivirus starts freaking out about malicious programs, then the UAC kicked in constantly asking to run cmd.exe prompting me to reboot. MSHTA.exe was hit with some trojan that tries to root the system. I got lucky with win7 64 and norton av, but yea it's weird a source code site would launch this nonsense.

    --
    did you forget to take your meds?
    1. Re:I got hit with this exploit yesterday by ashridah · · Score: 2, Interesting

      I wouldn't have been surprised if it was actually one of the ad servers the site uses.

    2. Re:I got hit with this exploit yesterday by vlueboy · · Score: 2, Informative

      If the antivirus reported suspicious activity that wasn't stopped, then UAC alone saved you. It is not the first time that the AV fails to "detect" malicious use of scripts, since it has no AI; just authenticating to allow UAC to run the command would have been enough to start the true system-rooting process which may or may not be blocked by the AV depending on what executables are chained to cmd.exe's work.

  30. He sounds like kinda a dick by Anonymous Coward · · Score: 0

    From the sec mailing list:

    Susan, this is what is called "full disclosure", and my response was
    relevant.

    I will not answer anymore uninformed questions on this topic.

    Thanks, Tavis.

    On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:

            I'm not asking about disclosure. I'm asking what happened to the level
            of communication between you and MSRC that after 4 days you posted this?

            Tavis Ormandy wrote:

                    Susan, I wish I had the time to hold your hand through getting up to
                    speed on the disclosure debate. Instead, I would suggest starting with
                    the links in my advisory which were intended to give you enough
                    background to understand the issues involved (skip to the Notes section,
                    if you like).

                    As I cannot hope to speak as eloquently on the topic as Bruce, I will
                    not attempt to repeat them for you here.

                    If after researching the topic you still have questions, please let me
                    know.

                    Thanks, Tavis.

  31. Why do people still use xp? by shoehornjob · · Score: 1

The damn thing will be 9 years old this August. It has more holes in it than Swiss cheese. It came with IE6, which most would agree is the most compromised browser of all time. Why are people still using this thing? I work in a call center and about 85-90% of people I deal with are still using Windows XP. Fortunately there seem to be far fewer people using IE6. Considering the amount of trouble they get themselves into (drive-by attacks: "it said click here so I did. Why doesn't my computer work?") it doesn't really matter what browser they use anyway. The problem here is a lack of basic computer literacy. In my experience the general public has this plug-and-play attitude to computing because they are not forced to learn anything. It makes everything support has to do for a customer that much harder. I don't care if you were stupid enough to click on this popup because it said you have 800 viruses on your computer. Best Buy must be making a killing off these people.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    1. Re:Why do people still use xp? by Jedi+Alec · · Score: 1

      Because short of the occasional driver update or patch it's been running on my pc smooth and stable for years?

      Yes, 7 looks spiffy. I just can't be bothered to invest both time and money fixing something that to me is not broken.

      Use a proper browser instead of IE and a hardware router that is properly configured to keep the majority of the naughty people out and there's very little you need to worry about...

      --
      People replying to my sig annoy me. That's why I change it all the time.
    2. Re:Why do people still use xp? by Tim+C · · Score: 1

      Well for my part, it's because:

      1) My personal laptop is 5 years old and despite being a bit battered is perfectly serviceable for the use to which I put it (email, MSN and surfing) but not up to the job of running Windows 7; and
      2) My PC at work doesn't belong to me so I'm not in a position to upgrade it (or really to demand an upgrade; they are slowly pushing out Windows 7 though)

      My personal desktop I upgraded about 9 months ago; that *is* running Windows 7.

  32. Re:This is classic Tavis. by KingMotley · · Score: 2, Interesting

    I do believe this proves otherwise. What was a previously unknown bug, not being exploited has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.

  33. What's the rush? by symbolset · · Score: 1

    It's not like there aren't thousands of security flaws being exploited in the wild. What's one more, against the convenience of orderly patching?

    --
    Help stamp out iliturcy.
    1. Re:What's the rush? by QuantumG · · Score: 1

      That's the *reason* why there's so many flaws in the wild being exploited.. because Microsoft is completely uninterested in stopping it.

      --
      How we know is more important than what we know.
    2. Re:What's the rush? by symbolset · · Score: 1

      Well can you blame them? For every one they patch dozens more spring up. It must seem like a hopeless task. Can you imagine the global freakout that would transpire if by some miracle they patched 10,000 bugs on one patch Tuesday, pushing what's essentially a reinstall .iso through Windows update? People would be leaping from windows. The Internet would melt. I'm sure you don't want them to go back to pushing patches every day either.

      They'll patch a few once a month just to give the Windows admins something to do, and then after a couple years come out with a new version "Now with enhanced security!" and then we'll repeat the cycle. Again. Don't worry - be happy. It has always been this way. It will always be this way.

      --
      Help stamp out iliturcy.
    3. Re:What's the rush? by Xeleema · · Score: 1

      Can you imagine the global freakout that would transpire if by some miracle they patched 10,000 bugs on one patch Tuesday, pushing what's essentially a reinstall .iso through Windows update? People would be leaping from windows.

      Opening Scene: Outside, Dick has finished scaling the outside of a 10 story building. Down below, a few UNIX guys from I.T. are having a smoke and watching intently...

      Tom(to Harry): "Holy crap, is that Dick up on the roof??"

      Dick(jumps): "Aaaaaiiiiiiiiieieeeeeeeeee!!!!!!!" *SPLAT*

      Harry(to Tom): "Yep. Sure was. You know what this means, right Tom?"

      Tom(to Harry): "We can FINALLY reload that Exchange cluster!!!"

      Harry(to Tom): "Yep." (Stomps out cigarette butt, which leaves a similar shape in the parking lot asphalt as the previous Windows Administrator)

      Close Scene: Fade to black, display "I'm a PC, and Windows 7 was my idea" slogan.

      --
      "When I am king, you will be first against the wall..."
  34. Mitigation? by Derek+Pomery · · Score: 3, Informative

    My understanding is that Firefox disables hcp:// by default:
    network.protocol-handler.external.hcp = false

    And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
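The Firefox pref quoted in this post blocks hcp:// at the browser; the same rule can be applied to captured page content on a proxy or in an incident-response triage script, since an ordinary web page has no reason to reference that scheme. The scanner below is an added example, not code from the thread or from Firefox; every sample document, and the hcp: paths inside them, is constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Added example (not from the Slashdot thread). Mirrors the intent of the Firefox
# setting network.protocol-handler.external.hcp = false at the content layer:
# any reference to the hcp: scheme in captured HTML is flagged for review.
# Matches are indicators, not verdicts; a human still decides what they mean.

# A scheme followed by whatever URL text comes after it, stopping at whitespace
# or HTML/attribute delimiters. Case-insensitive because schemes are.
HCP_URL = re.compile(r"hcp\s*:[^\s\"'<>]*", re.IGNORECASE)


def normalize(text: str, rounds: int = 3) -> str:
    """Peel off HTML entities and percent-encoding (possibly nested) until the
    text stops changing, so a scheme spelled as &#104;cp%3A still reads as hcp:."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    # NUL padding is a classic way to split a token; drop it before matching.
    return text.replace("\x00", "")


def find_hcp_references(document: str) -> list[str]:
    """Return every hcp: URL found in one document after normalization."""
    return [m.group(0) for m in HCP_URL.finditer(normalize(document))]


def scan_documents(documents: dict[str, str]) -> dict[str, list[str]]:
    """Map document name -> hcp: references; documents with none are omitted."""
    findings: dict[str, list[str]] = {}
    for name, body in documents.items():
        refs = find_hcp_references(body)
        if refs:
            findings[name] = refs
    return findings


# Constructed sample pages (hypothetical names and paths, not real sites).
SAMPLE_DOCUMENTS = {
    "benign.html": (
        '<a href="http://example.com/help">Help</a> '
        '<a href="https://example.com/">home</a>'
    ),
    "suspicious.html": (
        '<iframe src="hcp://constructed/example/path" '
        'width="0" height="0"></iframe>'
    ),
    "obfuscated.html": (
        '<iframe src="&#104;cp%3A//constructed/example/path"></iframe>'
    ),
}


if __name__ == "__main__":
    for name, refs in scan_documents(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {refs}")
```

Feed it the bodies your proxy or sandbox captured; the hit list is what to pull for manual review.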
  35. Re:This is classic Tavis. by Sir_Lewk · · Score: 4, Insightful

    You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.

    Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption, the only safe assumption is to assume that you are not the first to find it, and the only way to minimalize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.

    Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  36. I know how you feel (diff. issue, but MS) by Anonymous Coward · · Score: 0

    Per my subject-line above: This was an ongoing conversation w/ a poster here who is a senior mgt. figure @ Microsoft, in their "Windows Client Performance Division".

    I figured HE would be EXACTLY the guy to talk to about this, directly in fact, because of the division he heads @ Microsoft!

    (QUICK SUMMARY: It is a hosts file format issue that affects performance of its loads/read & reloads/rereads in MS' "latest/greatest" OS' in VISTA (since 12/09/2008, it wasn't that way before that, & neither are Windows 2000/XP/Server 2003), Windows Server 2008, & Windows 7))

    So, based on your experience, which I read here twice from you (indicating you feel QUITE STRONGLY about it, as I do on this one)?

    Well - I think YOU, of all people, WILL appreciate it, but moreso because of YOUR experiences with them, in your trying to actually HELP them? You will also understand it too, so, here goes:

    "Be patient :) Ill get to this. I just dont know when. I think I can get back to you by mid February, but it may be March." - by Foredecker (161844) * on Saturday April 24, @01:42PM (#31968126) Homepage

    That quote of Foredecker's words is from here -> http://slashdot.org/comments.pl?sid=1495166&cid=30715150 back in January (10th of Jan 2010)...

It is again, in regards to HOSTS files in VISTA, Windows Server 2008, & Windows 7 being unable to use the smaller & faster + more efficient "0" blocking "IP Address" (vs. the larger, slower, & less efficient on filesize & read/write time 0.0.0.0 (or, worse yet, 127.0.0.1 "loopback adapter IP address") which are STILL usable in Windows VISTA, Windows Server 2008, & Windows 7!).

    However, before MS "Patch Tuesday" on 12/09/2008 though?

    Well - You could STILL USE THE SMALLER & FASTER 0 blocking address in HOSTS files, vs. the larger & slower + less efficient 0.0.0.0 or worse still, the 127.0.0.1 loopback adapter address in Windows VISTA, Windows Server 2008, & Windows 7 (for blocking out KNOWN BAD sites &/or servers)...

    Using 0 yields increases in speed + efficiency & due to FAR LESS FILESIZE involved for reads inside the file and reading the HOSTS file as a whole (smaller = faster), especially!

    ----

    E.G.->

    HOSTS using 0, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 18,430 kb size

    vs.

    HOSTS using 0.0.0.0, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 23,338 kb size

    vs.

    HOSTS using 127.0.0.1, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 24,975 kb size

    ----

    As you can see?

This results in a 25%-35% approximate filesize diff.'s, in using smaller vs. larger preceding blocking addresses in front of bad sites/servers domain-hosts names manifest themselves ("do the math" etc.)

    Thus? Using 0 as a blocking address indeed DOES MAKE A DIFFERENCE here, for performance sake!

    (Hopefully enough to find out WHY the IP Stack Team has taken out the fastest & smallest + most efficient entry of 0 for blocking in HOSTS files... makes NO sense that they did, because of the evidences above!)

    Funniest part is, the Windows 2000, Windows Server 2003, & Windows XP still can use the smaller, faster, & most efficient 0 blocking address (vs. the larger/slower 0.0.0.0 & worst of all, 127.0.0.1)...

    Funnier still?

    Well, MS inserted the ability to use 0 as a blocking IP address back as far as Windows 2000 (not its original OEM pre-service pack/hotfix release, but, somewhere in between SP#1 - SP#4 for Windows 2000... this is a BETTER STANDARD, one that MS set no less, because it yields a smaller & faster read HOSTS file, period!)

    ANYHOW/ANYWAYS: The physics of it all back me on this, & so does the math.

    Especially when populating either the D

    1. Re:I know how you feel (diff. issue, but MS) by Anonymous Coward · · Score: 0

      After reading several parts of that, I'm not surprised that he won't return your emails anymore.
      Sorry about the sarcasm, it was UNAVOIDABLE.

    2. Re:I know how you feel (diff. issue, but MS) by Your.Master · · Score: 1

Your five megabytes of HOSTS file is probably irrelevant compared to real performance problems. That's not what a HOSTS file is meant for, and you should generally not optimize for the abusive case. Ideally you'd just use your application's native method for dealing with address-blocking, and if you need to blanket-block such a huge number of addresses then a local proxy is the way to go, e.g. Privoxy.

      Micro-optimization is the root of all evil. The way to tune performance is to measure where the biggest problem is, and then reduce that. You do not hone in on a few bytes from a file format. For instance, look at http://en.wikipedia.org/wiki/Amdahl's_law. It's not worth putting even ten minutes of time into something that makes no noticeable difference to just about anybody, when you could spend that time working on a problem that will make a noticeable difference to some people. Therefore, the "math" does not yet support you; at least not given the evidence provided. You have to show that a reasonable HOSTS file used as recommended (or as there is no more reasonable alternative) makes a more significant difference to some important aspect of performance than any other change that could be made as easily.

      Now, if you look at the Standard for IPv4 addressing, http://www.ietf.org/rfc/rfc1123.txt, you will see that dotted-decimal notation is required for Standards-compliant IPv4 applications (you can add further restrictions but not relieve restrictions), and if you look at http://tools.ietf.org/html/rfc952, the HOSTS file is required to have all four components. IPv6 does have a summary version in the standard, but I'm sure you won't like what IPv6 does to the size of the average HOSTS file (that is to say, marginally increase it). It's bad to break Web Standards without a really excellent reason. It had better be security, or a performance gain so bountiful and universal that none could fault it, such as when browsers started going to 6 connections per web server rather than 2.

    3. Re:I know how you feel (diff. issue, but MS) by Kalriath · · Score: 1

      Please don't encourage APK. He posts his hosts file bullshit in every Windows thread in existence.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    4. Re:I know how you feel (diff. issue, but MS) by Anonymous Coward · · Score: 0

      Very poor performance Your Master because your big mouth got you burnt to a crisp in his reply here http://it.slashdot.org/comments.pl?sid=1687452&threshold=-1&commentsort=0&mode=thread&pid=32587158

  37. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    I used to work in the team that manages patches on Windows.

    It is impossible for Microsoft to release a broad security fix in 5 days. Even if it immediately moved to a developer from the security people the first minute, the process for getting from identifying the correct fix, searching for and fixing related and similar bugs in code literally 0 people have looked at in _years_, doing a full build (this is an overnight process), sending it through a full test pass (which takes DAYS across all languages) to avoid regressions, and then the work to put it on Windows Update. That has its own pain points involving writing all the logic so the fix goes to the affected machines, but not all machines. The goal is a 0% false positive rate and a 0% error rate. And if anything goes wrong in testing on any one of these steps, the whole process gets delayed for days. With patch Tuesdays what they are, this often means slipping to the next patch Tuesday. Just to add insult to injury, Microsoft's Indian subsidiary handles all Windows XP work today, which adds tremendous overhead in communications Switzerland -> Redmond -> Hyderabad -> Redmond -> Switzerland.

    On top of that, when prioritizing fixing security bugs, what do you prioritize? Issues that are already being exploited in the wild, or ones that have never been exploited?

    It's not unheard of for a security fix which is basically complete from a code-writing perspective to not be on Windows update for several weeks.

    Seriously, 5 days is _nothing_.

  38. 6++ months now waiting on a "fix" here... apk by Anonymous Coward · · Score: 0

    Per my subject-line above: This was an ongoing conversation w/ a poster here who is a senior mgt. figure @ Microsoft, in their "Windows Client Performance Division".

    I figured HE would be EXACTLY the guy to talk to about this, directly in fact, because of the division he heads @ Microsoft!

    (QUICK SUMMARY: It is a hosts file format issue that affects performance of its loads/read & reloads/rereads in MS' "latest/greatest" OS' in VISTA (since 12/09/2008, it wasn't that way before that, & neither are Windows 2000/XP/Server 2003), Windows Server 2008, & Windows 7))

    So, based on your experience, which I read here twice from you (indicating you feel QUITE STRONGLY about it, as I do on this one)?

    Well - I think YOU, of all people, WILL appreciate it, but moreso because of YOUR experiences with them, in your trying to actually HELP them? You will also understand it too, so, here goes (details):

    "Be patient :) Ill get to this. I just dont know when. I think I can get back to you by mid February, but it may be March." - by Foredecker (161844) * on Saturday April 24, @01:42PM (#31968126) Homepage

    That quote of Foredecker's words is from here -> http://slashdot.org/comments.pl?sid=1495166&cid=30715150 back in January (10th of Jan 2010)...

It is again, in regards to HOSTS files in VISTA, Windows Server 2008, & Windows 7 being unable to use the smaller & faster + more efficient "0" blocking "IP Address" (vs. the larger, slower, & less efficient on filesize & read/write time 0.0.0.0 (or, worse yet, 127.0.0.1 "loopback adapter IP address") which are STILL usable in Windows VISTA, Windows Server 2008, & Windows 7!).

    However, before MS "Patch Tuesday" on 12/09/2008 though?

    Well - You could STILL USE THE SMALLER & FASTER 0 blocking address in HOSTS files, vs. the larger & slower + less efficient 0.0.0.0 or worse still, the 127.0.0.1 loopback adapter address in Windows VISTA, Windows Server 2008, & Windows 7 (for blocking out KNOWN BAD sites &/or servers)...

    Using 0 yields increases in speed + efficiency & due to FAR LESS FILESIZE involved for reads inside the file and reading the HOSTS file as a whole (smaller = faster), especially!

    ----

    E.G.->

    HOSTS using 0, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 18,430 kb size

    vs.

    HOSTS using 0.0.0.0, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 23,338 kb size

    vs.

    HOSTS using 127.0.0.1, with 840,000 blocked KNOWN BAD sites &/or servers entries in it blocked = 24,975 kb size

    ----

    As you can see?

This results in a 25%-35% approximate filesize diff.'s, in using smaller vs. larger preceding blocking addresses in front of bad sites/servers domain-hosts names manifest themselves ("do the math" etc.)

    Thus? Using 0 as a blocking address indeed DOES MAKE A DIFFERENCE here, for performance sake!

    (Hopefully enough to find out WHY the IP Stack Team has taken out the fastest & smallest + most efficient entry of 0 for blocking in HOSTS files... makes NO sense that they did, because of the evidences above!)

    Funniest part is, Windows 2000, Windows Server 2003, & Windows XP still can use the smaller, faster, & most efficient 0 blocking address (vs. the larger/slower 0.0.0.0 & worst of all, 127.0.0.1)...

    Funnier still?

    Well, MS inserted the ability to use 0 as a blocking IP address back as far as Windows 2000 (not its original OEM pre-service pack/hotfix release, but, somewhere in between SP#1 - SP#4 for Windows 2000... this is a BETTER STANDARD, one that MS set no less, because it yields a smaller & faster read HOSTS file, period!)

    ANYHOW/ANYWAYS: The physics of it all back me on this, & so does the math.

    Especially when popula

  39. Re:The bad guys thank you Tavis. by QuantGuy · · Score: 5, Insightful
    There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:
    • On Bluetooth phone viruses, apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
    • On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
    • On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

    It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.

  40. Re:The bad guys thank you Tavis. by BitZtream · · Score: 2, Interesting

    truly ethical approach to take to protect the consumer;

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant statements I've ever seen.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  41. WTF is up with the math here? by Arancaytar · · Score: 1

    zero-day ... reveal the flaw only five days after reporting it to Microsoft.

    Notice something?

  42. Irresponsible juvenile jerk by Anonymous Coward · · Score: 0

    I hope Ormandy gets the lawsuit he deserves from some poor innocent schmuck who gets burned. What a self-important creep!

  43. Damning of Ormandy? by ratboy666 · · Score: 0, Troll

    No, damning of Microsoft.

    All that was asked of the vendor was to come up with a firm time-line for a fix. If that was NOT forthcoming, the only responsible action is FULL IMMEDIATE DISCLOSURE.

    The idea of allowing a vendor some time for a patch is to attempt to contain damage. And this assumes that the vulnerability is not already found by someone else. If the vendor refuses to commit, then that strategy is fatally flawed. The only recourse is to publish, and give an opportunity for the services, OSs, whatever, to be taken down by responsible administrators.

    Without a time-line, the actual impact cannot be assessed. And, given that Google has been burned by a defect recently, they should be expected to be quite sensitive to the impact of these defects.

    To rephrase -- Microsoft played chicken, and lost.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
    1. Re:Damning of Ormandy? by QuietObserver · · Score: 1

      (Score:0, Troll)

      I cannot see any justification for this; I see no attempt in these comments to troll anyone, merely to lay out a viable explanation to support Mr. Ormandy, finishing with a logical summary of the argument. I'm tempted to meta-mod in hopes of correcting this travesty (though having commented, I'm not likely to be given the opportunity). I see this kind of thing far too often. As several sigs point out, -1 disagree does not exist for a very good reason. Moderation is intended to punish those who are deliberately uncivil or abusive with their comments. -1 Troll, -1 Flamebait, and -1 Overrated are not, and never will be, acceptable substitutes.

  44. Could that headline be any more impenetrable? by andrewagill · · Score: 1

    If you want to make it a little more accessible, why not something like ``Google-discovered HCP vulnerability exploited?'' Maybe ``Google-found flaw seen in the wild?''

    What you have for the headline now sounds about as intelligible as the mock-Slashdot headline that Penny Arcade came up with, ``Linux crypto hackers open-sourced the BSD Microsoft monopoly''

  45. An off topic troll that can actually read? by Anonymous Coward · · Score: 0

    "After reading several parts of that" - by Anonymous Coward on Wednesday June 16, @12:34AM (#32587286)

    Dearest Anonymous Troll: When you get some technical expertise in this art & science of computing? Then, perhaps, I will BELIEVE you CAN actually READ!

    (Especially technical material of the nature this forum section is about, & in case you hadn't noticed it? You're off topic, troll...)

    In fact, I'd wager your "dull brain" went "pop" the instant it encountered a word that had over 2 syllables in it & since it wasn't written in HUGE letters & in single syllable "See Dick and Jane run" style.

    APK

    P.S.=>

    "Sorry about the sarcasm, it was UNAVOIDABLE." - by Anonymous Coward on Wednesday June 16, @12:34AM (#32587286)

    Likewise/same here... apk

    1. Re:An off topic troll that can actually read? by Anonymous Coward · · Score: 0

      Look, your style of writing is really difficult and long winded. Feel free to continue writing like you do, but don't be surprised if people won't pay attention to you -- and don't fool yourself into thinking that only illiterate idiots will skip your posts. The issue here is not the readers but the writing. Have you not wondered why you so often end up in this sort of discussion?

  46. Re:This is classic Tavis. by Anonymous Coward · · Score: 1, Insightful

    The question is not whether the exploit had been used prior to disclosure. The question is, on what scale has it been used before it, and how much wider is that scale now due to disclosure?

    Or, simply put, how did the chance of being affected by this increase or decrease for an average user? If it increased significantly, then clearly this "hurts the consumers".

  47. Responsible disclosure? by HockeyPuck · · Score: 1

    Ok so I can see why someone would inform MSFT and for that matter the world that there is a serious problem with some component in an OS. However, what I don't understand is why he would find it necessary to disclose code to exploit the bug? At that point it becomes a race condition between sysadmins checking/protecting and black hat hackers building malware to take advantage of it.

    1. Re:Responsible disclosure? by Todd Knarr · · Score: 0

      Because he told Microsoft privately about it, and Microsoft refused to even discuss when they'd be fixing it. Which basically translates to "We have no intention of fixing it. Nobody knows about it, so we won't suffer any penalty for leaving it unfixed.". To them the problem isn't the technical one of the bug existing, it's the PR one of their users knowing it exists. They want to "fix" the problem not by fixing the bug but by ensuring their users continue to not know about it.

      Well, now we know about it, so Microsoft has no choice but to actually fix it. They could've avoided the whole black eye by simply agreeing to fix it in the first place, but no they had to take the embarrassing route instead. To quote my dad, "See this? This is the world's smallest violin, playing the world's saddest song, just for you.".

    2. Re:Responsible disclosure? by Rockoon · · Score: 1, Insightful

      Because he told Microsoft privately about it, and Microsoft refused to even discuss when they'd be fixing it.

      According to TFA, Microsoft told him on 6/7 that by the end of the week they would have a release schedule worked out.

      So this guy then releases the exploit on 6/9, 2 days later, only halfway through the week.

      I think that Ormandy is living a myopic life. Two days for him is like an eternity, so he holds everyone else to his warped view of time. The release of the exploit won't affect his systems, so he thinks that nobody else will be harmed by his actions. His system doesn't require the help center protocol to be functioning, so nobody's system must require it to be running.

      During the last article on this on Slashdot, many people decried that Ormandy was acting alone, that Google therefore wasn't responsible for his actions here. But in this round of Slashdot comments you see many people decry that Google's reporting procedures trump Microsoft's.

      I think it's bizarre that people will twist their logic up so much just to support their preconceived notions. Very few have taken the stance that Microsoft puts out shitty software AND Ormandy is a little shit that deserves a public stoning. You clearly think that he doesn't, and you are wrong.

      Bystanders are going to suffer this month only because both "Microsoft puts out shitty software", and "Ormandy was irresponsible and helped every malware author" is true.

      --
      "His name was James Damore."
    3. Re:Responsible disclosure? by Hatta · · Score: 1

      The sooner I know there's a bug, the sooner I can turn off the affected service and the safer I'll be. Ormandy did the public a favor.

      --
      Give me Classic Slashdot or give me death!
    4. Re:Responsible disclosure? by noncommercial · · Score: 1

      It seems to me that you missed the part where Ormandy tried for five days to get Microsoft to COMMIT to a timeline. Seriously, it doesn't seem like you actually read the whole article if you missed that.

  48. Re:The bad guys thank you Tavis. by sohp · · Score: 2, Insightful

    It only seems contradictory for people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips off the consumers and transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.

  49. Conspiracies? Let us have some by symbolset · · Score: 2, Insightful

    Google could probably release an exploit like this every day if they wanted to - or ten of them. They index the Internet, and that includes the nasty corners where such things are as common as rude pictures on 4chan. Why should they care? They don't use Windows internally any more.

    --
    Help stamp out iliturcy.
  50. Re:The bad guys thank you Tavis. by c0lo · · Score: 1

    truly ethical approach to take to protect the consumer;

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant statements I've ever seen.

    I reckon that, to some extent, the percentage of "murder by shooting" in the cause-of-death statistics will go very low indeed... while the "manslaughter by shooting" will... so to say... shoot to the sky.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  51. Re:The bad guys thank you Tavis. by mtremsal · · Score: 1

    Remove all warning labels and let the problem fix itself

    I wouldn't call this approach 'ethical'.

  52. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That's a ridiculous analogy.

    Full disclosure is more like if every person with a gun also carried a flashing disco light and a boombox playing "I Shot the Sheriff". Then, you would be aware of the potential for an unusually dangerous situation, and you could use that information to make decisions.

  53. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant statements I've ever seen.

    No this is like saying that the safety on the gun we are selling you may not work and you can end up killing someone even though you do not intend to.

    That has to qualify as one of the worst analogies I've ever seen.

  54. Re:bring it by Anonymous Coward · · Score: 0

    Because it works fine for everybody else? Get some new hardware.

  55. I'm surprised you even bothered to reply... by Anonymous Coward · · Score: 0

    much less read that tirade. Please don't -- you're only encouraging him to post his crap all over the forums. He's already posted what (from a cursory skimming) looks like an identical comment further up in this article.

    He also seems to be somewhat mentally unstable -- accusing various people of conspiring against him, posting threats of "legal action" (yeah, on the Internet), etc.

  56. Re:The bad guys thank you Tavis. by dropadrop · · Score: 1

    truly ethical approach to take to protect the consumer;

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant statements I've ever seen.

    I've found that if I report somebody with an illegal weapon it's generally taken care of very quickly, so maybe not the best analogy...

  57. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    You're complaining because your processes are failing. Call the wahhhmbulance. In the meantime, someone else could have discovered the exploit and be using it, which is why you've been bitten by so many from the wildlist this year, and had to do out-of-sync patches.

    Well, you need to be faster. Much faster. As fast as open-source software. Don't say you can't do it: we can, and you have more money and lots of people. Anything else is a management problem. Corporate inertia is a bad fucking excuse, and it won't wash.

    Patch Tuesday is your problem. You agreed to it. We told you it was a bad idea. We understand why the IT guys in big corps want to do it, but that is their problem. Security is our problem. And bad updates, and updating needing reboots, is your problem.

    Full-Disclosure was invented because you guys refused to fix shit. You did it for years before you took security seriously, and we remember, so if you fail to take security seriously and give us serious timescales for timely release of a patch, we are going to take security seriously by making sure everyone knows about it so they can block it.

    Even "responsible disclosure" never advocated more than 28 days. If, on the other hand, you have a process now which doesn't even give us an ETA in 5 working days, you're asleep at the wheel again, and people need to know.

    Next time, you get 4 days. Then 3. Then 2. Then 1. Then, you get zero days, just like the old days.

    Now, where's that fix?

  58. Re:The bad guys thank you Tavis. by LordLucless · · Score: 1

    Even on Slashdot, that's the worst analogy I've seen. You're not encouraging people to commit crimes themselves; you're not providing them with equipment needed to do so.

    It would be more analogous to letting people know there's a murderer on the loose, and they should be on their guard before you've caught him, instead of holding off on the notification so that you don't look so bad.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  59. Good news by theunixman · · Score: 1

    At least now people who would not have known about a potential attack vector can take precautions and be safer without having to wait for Microsoft to introduce more vulnerabilities when they come up with a "fix" for this one.

  60. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    If having a gun meant that you could fiddle around with it, and use it to create a shield that made you impervious to bullets (in the same way as being aware of an exploit makes it possible for people to patch their own systems) - then yes, that would be a good way to prevent shooting deaths.

    Analogies can be misleading.

  61. Re:The bad guys thank you Tavis. by slinches · · Score: 1

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant analogies I've ever seen.

    It's more like putting up a billboard that says "The most widely used door lock on the market can be easily punched out with a captive bolt pistol"

    --
    Knowledge Brings Fear
  62. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 3, Insightful

    I'm not sure the analogy is a good one.

    This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?

    The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it. I'm tired of our society putting off problems until further down the road when it becomes the 800 lb gorilla, with bigger consequences and now impossible to ignore.

  63. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    It's more like telling everyone their door locks on their house are vulnerable. The people that are knowledgeable can work around it by bolting the door closed (disable the service), everyone else can hire someone to do it for them.

    I'd like to hear about the threats as they come out, so I may mitigate my risk.

  64. Since I've been modded down... by ratboy666 · · Score: 4, Insightful

    And I really don't understand why, I'll quote the article

    "Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."

    So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

    Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

    In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

    Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of the quoted researchers is).

    --
    Just another "Cubible(sic) Joe" 2 17 3061
    1. Re:Since I've been modded down... by drzhivago · · Score: 2, Insightful

      Of course it was fixed two months sooner. It was out in the wild, whereas beforehand it was not.

      A security exploit that's readily known is going to be a much higher priority than one that isn't.

    2. Re:Since I've been modded down... by PsychoSlashDot · · Score: 3, Insightful

      This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

      Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

      In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

      This gives users a guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.

      That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.

      Users and admins both lose here.

      --
      "Oh no... he found the .sig setting."
    3. Re:Since I've been modded down... by Thugthrasher · · Score: 1

      Microsoft had to release a "remedial fix" for an exploit that was known and in the wild. This remedial fix breaks all local, legitimate help links. This could affect users who, y'know, might want to use said help links. If this exploit was still unknown, these users would be able to use their help links without much legitimate chance of being attacked. This could have given Microsoft time to patch in a fix that DIDN'T break all the help links. And while you or I might not use help links all that often, there are users who do.

    4. Re:Since I've been modded down... by Kijori · · Score: 2, Insightful

      In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

      That's only true if you think that the timing of the Google engineer's release of the hole and people beginning to exploit it is entirely coincidental. On the other hand if you think there might be a causal link to explain the exploit appearing shortly after he told everyone how to exploit it, admins are in fact more vulnerable now.

      And comparing the "response times" is only possible if you think that the two responses - releasing a hotfix that removes functionality and releasing an update that fixes the problem - are identical. If the security update comes out in the near future then all the Google engineer has done is inconvenience users by forcing Microsoft to remove functionality that otherwise would not have been a risk in the window before a patch was released.

    5. Re:Since I've been modded down... by ratboy666 · · Score: 1

      I'm quoting your entire reply. Simply because it illustrates a few things very well:

      "Of course it was fixed two months sooner. It was out in the wild, whereas beforehand it was not.

      A security exploit that's readily known is going to be a much higher priority than one that isn't."

      Let's take these points in order, "whereas beforehand it was not" -- and just HOW do you know that? I certainly didn't know it. Which leads you to your second point -- the "priority". There are several conflicting priorities here. One is the public relations priority. And, in this case you are right... But I don't care about the vendor's public image.

      Another is that a readily known security exploit that has a trivial work-around has LOWER priority than one that isn't "readily known". I can defend against the first (example, my laptop's X server was listening to the internet. Easily hardened, just remove TCP listen except from localhost). The second? If there is no published defence I consider myself rather screwed.

      I assume that as soon as a defect is located, it will be talked about. Simply the knowledge that a defect is in an area might direct a "black-hat" to investigate. Or, the information may leak out of the vendor's lab. All it takes is a bit of social engineering. I'd hire a hooker and go after the geekiest guy in the vendor's lab. Sometimes, the bug report databases are published to "trusted partners". The vendor may trust the (for example) Chinese Government, but I don't.

      This is just classic spying. Easier because it's lower risk (you won't get shot for leaking a 0-day). But, it happens:

      http://www.esecurityplanet.com/cisco/article.php/3354851/Cisco-Investigating-Stolen-Source-Code.htm

      Cisco, Microsoft, others.

      So, the clock is already ticking EVEN IF FULL DISCLOSURE IS NOT MADE. The only thing that this "responsible disclosure" does is give the vendor a PR break, and maybe (MAYBE) IF the vendor has appropriate security policies in the lab, allows the hole to be plugged without black-hats finding out. Maybe.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    6. Re:Since I've been modded down... by Flea of Pain · · Score: 1

      This could affect users who, y'know, might want to use said help links.

      BAH HA HA HA! If anyone is actually using those help links for help, they should probably get their head checked. The disabling of the help links really needs an "andnothingofvaluewaslost" tag.

      --
      Do not argue with an idiot. He will drag you down to his level and beat you with experience.
    7. Re:Since I've been modded down... by Monchanger · · Score: 1

      And comparing the "response times" is only possible if you think that the two responses - releasing a hotfix that removes functionality and releasing an update that fixes the problem - are identical.

      I think the only thing that matters is that my nana's computer doesn't start sending her bank information to some asshat on the other side of the world. Even if she did use the help system and needed to call me twice as much to figure out how to do something, that's worth the extra security. So when looked at from that point of view, they are indeed identical.

    8. Re:Since I've been modded down... by Thugthrasher · · Score: 1

      Do you work with or know anyone who doesn't really know computers very well? A lot of them go to the help links when they need something. A lot less now than did it 10 years ago, sure, but it still happens. And some legitimate applications use hcp protocols for their help. And sometimes when you're using a new application, going to the "help" can get you your answer quicker than on the internet (especially if it's not a program used by millions of people). I haven't used Windows Help & Support in ages, but sometimes when I am forced to help support a user using a program I've never used before, I find the program's help files to actually prove useful. Especially if it's an odd program that is only used by a group of people in a certain business.

    9. Re:Since I've been modded down... by Kijori · · Score: 1

      My point is that it's meaningless to claim that the response time has been improved by comparing two different responses; the hotfix was able to be produced quickly but was unnecessary until the Google engineer made the vulnerability public. The actual fix will still take a long time, what's changed is that Microsoft were forced to react to a threat that previously didn't exist - people exploiting this bug.

    10. Re:Since I've been modded down... by Anonymous Coward · · Score: 0

      Except the threat existed.

    11. Re:Since I've been modded down... by Monchanger · · Score: 1

      a threat that previously didn't exist

      And you can prove this how? The banner you and your friends are waving is called "security through obscurity". It has never and will never work.

      Stupid statements like "we've been fine for nine years!" ignore the fact that Microsoft's security failure did not take nine years of work to discover and exploit. There is no guarantee that it won't be discovered several times following disclosure yet prior to patching by persons with malicious intent.

      If the only people who looked for exploits were benevolent, I'd be so casual about them too.

    12. Re:Since I've been modded down... by Just Some Guy · · Score: 1

      This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.

      Do you think all those Windows machines tethered to giant botnets got there because each owner refused to install the available security updates? Is it just remotely possible that some of those machines got owned by exploiting vulnerabilities that haven't been published yet? I will never 'til my dying days understand the logic that results in "I didn't know about it therefore I was safe until someone told me."

      --
      Dewey, what part of this looks like authorities should be involved?
    13. Re:Since I've been modded down... by PsychoSlashDot · · Score: 1

      Do you think all those Windows machines tethered to giant botnets got there because each owner refused to install the available security updates? Is it just remotely possible that some of those machines got owned by exploiting vulnerabilities that haven't been published yet? I will never 'til my dying days understand the logic that results in "I didn't know about it therefore I was safe until someone told me."

      Actually, I know that the vast majority of owned WinXP boxes I've encountered have been owned because the users clicked all over the place. I've seen very few drive-by attacks.

      Ever since the advent of Fake AV attacks, users have lost their minds. And now with user-mode infections (i.e. things that just drop in the local user profile and don't modify the PC), you don't even need admin rights.

      User browses to a compromised web site. User sees a warning that they're in deep, deep trouble. User clicks on the "save me now" button. User screws self.

      --
      "Oh no... he found the .sig setting."
    14. Re:Since I've been modded down... by Anonymous Coward · · Score: 0

      Insightful? This kind of reasoning should be modded funny...

    15. Re:Since I've been modded down... by Anonymous Coward · · Score: 0

      Of course it was fixed two months sooner. It was out in the wild, whereas beforehand it was not.

      Hmm. Please excuse me for being blunt: Are you stupid?

      You know fuck-all about whether it was out in the wild or not. Just because you didn't know about it says absolutely nothing about whether the black-hats did.

      Do you actually believe only those things you personally see exist?

      You have a rough awakening ahead of you...

    16. Re:Since I've been modded down... by strikethree · · Score: 1

      Except the exploit has already been seen out in the wild. How do you think people without any administrative privileges whatsoever have been getting their machine "rooted" for the past three months by fake anti-virus software? There is far more here than meets the eye upon first inspection.

      The only responsible course of action is full disclosure as soon as possible. Those 5 days in which it could have been public but was not were 5 more days of computers getting infected with hostile code.

      Regards,

      strike

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  65. Re:This is classic Tavis. by abigsmurf · · Score: 1

    Whether or not it was used doesn't matter. The point is, it wasn't WIDELY used.

    Lots of people know how to make incredibly toxic gases with household ingredients. Would you then say it's perfectly fine to show a step by step guide telling you how on a prime time TV show?

    Just because there's a possibility that a select few may already know something dangerous that doesn't mean it's morally fine to tell as many people as possible.

  66. Re:This is classic Tavis. by rdebath · · Score: 1

    For a proficient admin you are correct.

    But many of them are not, they are occasional admins who don't check FD on a daily basis. If their machines get owned it impacts ME. OTOH, I can wait a little while, I have things for general mitigation of all threats that work a lot of the time with any attack. Layers you know.

    This means I want the vendor to be told first so they have a chance to fix all those other machines before the exploit is on s-kiddy release by every two bit crook who thinks they can make a penny.

    OTOH, if the vendor doesn't move quickly, I need to know the exploit so I can put in specific mitigations.

    It appears that Tavis Ormandy has done this correctly, because Microsoft were reportedly ignoring him.

  67. Zero day,,, by sqldr · · Score: 1

    Google outed this 2 days ago. So it's not zero-day, is it?

    --
    I wrote my first program at the age of six, and I still can't work out how this website works.
  68. Maybe Google wants to embarrass Microsoft by AlgorithMan · · Score: 1

    He gave them 2.5 times the time that would be needed to get a fix into all major Linux repositories. Maybe they wanted to expose how much slower Microsoft reacts to security threats (i.e. how insecure Windows is, compared to Linux and its descendant Chrome OS).

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  69. Get your terms right! by AlgorithMan · · Score: 1

    Google-Outed Windows XP Zero-Day [...]
    his decision to reveal the flaw only five days after reporting it to Microsoft.

    Don't you know what ZERO-day means? This is a FIVE-day!

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  70. Re:This is classic Tavis. by Sir_Lewk · · Score: 1

    Lots of people know how to make incredibly toxic gases with household ingredients. Would you then say it's perfectly fine to show a step by step guide telling you how on a prime time TV show?

    I have a feeling this isn't the answer you are looking for, but yes.

    I also support local public libraries stocking copies of the Anarchist Cookbook. People tend to get overly emotional about this sort of thing, and fail to properly analyze risk.

    The kind of people who are mentally unstable enough, and have the drive to carry through a deadly gas attack are also the kind of people who've probably looked it up on the internet already. Teaching your average Joe Schmoe and his grandmother how to do it likely isn't going to raise the likelihood of it actually happening. Besides, if you think about it, we already have several "cold case" shows on television that explain in pretty concise detail how to murder a loved one and throw off the police for decades. This is considered good wholesome entertainment by the general public, so why not throw some chemistry into the mix?

    Similarly, anyone who is interested in other forms of domestic terrorism or mischief probably already has a copy of the Anarchist Cookbook, and anyone who pwns Windows boxes for fun or a living no doubt already has a dozen and a half tricks up their sleeve.

    TFA mentions a single instance of this exploit in the wild, it hardly seems as though this public disclosure has caused a sudden rash of pwn'ings.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  71. MISCREANTS !!11!! THOSE BASTARDS !!!!11!!! by unity100 · · Score: 0

    them little sneaky conniving whippersnappers !!!

    .........

    what's with the shitty adjective prepending in front of the title thing ?

  72. "Silly little man" by Anonymous Coward · · Score: 0

    For someone who repeatedly demonstrates his stupidity, naivety and inability to stray from the Slashdot groupthink, you sure are condescending.

    Anyway, this doesn't prove anything, because security-through-obscurity and full-disclosure of bugs are orthogonal issues. But seeing as you're one of those idiots who *is* impressed by shit like this, I guess that is irrelevant.

    Get back to the mindless MS bashing, silly little sheep.

    1. Re:"Silly little man" by arose · · Score: 1

      Anyway, this doesn't prove anything, because security-through-obscurity and full-disclosure of bugs are orthogonal issues.

      An unsubstantiated opinion (if you can call it that) dressed up as a fact.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  73. Why Not Disclose the website? by hduff · · Score: 1

    What harm is there in disclosing the website? Especially if it is a FOSS-focused one. That's just wrong.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Why Not Disclose the website? by emoreau · · Score: 1

      Because the whole story is bullshit. The "security" vendor wants to scare people, so they can sell more antivirus crap. These people are afraid that their business model is dying (and it is). They want you to think that disclosing vulnerabilities is bad, they want you to think that open source sites are vulnerable, they want you to think that security is something that can be bought by the pound (or the kilogram). Plus this kind of story helps Microsoft show that Google is evil.

  74. Can we PLEASE... by Anonymous Coward · · Score: 0

    ...just ban any use of the term "Zero Day" on Slashdot? When everyone uses it incorrectly just because it sounds cool we all sound like idiots.

    1. Re:Can we PLEASE... by baka_toroi · · Score: 1

      It's incredible (not really) that a tech-related site like Slashdot gets that term wrong over and over again. kdawson, stop fapping to furry porn and get a clue.

  75. Dear Ford Owner by Rogerborg · · Score: 2, Insightful

    I've just found a way of easily opening and starting your Ford using common household tools.

    I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.

    No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.

    If your Ford gets stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.

    Fair enough?

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Dear Ford Owner by Anonymous Coward · · Score: 0

      Are you sure you're not like "GoodCarAnalogyGuy"?

    2. Re:Dear Ford Owner by Anonymous Coward · · Score: 0

      Even thief's what don't want to drive? Or did you mean 'thieves'?

  76. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  77. Time to tear YOU, apart (too, Too, TOO EASY) by Anonymous Coward · · Score: 0

    "That's not what a HOSTS file is meant for, and you should generally not optimize for the abusive case." - by Your.Master (1088569) on Wednesday June 16, @01:40AM (#32587616)

    Again, really? Funny, but Mr. Oliver Day of SECURITYFOCUS.COM feels otherwise:

    ---

    RESURRECTING THE KILLFILE:

    (by Mr. Oliver Day)

    http://www.securityfocus.com/columnists/491

    PERTINENT EXCERPTS/QUOTES:

    "The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."

    "From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

    ---

    So do the folks @ MVPS.ORG, BlueTack/BISS, & other sites that are dedicated to use of a HOSTS file, as well as myself, & those who use "Spybot Search & Destroy" also (because it populates a HOSTS file vs. known bad sites &/or servers too), & also there is this "pertinent quote" from a user who tests it for me as well & his results:

    "the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60

    ---

    "Your five megabytes of HOSTS file is probably irrelevant compared to real performance problems." - by Your.Master (1088569) on Wednesday June 16, @01:40AM (#32587616)

    Oh, really? Well, it seems that even Foredecker (Senior Manager of Microsoft's "Windows Client Performance Division" whom I referred to above) even felt otherwise & said that a larger file reads slower than a smaller one would... & using a smaller blocking address lends to that "smaller, faster, & more efficient", period... any fool knows that in fact (except you it seems).

    ---

    "Ideally you'd just use your application's native method for dealing with address-blocking" - by Your.Master (1088569) on Wednesday June 16, @01:40AM (#32587616)

    A single-layer that may have bugs in it, such as Firefox addons have had & that ONLY work for that particular application, whereas HOSTS files work "universally" blocking out more than potentially bad content that foists malware on users? No thanks... Why should one give up a SINGLE FILE that provides more security & more speed from just 1 file??

    (I have entire scores of people above you can "argue the numbers & results" with, so, go for it... good luck!)

    DNS servers are another, & you can ask Dan Kaminsky OR Moxie Marlinspike about all the bugs in DNS servers out there (big news for 2-3 yrs. now in fact).

    ---

    "and if you need a blanket block such a huge number of addresses then a local proxy is the way to go, eg. Privoxy." - by Your.Master (1088569) on

  78. Temporary fix link by Anonymous Coward · · Score: 2, Informative

    I haven't seen anyone link to Microsoft's temporary fix yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.

    One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:

    "Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."

    But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
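
The workaround the comment above describes (export the key, delete it, put it back once a real update ships), written up as a script. This is an added example, not code from the thread or from Microsoft: the key name HKEY_CLASSES_ROOT\HCP is the one Microsoft Security Advisory 2219475 tells you to export and delete, and is not quoted on this page; the backup location under %SystemRoot% and the cmdlet names are assumptions of the example. It needs PowerShell 2.0 on XP SP3 and an administrator account.

```powershell
# Added example (not from the thread or from Microsoft's advisory text): check,
# disable, or restore the hcp: protocol handler on Windows XP.
# Assumptions: key name HKEY_CLASSES_ROOT\HCP (from Microsoft Security Advisory
# 2219475, not from this page); backup file path under %SystemRoot%. Run as Administrator.
param(
    [ValidateSet('Check', 'Disable', 'Restore')]
    [string]$Action = 'Check',
    [string]$BackupFile = (Join-Path $env:SystemRoot 'hcp_backup.reg')  # assumed location
)

$HcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Test-HcpRegistered {
    # Windows resolves "hcp://..." by looking up HKCR\<scheme>, so a deleted key, or one
    # renamed to anything other than HCP, no longer resolves. The "URL Protocol" value
    # is what marks the key as a URL handler rather than a plain file-type key.
    if (-not (Test-Path -Path $HcpKey)) { return $false }
    $props = Get-ItemProperty -Path $HcpKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Disable-Hcp {
    if (-not (Test-HcpRegistered)) {
        Write-Host 'hcp: is already unregistered; nothing to do.'
        return
    }
    # Export first so the key can be restored once a real fix is installed.
    # XP's reg.exe prompts before overwriting, so clear any stale backup ourselves.
    if (Test-Path -Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete HKCR\HCP without one."
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-HcpRegistered) { throw 'HKCR\HCP is still registered after deletion.' }
    Write-Host "hcp: unregistered; backup saved to $BackupFile"
}

function Restore-Hcp {
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup at $BackupFile; cannot restore HKCR\HCP."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-HcpRegistered)) {
        throw 'Import ran but hcp: is still not registered; inspect the .reg file.'
    }
    Write-Host 'hcp: protocol handler restored.'
}

switch ($Action) {
    'Check'   { if (Test-HcpRegistered) { 'hcp: is REGISTERED (exposed until patched)' }
                else { 'hcp: is not registered' } }
    'Disable' { Disable-Hcp }
    'Restore' { Restore-Hcp }
}
```

Run it with `-Action Check` before and after applying the workaround, and with `-Action Restore` after installing the real update. The check also answers the renaming question raised above: the shell finds a URL handler by the exact key name under HKCR, so a renamed key is as unreachable as a deleted one; the script deletes rather than renames only because that is what the advisory's deployment guidance does and because the exported .reg file is the rollback either way.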

  79. Kalriath: Is that "the best you've got"? by Anonymous Coward · · Score: 0

    "Please don't encourage APK. He posts his hosts file bullshit in every Windows thread in existence." - by Kalriath (849904) on Wednesday June 16, @04:31AM (#32588342)

    See subject line above, & try a reply that is on topic (you clearly are not) and has pertinent evidences in it... like this one from myself to "The Master":

    http://it.slashdot.org/comments.pl?sid=1687452&cid=32589278

    (By the way: Anytime you can technically disprove what's written by myself in that URL above, feel FREE to do so, because then? Then @ least, you'd be "on topic", instead of being the OFF TOPIC TROLL YOU CLEARLY ARE, ad hominem attacks & all directed MY way!)

    However - this isn't the first time I've shut up all of /., & it won't be the last (lol, every time I put up what's in the URL above, the "sheep of /." ended up calling names & such, much as you seem to be implying, as the "best they had" vs. my technical points in favor of a HOSTS file... every time, it is hilarious!)

    APK

    P.S.=> The way I see it, is this, in regards to my naysayers on the account of HOSTS files. They are either 1 of 3 kinds of people whom HOSTS files threaten badly:

    ---

    1.) A malware maker who realizes that his days of robbing others OR enslaving & ruining their systems is jeopardized by a HOSTS file

    2.) Webmasters living off of people's views of their website (with ANNOYING ads that slow you down OR can infect you as well (plenty of proof of this exists over the past 1/2 decade now online in fact, it's no secret))

    3.) A fool

    ---

    Take your pick... apk

    1. Re:Kalriath: Is that "the best you've got"? by Kalriath · · Score: 1

      Oh, I see. Anyone who disagrees with you is either a malware maker, a webmaster that relies on annoying ads, or a fool.

      And you're accusing me of ad hominem attacks. That's rich.

      Anyway, you're using hosts files for something they're completely unsuited for, and you're arguing in favour of violating the TCP/IP spec to suit your incompatible use case.

      I'm unsurprised that Microsoft ignored you, and frankly were I in their place I'd do the same.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  80. don't forget comments with smug self-superiority by circletimessquare · · Score: 0, Flamebait

    like yours, for example

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  81. The "best of /." & off topic ad hominem attack by Anonymous Coward · · Score: 0

    "He's also seems to be somewhat mentally unstable" - by Anonymous Coward on Wednesday June 16, @02:19AM (#32587802)

    See subject-line above, & answer that question. Do you have a license to practice Psychiatry, + years of proven professional experience in it, and have YOU performed a formal psychological evaluation on myself in professional environs??

    No to all of the above???

    Of course...

    (Get back to us when you have those things, because otherwise? You are libeling myself, and performing a blatantly off topic ad hominem attack on myself!)

    I'd also like to see where I stated explicitly that others are "conspiring against me"... show us all that, ok? Insinuations & putting words into others mouths they never stated on your part?? Please... go away now, off topic troll.

    APK

    P.S.=> As-per-usual? "too, Too, TOO EASY", just too easy... Typical of the results of the trolls at slashdot, with their ad hominem attacks, vs. technical FACTS + testimonials which I use, such as this reply here -> http://it.slashdot.org/comments.pl?sid=1687452&cid=32589278 (as well as my init. post here also) in this very exchange to a "naysayer" (fearful malware maker or maliciously coded site webmaster imo) & every time no less... hilarious! apk

  82. Re:The bad guys thank you Tavis. by azrider · · Score: 1

    Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit.

    In order to believe that Tavis Ormandy is at fault, you have to believe the following:

    • Ormandy is the only researcher who found the issue.
    • Ormandy released the information strictly to embarrass Microsoft.
    • Prior to his release, the bug had never been exploited by anyone.
    • If he had not released the details, no one would have known about the problem, so there would be no risk.
    • Microsoft was working diligently on a fix as soon as they knew.
    • Tavis Ormandy, working strictly from observed behaviour, is smarter than Microsoft's programmers (who have access to the code).

    Based on past history, I would conclude the following:

    • Ormandy did indeed notify Microsoft prior to public disclosure.
    • He tried (unsuccessfully) to pin Microsoft down to a commitment to fix the problem.
    • When that failed, he disclosed the issue to the public.
    • We now know (almost immediately) about an exploit because now the A-V vendors are looking for it, not because his information made the exploit possible.

    Had he not gone public, Symantec, Sophos, McAfee and the others would not have added it to their definitions. In point of fact, by disclosing the specific attack profile he made it possible for them to release a protection protocol that much sooner.

    --
    And ye shall know the truth, and the truth shall make you free.
    John 8:32(King James Version)
  83. Re:This is classic Tavis. by Hatta · · Score: 1

    Lots of people know how to make incredibly toxic gases with household ingredients. Would you then say it's perfectly fine to show a step by step guide telling you how on a prime time TV show?

    Yes, of course, absolutely, without question. What possible argument could you make against it? Anyone who wants to hurt people can figure it out on their own. The only effect airing it on TV would have is to make normal people more aware.

    --
    Give me Classic Slashdot or give me death!
  84. Opinions clearly vary, see inside... apk by Anonymous Coward · · Score: 0

    Per my subject line above, here are some "evidences to the contrary":

    "but don't be surprised if people won't pay attention to you -- and don't fool yourself into thinking that only illiterate idiots will skip your posts." - by Anonymous Coward on Wednesday June 16, @09:08AM (#32589602)

    This is the list of some of the posts I have been modded up in & where people actually read what I wrote & liked it apparently:

    ====

    +5 'modded up' posts by "yours truly" (4):

    http://it.slashdot.org/comments.pl?sid=1139485&cid=26975021

    http://it.slashdot.org/comments.pl?sid=1139485&cid=26974507

    http://it.slashdot.org/comments.pl?sid=170545&cid=14210206

    http://hardware.slashdot.org/comments.pl?sid=175774&cid=14610147

    ----

    +4 'modded up' posts by "yours truly" (4):

    http://slashdot.org/comments.pl?sid=161862&cid=13531817

    http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198

    http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315

    http://tech.slashdot.org/comments.pl?sid=1461288&cid=30273506

    ----

    +3 'modded up' posts by "yours truly" (5):

    http://developers.slashdot.org/comments.pl?sid=155172&cid=13007974

    http://it.slashdot.org/comments.pl?sid=166850&cid=13914137

    http://slashdot.org/comments.pl?sid=175857&cid=14615222

    http://slashdot.org/comments.pl?sid=273931&threshold=1&commentsort=0&mode=thread&cid=20291847

    http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261

    ----

    +2 'modded up' posts by "yours truly" (25):

    http://it.slashdot.org/comments.pl?sid=158231&cid=13257227

    http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367

    http://science.slashdot.org/comments.pl?sid=158310&cid=13263898

    http://it.slashdot.org/comments.pl?sid=1361585&threshold=-1&commentsort=0&mode=thread&cid=29358507

    http://it.slashdot.org/comments.pl?sid=158231&cid=13257227

    http://slashdot.org/comments.pl?sid=290711&cid=20506147

    http://slashdot.org/comments.pl?sid=245971&cid=19760473

    http://it.slashdot.org/comments.pl?sid=416702&cid=22026982

  85. Uh, blackhats knew the 'sploit by Anonymous Coward · · Score: 0

    Uh, blackhats knew the 'sploit. Users knew that there was a problem, so they could lock that down, which would have made ZERO zeroday exploits. So having been exploited would be the fault of the person who knew there was a fault and didn't protect against it.

  86. This argument is stupid by deathtopaulw · · Score: 0, Flamebait

    This is Windows XP. It is a piece of abstract digital art depicting the life of a block of swiss cheese. "Responsibility" about security holes has nothing to do with this. There are probably 500 other known ways for someone to hijack your shitty ancient pc. Shut up.

  87. Let's play "shoot the messenger" by arose · · Score: 1

    Microsoft made millions, possibly billions, of XP, but still can't deal with security problems. Instead, let's all point fingers to the guy who made us aware of the threat, just look at how irresponsible he is for warning us! Microsoft on the other hand is big and responsible, why they still give you hundreds of fixes for your lousy system for free, it's not like you bought it expecting functionality and at least a reasonable amount of security. Just don't complain when they decide to stop patching, it's all for your own good.

    Hooray for benevolent, responsible Microsoft! Boo for evil, childish hacker!

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
    1. Re:Let's play "shoot the messenger" by DaveV1.0 · · Score: 0

      Yes, let's point our fingers at Ormandy.

      You kind of skipped over the fact that Ormandy only gave MS 5 days to fix the problem before alerting the world and providing exploit code.

      Microsoft is a huge corporation and has to both check his work and then get a fix written and scheduled for release. Things take time in a huge corporation. Not giving MS time to create a patch and distribute it is being an asshole and Ormandy is responsible for any infections because he couldn't wait a week.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:Let's play "shoot the messenger" by arose · · Score: 1

      You kind of skipped over the fact that Ormandy only gave MS 5 days to fix the problem before alerting the world and providing exploit code.

      It is Microsoft's obligation to fix their shoddy work, third parties are not responsible for making them look good. Besides you kind of skipped over the fact that he gave them 60 days, if they would commit to that within the five days you claim he gave them. They didn't, I can't blame him one bit for keeping everyone vulnerable for an indefinite amount of time.

      Microsoft is a huge corporation and has to both check his work and then get a fix written and scheduled for release.

      Funny, they test hundreds upon hundreds of patches to some arbitrary high standard that doesn't allow them to commit to a 60 day fix, yet they can't test their OS worth shit?

      Not giving MS time to create a patch and distribute it is being an asshole and Ormandy is responsible for any infections because he couldn't wait a week.

      Microsoft introduced a vulnerability in a Microsoft developed OS that Microsoft sells (EULA disclaimers notwithstanding) as a generally useful, internet worthy software. They, and only they, are responsible for any infections that occur as a result of their negligence. Blaming third parties for informing us of problems MS would prefer to sweep under the carpet to be dealt with (or not, as the case with EOL may be) is beyond ridiculous.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    3. Re:Let's play "shoot the messenger" by DaveV1.0 · · Score: 1

      I see. So, even though he has no idea how long it will take to fix and test, Microsoft should agree to his arbitrary deadline and if they don't he will release exploit code. That is different from extortion how?

      "They test hundreds upon hundreds of patches" Funny, do you make things up often? He said "Hey, found this exploit. Fix it or else." Seeing as you seem to know everything, exactly how much code needs to be changed and how many tests need to be run? How long will it take?

      "yet they can't test their OS worth shit" Yet, it took 9 years for someone to stumble upon this.

      Blaming third parties for informing us of problems MS would prefer to sweep under the carpet

      So, wanting to be able to give a definitive answer is, in your mind, sweeping things under the carpet. At least you have shown how your mind works. What is it like to be a paranoid?

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    4. Re:Let's play "shoot the messenger" by arose · · Score: 1

      What is it like to be a paranoid?

      You tell me, I'm not raving about extortion.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  88. How enterprise security updates are born. by Anonymous Coward · · Score: 1, Insightful

    Let me explain something to all of you “network admins” who still work out of mom and dad’s house. In the real world 5 days isn’t that long, even for only an initial response. I routinely wait two weeks just to get technical callbacks from companies I want to spend money with. I know it’s not as instantly gratifying as your last FRAG but that is the way things work in the real world (not MTV).

    I don’t like the role of Microsoft apologist; and I think Microsoft has some answering to do since hints of this type of problem have been circulating for quite a while now. However I don’t think most of you even have a clue to the scale and sophistication of the Microsoft security effort. Here is a summary I got from a Microsoft engineer a few years ago.

    First they have to reproduce the issue. Then Microsoft contracts 3rd party independent security professionals to rank the significance of each vulnerability. After that they have to debug and code review the existing code to determine if it is vulnerable to more than the original disclosure. Then they need to determine if the problem is a simple buffer overflow or a design problem. If it is a design problem they need to consult with the OS and applications divisions. Then they need to code the fix. After they have a fix they regression test it; not only against their 6 current operating systems and every supported service pack; but against their own huge software library and a massive collection of 3rd party software. That’s right, Microsoft tests their updates against 3rd party software to make sure their update does not break your games so you can continue to FRAG your friends. They are not always successful; especially when Google jerks force premature updates, but at least they try. Assuming that everything works correctly the first time around; and anyone who has written more than a few lines of code knows that that NEVER happens, you have a brand spanking new security update 30 to 90 days later.

    I don’t know how complete this is; and from my experience I suspect Microsoft skips some of the steps for certain types of patches, but the point is that the process of rewriting the vulnerable code is actually the quickest and possibly easiest step in the release process.

    Think about the McAfee blunder a few months ago and the millions of dollars companies needed to spend to fix it, and that was just due to a single poorly tested signature update. Last time I remember Microsoft doing something like that was 9 or 10 years ago when they crashed everyone’s Exchange server with an OS update.

    I’m sure many of you are great coders but that doesn’t give you insight into the world of enterprise development where one mistake can affect 60% of the world’s computers.

  89. Tavis Ormandy is like a home security door tester by kernelcache · · Score: 1

    If you are testing a door, which is supposed to be secure, and determine that there is a flaw which can allow an intruder into the home through some non-obvious bypass mechanism, then you have a responsibility to not divulge that information to someone other than your manager/company, and the company that manufactures the door. Putting a 3rd party at risk or the home owner is negligent. It's the same as not only telling criminals how to bypass the door's obvious security, but also creating a special tool to exploit the non-obvious security flaw. If you were a home owner that owned this door then you have an expectation that the door will operate as expected...not prevent intrusion in every possible case! The fact that someone took it upon themselves to expose you and your family to crime by exposing a non-obvious security flaw is....well, criminal. Tavis Ormandy and Google and Microsoft will probably all get sued if there are real damages that occur. I would even bet that Tavis could face criminal charges, since he didn't allow enough time for the door manufacturer to contact the home owners in order to replace or correct the flaw... I would argue that there is no point in releasing a security flaw, let alone a proof of concept exploit, except for Tavis Ormandy's own glory...and "look what I found". It's truly sad.

  90. Not enough time! by Runaway1956 · · Score: 0, Troll

    I just can't sit and read this entire discussion - time is short today.

    I've read enough MS Fanboi whining to get their spin.

    I've read enough MS haters to get their spin.

    I've read several reasonable, middle of the road posts.

    I've even read a couple of the off-topic racist bullshit posts.

    Bottom line, to me, is that Microsoft brought this upon themselves when they enabled the browser to run the operating system. They created more vulnerabilities with that gimmick, than an army of security specialists have been able to close in a decade. A freaking ARMY of security people have been working with Windows XP for almost forever.

    Come on, Microsoft. Just disable all the stupid bullshit. Issue a security update that disables IE from doing ANYTHING more than browsing the web. Let it have access to Java, Flash, and the other standard plugins - and nothing more. Anything facing the web should be as UN-privileged as possible, and still do its job. You know it, we know it, everyone knows it - so MAKE IT HAPPEN!!

    Meanwhile - people should really consider upgrading to Linux. Those who are stupider than me, should upgrade to Win7. (Hey, seriously folks, I'm not a physicist, a rocket scientist, a biologist, or even a meteorologist, and I figured Linux out!)

    And, oh yeah. Fuck Microsoft, fuck Bill Gates, and fuck that chair throwing baboon who has replaced Gates. I never liked any of them. The next serious exploit to be discovered, I hope they give Microsoft only 48 hours. Bunch of douches.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:Not enough time! by cdrguru · · Score: 0, Troll

      Too bad Microsoft sold the idea of ActiveX to corporate America. There are millions of internal corporate applications that rely on ActiveX in the browser, running "privileged" code and writing stuff on the user's disk.

      Microsoft and plenty of other companies use this as well. Yes, ActiveX was a silly idea from a security point of view, but it was "the" killer application that got things moving on the Web for Microsoft.

      ActiveX as a technology allows for virtually unlimited extensibility of the browser. ActiveX enables SaaS through a web page such that the application is downloaded, executed and removed from the computer all in a single step. Obviously it could be misused - and Microsoft seems to have thought that code signing would eliminate that as a problem. Except nobody, not even Microsoft, signs their executables.

      So we have ActiveX: too unsafe for the Internet but just fine for the corporate intranet. Because of this annoying fact it isn't going anywhere anytime soon.

  91. Re:Travis Ormandy is like a home security door tes by Runaway1956 · · Score: 1

    Bullshit. If I find that Company Z's Security doors are easily bypassed by pressing a lever under the bottom edge of the door, I'll tell everyone I know, publish it on the interwebz, report it to the Better Business Bureau, and send reports to law enforcement at the local, state, and federal levels. If I could afford it, I'd hire a skywriter to write the news over every major city, too. Company Z deserves to go bankrupt and be put out of business for selling a door so easily bypassed.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  92. google stinks by usersky · · Score: 1

    The very fact that this guy still works at Google proves that the disclosure of the exploit came as a job assignment from his employer. Never till now has Google looked so terminally bad in my eyes. From "do not evil" to releasing exploits into the wild it's a short path it seems. I won't care about the scumbag that did this personally. What troubles me is that Google acts in a harmful manner to a great deal of its users. Acting as a hackers organization may be still legal if you're a big enough company as Google is but it's a sign about who we are dealing with when we search on the internet.

  93. Anonymous Coward by Anonymous Coward · · Score: 0

    So many aggressively defending the broadcasting of exploit info? I don't see how it's defensible in any case (except by those hoping to use the exploit, or those hoping the exploit will be used by others - hopefully most here are just the latter)

  94. Re:The bad guys thank you Tavis. by Isarian · · Score: 1

    Full disclosure is ONLY the ethical approach when you're working with a bloated company like Microsoft that cannot make commitments to fix problems. I'm head of QA at a software company and when a security problem is discovered in one of our products it is resolved within days, not weeks because I go to the head developer of the product directly for the fix. Our software is used worldwide and we take security very seriously. Of the security bugs I've handled during my time here that were not discovered internally, only one was reported to us privately and we had a fix in 2 days which was pushed out to customers the day after that build passed QA (4 days total for a fix). The rest were published as zero-day exploits online and got the exact same level of attention and focus, which is fixing it immediately.

    During the process I stayed in touch with the person who reported it, providing updates and information about what steps we were taking, and also ensured they got credit for the find. I realize that a product like Windows can't be fixed in that short of a time, but the communication is the most important part of this process and it has to assure the bug reporter that their information is being taken seriously and acted upon. The burden here is on the software company, not on the reporter, because that reporter has to gauge their next move based on whether the developers will act on that information appropriately.

    If Tavis tried to get a commitment from Microsoft for a fix and was blown off, good on him for reporting this publicly and getting a fire under their asses.

    To the security researchers of the world - PLEASE, give the developers a chance to respond before assuming the worst.

  95. Re:The bad guys thank you Tavis. by kscguru · · Score: 1

    Well, you need to be faster. Much faster. As fast as open-source software. Don't say you can't do it: we can

    If this had been reported in open-source software, there wouldn't even be a fix, just a snarky e-mail (about as snarky as your post, actually) saying this was fixed four years ago and telling the user to upgrade. And woohoo, the latest (open-source) version is free! - when you don't count your time to do the upgrade.

    Open source software doesn't support 9-year-old codebases; most open-source projects (core developers) only support top-of-trunk and even most open-source vendors (read: those who sell support contracts) only make 3-5 years out.

    I've interacted with Microsoft security before. They are quite serious about fixing things, they have standards for what gets fixed on what timeline and they really do follow them, and get back in a REASONABLE amount of time (usually, ~1 week, not 2.5 business days). Generally, they ask whether a bug is being exploited in the wild. If it is, they react fast; if not, they take their time (a thorough investigation, not a rushed investigation), and not the refusal you naively claim.

    The problem in parent's logic (and many other self-styled security experts) is assuming that their personal security issue is the single most important issue on the planet and applying scorched-earth tactics to escalate its priority - a sign of megalomania, not of responsible security research. Is a not-in-the-wild exploit more important than an in-the-wild exploit? Is a not-in-the-wild exploit more important than Joe's long-awaited vacation with his kids? Is a not-in-the-wild exploit worth risking breakage due to an unexpected conflict? Your personal answer to all these may be "yes"; it is plain arrogance to force that answer upon everyone else. That's the difference between responsible disclosure and (this Google idiot's) irresponsible disclosure.

    --

    A witty [sig] proves nothing. --Voltaire

  96. Re:Travis Ormandy is like a home security door tes by kernelcache · · Score: 1

    Your theory as to the rationale behind publication of the exploit is flawed since you can be held as an accomplice to the criminal behavior that results from your release. For example if you know that someone is going to be at a specific place at a particular time and you knowingly release that information to people who are seeking to do harm to that person then you are an accomplice to their "means" and "opportunity", and your "motive" falls under the malicious intent category. Clearly the logic of this situation baffles many people why it would be questionable to release such information, which is obviously for the good of the public...until the public is harmed by it...then Mr. Tavis Ormandy is no better than the criminals themselves.

  97. "Do you expect me to talk?" by Anonymous Coward · · Score: 0

    "No Mr. Ballmer...I expect you to patch!"

  98. Re:Travis Ormandy is like a home security door tes by Runaway1956 · · Score: 1

    There is no logic to your analogy. In your little scenario, I would be party to a conspiracy. In the case of the insecure security doors, I would be making public the fact that the security door company had been ripping people off. The case of Microsoft's vulnerabilities is very much the same as the manufacturer of the insecure security doors.

    So, don't even try to equate consumer education with conspiracy to commit murder. You fail, dismally.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  99. This is a big "Told You So" by Johnny+Mnemonic · · Score: 2, Informative

    I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:

    http://news.cnet.com/8301-30684_3-20006509-265.html

    Google leaks that they're moving away from Windows, because it's insecure and its use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.

    I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?

    --

    --
    $tar -xvf .sig.tar
  100. You forgot something by DaveV1.0 · · Score: 1

    In this case, he did not provide the information to just the car owners. He provided it to everyone, including the car thieves along with detailed instructions on how to open and start the car.

    That is why your little story fails.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    1. Re:You forgot something by Rogerborg · · Score: 1

      Good point. He should just have emailed the disclosure to OnlyRealGenuineMicrosoftCustomers@microsoft.com

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:You forgot something by Just+Some+Guy · · Score: 1

      Thieves already knew about the trick. They just didn't bother telling Ford or Ford owners about it.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:You forgot something by DaveV1.0 · · Score: 1

      No, they didn't. No one knew about the trick until the discoverer told the world, including the thieves. Quit trying to change the facts.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    4. Re:You forgot something by Just+Some+Guy · · Score: 1

      No, they didn't. No one knew about the trick until the discoverer told the world, including the thieves.

      LOL. Do you actually believe that the world was safe from that vulnerability before Tavis published it?

      --
      Dewey, what part of this looks like authorities should be involved?
  101. sig by daeglo · · Score: 1

    RE your sig: http://store.apple.com/us/configure/MC438LL/A?mco=MTgxNTgzODA Looks like GNU and DNF need to get with the program.

    1. Re:sig by drsmithy · · Score: 1

      That's not even close to a "Mac Mini Pro". Only a slow dual-core CPU, 8GB RAM max, no PCIe video card, no spare PCIe slot, slow 2.5" drives (and only a single one without sacrificing the optical drive).

      What I want is basically half a Mac Pro - or the equivalent of a Dell Precision T1500 if you want something actually on the market. A single CPU socket, up to 16GB RAM, (upgradable) PCIe video card, two free PCIe slots (x4 and x1), two internal 3.5" drive bays and an optical drive.

      And I want a base model - quad-core, 4GB RAM, 500GB HDD - that costs about $1300. If Dell can do it for a grand, Apple can do it for $1300 and still collect a reasonable Apple Tax.

    2. Re:sig by daeglo · · Score: 1

      That wouldn't really fit in the Mini packaging. How about calling it a Mac Pro Mini? or perhaps the iCram?

  102. Re:Conspiracies? Let us have some by obarel · · Score: 1

    Google has never been the target of a DDOS, where hundreds of thousands of infected computers are trying to cause real financial damage to it. I'm pretty sure they never will be, either. So why should they care? By not using Windows internally they are automatically protected against such attacks.

  103. You bet it's bullshit by Just+Some+Guy · · Score: 2, Informative

    Windows XP is released in dozens of languages with support contracts for all of them

    If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.

    --
    Dewey, what part of this looks like authorities should be involved?
  104. It's YOUR fault, not googles by mcneely.mike · · Score: 1

    For how long now, you've been told Windows is a car wreck waiting to happen, and when it happens, you cry "Woe is me".
    Don't be so pathetic. Keep driving a car with no brakes, and sooner or later you'll wish you had stopped driving it.
    I switched cars long ago and haven't looked in the rear view mirror since. (How's that for a car analogy?)

    --
    soylentnews.org Go there to enjoy the people!
  105. Re:The bad guys thank you Tavis. by columbus · · Score: 1

    This is some of the most level-headed commentary on this subject so far. Unfortunately, I don't have mod points.

    Someone mod up the parent please.

    --
    friends don't let friends teleport drunk
  106. Re:This is classic Tavis. by arose · · Score: 1

    So... We should only fix vulnerabilities when they are widely exploited?

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
  107. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    If this had been reported in open-source software, there wouldn't even be a fix, just a snarky e-mail (about as snarky as your post, actually) saying this was fixed four years ago and telling the user to upgrade. And woohoo, the latest (open-source) version is free! - when you don't count your time to do the upgrade.

    Assertion as fact, ad hominem by way of a straw man, and a--foray into the economics of software development? Ah, just a tired jibe. Setting aside the sarcasm, your last statement is correct as written and the concept of quantifying time in terms of money is broadly applicable--enough so to almost be a vacuous truth. The implied argument of true cost, or TCO, does not seem to lend itself to exact proof, or even unqualified truths. Any certain statement is therefore doubtful, and more likely to be founded in personal belief than data. Given that most people here have a good understanding of complexity of the issues at hand, I would say that you come off less as an authority and more as an asshat.

    In other words, enough with that line already, we've heard it for at least fifteen years. It's not convincing and doesn't promote any useful or interesting discussion. Promote Windows however you like, but realize when your tactics need improvement.

    As to the rest of your post, it seems to have been well answered elsewhere. I like the sig, though.

  108. Fairs fair by philofaqs · · Score: 1

    Sorry, but what, 3 working days for a fully regression tested fix? Perhaps MS should release an update that "accidentally" breaks google, chrome, firefox, open office, opera and all after five days then say sorry but we were forced to release an untested patch. Google should get rid of this bloke, he's good at finding things but really this is dreadful behaviour. Do you really think your OS of choice could get a fully tested fix out in the time frame MS was given here. Not some basement dweller who says this is the fix, without realising it breaks some major apps. Look at the howls when MS or Apple release an update and someone's (usually malware infected) machine breaks.

  109. HTML for documentation? Sure. (with caveats) by reiisi · · Score: 1

    HTML beyond really basic stuff is hard to parse. (That's why it took so long to make near-WYSIWYG editors for it. Our processor/memory specs are just now getting into the ballpark.)

    I mean, really hard to parse.

    In case I have to spell things out,

    R-E-C-U-R-S-I-O-N

    for starters. Oh, and

    unspecified O-B-J-E-C-T-s. Extensibility.

    And, things-that-are-hard-to-parse-are-easy-to-hide-things-that-aren't-supposed-to-be-there-in.

    HTML isn't really a bad idea for help documents, but where do you put the walls? Where did Microsoft fail to put the walls?

    Shoehorn, whatever, Microsoft was too busy pushing features to take the market over with to build their product responsibly, and they still are.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  110. Eyes closed is safe? by reiisi · · Score: 1

    NYah Nyah, I can't see you, you can't hurt me!

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  111. Yeah, release 'em all at once. by reiisi · · Score: 1

    More information to work from.

    More flaky interactions to exploit.

    Predictability is no substitute for security. It's not even halfway there.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  112. break stuff? by reiisi · · Score: 1

    It was already broken.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  113. Avoiding disproving points in my init. post? by Anonymous Coward · · Score: 0

    "Oh, I see. Anyone who disagrees with you is either a malware maker, a webmaster that relies on annoying ads, or a fool." - by Kalriath (849904) on Wednesday June 16, @07:48PM (#32596988)

    VERY GOOD: He can read, AND understand what I wrote... that about takes care of the others around here who complain about my "writing style" etc., quite neatly (thank you actually).

    ---

    "And you're accusing me of ad hominem attacks. That's rich." - by Kalriath (849904) on Wednesday June 16, @07:48PM (#32596988)

    Absolutely, and there's little doubt of your b.s. off topic reply here that you are indeed, attempting to "put me down" etc., but again, that'd mean YOU are avoiding attacking the points I put up, & instead you attack me with your crap.

    (Who do you think you are fooling, other than possibly yourself?)

    ---

    "Anyway, you're using hosts files for something they're completely unsuited for" - by Kalriath (849904) on Wednesday June 16, @07:48PM (#32596988)

    WTF? You had better read my replies here, and then disprove every point about HOSTS I made (and that others I cited did as well then)... go for it!

    Folks like Mr. Oliver Day of SECURITYFOCUS.COM (a division of Symantec iirc no less) even state he goes faster & that he uses a HOSTS file to block out known bad sites &/or servers + ad banners etc. as I do... because it works, and makes you not only safer online, but also faster.

    This is a "bad thing"? I know not. So did many others I noted also... your b.s. here? Quite pitiful actually!

    (You "talk a lot" but, when it comes down to when the chips are on the table? Your mouth writes checks "the likes of you", cannot ca$h... prove me wrong - disprove my points to others here on HOSTS then, without a shadow of a doubt (you can't, & you KNOW it, as you've tried before & failed badly!)

    ---

    "and you're arguing in favour of violating the TCP/IP spec to suit your incompatible use case." - by Kalriath (849904) on Wednesday June 16, @07:48PM (#32596988)

    LOL, tell that to the others I used in quotes in my initial post here then... & do disprove what I wrote in it. Good luck, YOU'LL NEED IT!

    ("violating the TCP/IP spec"? Are you illiterate?? MS put in the 0 vs. 0.0.0.0 or even 127.0.0.1, fool, not I... & guess what? It's FASTER & even MS' own mgt. agreed on that much, as would anyone who codes in fact (& what I actually respect about Foredecker? He's got his CSC degree @ least... many mgt. figures in this trade, do not!)).

    On the note of CSC, or CIS/MIS degrees: DO YOU POSSESS THAT TO YOUR CREDIT? I do...

    ---

    "I'm unsurprised that Microsoft ignored you, and frankly were I in their place I'd do the same." - by Kalriath (849904) on Wednesday June 16, @07:48PM (#32596988)

    First of all, you obviously ARE illiterate: Foredecker & I had a long ongoing email conversation about this, & he initially tried to "cut me down" on his blogs, but when I pursued that further here? He did concede I have a point on HOSTS files & what I noted above about them!

    APK

    P.S.=> Learn to read, or @ least "boost" your reading comprehension, you clearly off topic TROLL! apk

    1. Re:Avoiding disproving points in my init. post? by Kalriath · · Score: 1

      You know what? Screw it. You'll just sit there insulting anyone who disagrees with you because clearly if someone doesn't agree with your bullshit, they're evil.

      Go fuck yourself, APK.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Avoiding disproving points in my init. post? by Anonymous Coward · · Score: 0

      All you did was avoid disproving the very same points he wrote that silenced the Master as it has you also. Poor showing on your part.

    3. Re:Avoiding disproving points in my init. post? by Kalriath · · Score: 1

      Out of sheer boredom, I decided to reply to your points, since they're all very easy to do so. Fucked if I know where though, I'm sure it's around somewhere.

      Oh shit, you're pretending not to be APK. Sorry about that... you didn't need that cover did you?

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  114. where all their customers "were" by vaporland · · Score: 1

    Software gets developed for paying customers. I work for a web development company. When the client is waiting and there's money to be made, no effort is spared. Once the app is launched, there's no incentive to update anything, even if it's broken - everyone's already started working on the next paying job.

    XP is elderly. Vista just plain sucked. Win7 is where the money is - MS's attitude is that if an older product is giving you fits, don't patch it, punt it, and buy something shiny new...

    (note that I don't necessarily agree with this approach, it's just 21st century "business ethics")

    --
    Ask Me About... The 80's!
  115. Re:don't forget comments with smug self-superiorit by thenextstevejobs · · Score: 1

    i found it self deprecating

    --
    Long live the BSD license
  116. Re:The bad guys thank you Tavis. by Anonymous Coward · · Score: 0

    You're not taking the analogy far enough.
    Full disclosure is like telling people that guns exist. Sure, some people would decide to use them to shoot others, but everyone else would know to look out for guns and perhaps invest in a bulletproof vest.

    Knowing that guns are out there gives you an advantage.

  117. Re:The bad guys thank you Tavis. by soppsa · · Score: 1

    Mod this fellow up, he is indeed quite correct.

  118. Disprove the points in this URL, pretty simple by Anonymous Coward · · Score: 0

    See subject, & this URL:

    http://it.slashdot.org/comments.pl?sid=1687452&cid=32589278

    "You know what? Screw it. You'll just sit there insulting anyone who disagrees with you because clearly if someone doesn't agree with your bullshit, they're evil." - by Kalriath (849904)on Thursday June 17, @06:13PM (#32607514)

    The URL's above's the one you keep avoiding, so I posted it here above, for your reference in disproving the points noted in it in favor of HOSTS files usage... since you keep avoiding doing that & instead you try to attack myself here (and anyone can see your first post in this exchange in reference to that, so don't try to play "innocent" here).

    (That should be "pretty simple" for the likes of yourself to do, right? I mean, what with all your profanities & ad hominem attacks you directed my way here right off the bat in your first reply (where you attacked myself, rather than my points noted in the URL above)).

    ---

    "Go fuck yourself, APK." - by Kalriath (849904)on Thursday June 17, @06:13PM (#32607514)

    No thank you.

    APK

    P.S.=> Good luck, you'll NEED it (and all your b.s. & profanities + ad hominem attacks here on myself rather than the points I bring up vs. your & "Your Master"'s profanities and other crap aren't going to be of much help either)... apk

    1. Re:Disprove the points in this URL, pretty simple by Kalriath · · Score: 1

      A lot of points in your linked post are completely irrelevant. "A large file reads slower than a smaller one". Holy crap, REALLY?!? I also note that your testimonial is from a user who says they "no longer get 100-200 viruses a month, now lucky to get 1-2 viruses". Seriously, if you even get 1 virus a month, you're an idiot that shouldn't even own a computer. I see you also claim a hosts file consumes no CPU. This is simply not true. Parsing the damn thing on every DNS resolution does indeed consume CPU resources (amazingly enough!) And I see that every time he brought up the fact that using "0" as an IP address is a violation of the IPv4 standard, all you can say is essentially "but", and then accuse him of being a malware writer, because he advocates following standards - which any developer should be advocating. Personally, I feel standards should always be followed as well. Look at the last time someone ignored them - it got us 10 years of Internet Explorer 6.

      Just so that you have nothing to fuel your ad hominem attacks, I've deliberately avoided insulting you in this post. I've even reduced the profanities to make it more difficult for you. Woohoo! Go hard!

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  119. Re:Damning of Ormandy? - Totally OT now by ratboy666 · · Score: 1

    For your amusement --

    I didn't understand either, so I posted a reply to my own post, going into the argument in more depth. The first post ends up with -1 Troll, and the reply with +5 Informative (beginning with Karma boost +1). Here is the moderation history of those two posts:

    Comment Moderation
    sent by Slashdot Message System on Thursday June 17, @12:05AM
    Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Overrated (-1).
    It is currently scored Normal (0).
    Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Insightful (+1).
    It is currently scored Insightful (2).
    Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Interesting (+1).
    It is currently scored Interesting (3).
    Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Informative (+1).
    It is currently scored Informative (4).
    Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Insightful (+1).
    It is currently scored Insightful (5).
    Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Underrated (+1).
    It is currently scored Normal (1).
    Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Troll (-1).
    It is currently scored Troll (0).
    Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Overrated (-1).
    It is currently scored Insightful (4).

    Now, I will tend to believe that final "Overrated" comment -- the argument is obvious and really not that "Insightful", but, the WEIRD thing is the first comment was moderated "Overrated" immediately, and it hadn't been rated yet.
    +2, Overrated, Underrated, Troll. Now, "Troll" is good for eliminating a post, because that causes a lot of readers to assign a -1 penalty. So, this comment apparently struck a nerve with several people, and I have no clue why. Like I said in my "self-reply", I don't get it. I wouldn't change the post, even if I knew why -- I believe in the argument. I just want some insight into the thinking that went into those moderations.

    Still, I actually think the /. moderation system is a "good thing" (tm). But maybe something like a "Spend some Karma to send a message to the moderator" feature might be nice. I don't want to KNOW who the moderator is, but being able to engage a dialog "off-side" (send a message to the moderator, without knowing who it is, being able to engage an email exchange) may be nice. Maybe it should cost some Karma points (2,3,5?) to do so?

    I've been mulling this over the past day.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  120. Re:Damning of Ormandy? - Totally OT now by QuietObserver · · Score: 1

    I did note the initial state of your self reply, but I still couldn't comprehend the justification concerning your original post. At least the Mods didn't penalize me for calling them out (particularly considering my relatively high UID). I do agree with your opinion on the moderation system; I was merely objecting to the abuse of the system, not that many mods will likely see it, considering the lateness of my reply. Even if my post is little read, hopefully it affects the few who actually do read it to be more careful. Fortunately, I did not immediately dismiss your thoughts just because they had been unfairly criticized. And thanks for the history of the moderation.

  121. Re:Damning of Ormandy? - Totally OT now by QuietObserver · · Score: 1

    Minor correction; the state of your self reply was +5 when I replied. I'm not sure why I wrote initial in place of that.

  122. Avoiding disproving my points? More evasions?? by Anonymous Coward · · Score: 0

    "Out of sheer boredom, I decided to reply to your points, since they're all very easy to do so. Fucked if I know where though, I'm sure it's around somewhere." - by Kalriath (849904)on Sunday June 20, @04:30AM (#32630652)

    First of all: "Ahem" (clears throat -> ) "bullshit"...

    Secondly: Well - Where is this disproval of my points in response to yourself & "Your Master" here, then?

    You are full of it, and you can't even produce results, much less results that are VALID & completely disprove my points to yourself, and "Your Master", here -> http://it.slashdot.org/comments.pl?sid=1687452&cid=32589278 !

    (That's the post you were asked to reply to, and to disprove its points completely & without a DOUBT... but then, as per usual? You avoided doing that too!)

    APK

    P.S.=>

    "Oh shit, you're pretending not to be APK. Sorry about that... you didn't need that cover did you?" - by Kalriath (849904)on Sunday June 20, @04:30AM (#32630652)

    Oh, I'm not pretending to be me here... I am myself. However, as you keep evading disproving my points in reply to yourself & "Your Master" here in the URL above (& doing so on your part, beyond a shadow of a doubt too, no less)... well, that's only FURTHER showing others here the off topic & technically challenged TROLL YOU CLEARLY ARE... apk

  123. Kalriath "shot down in flames..." by Anonymous Coward · · Score: 0

    "A lot of points in your linked post are completely irrelevant. "A large file reads slower than a smaller one". Holy crap, REALLY?!?" - by Kalriath (849904) on Sunday June 20, @04:27AM (#32630644)

    Yes, really... & yes, the manager from Microsoft's Windows Client Performance Division (Foredecker, he posts here no less) agreed WITH ME that yes - That is the case also, and YOU LOSE in having to admit that alone, just as Foredecker did...

    You can't disprove that, so you're left with sarcasm at most/best (which is far from disproving the fact you now seemingly, albeit sarcastically on your part, must admit I am correct on (without question)).

    Using the smaller, faster, & more efficient 0 blocking address in a HOSTS file results in a smaller, faster, & more efficiently loaded & read/reloaded & re-read HOSTS file, period (vs. using 0.0.0.0, or worse yet, 127.0.0.1 as a blocking IP address in HOSTS files).

    ---

    "I also note that your testimonial is from a user who says they "no longer get 100-200 viruses a month, now lucky to get 1-2 viruses". Seriously, if you even get 1 virus a month, you're an idiot that shouldn't even own a computer." - by Kalriath (849904) on Sunday June 20, @04:27AM (#32630644)

    You're assuming everyone on this planet is a "PC Expert", first of all... newsflash/NEW NEWS: They're not. Secondly?

    HE IS A PARTICULARLY INTERESTING CASE, & HIS INFESTATION RATE WAS WHY I CHOSE HIM AS A TESTER OF A CUSTOM HOSTS FILE: (perfect test case, wouldn't you say, from his former 200+ viruses a month, down to MAYBE 1 every so many months (I have seen 2 actuals in around a year's time on his reports from Spybot & that's it, & we removed them using Process Explorer, and he downloaded them himself only to find they were malware)):

    King's Joker is running Windows 2000, OEM release original build mind you, AND no service packs OR hotfixes, plus no antivirus or antispyware programs running resident either...

    His results are great only using PART OF MY SECURITY GUIDE TOO (not implemented in full on his part & with reasons, to test a HOSTS file alone, not the entire gamut of my security guide's layered security methods, which entails FAR MORE)?

    That's been the case for him for over 2 yrs. now iirc at this point in his testing this & reporting his results as he has, in using a custom hosts file only as a protection method online (& some of the "viruses" he has gotten? I have seen the Spybot Search & Destroy reports he ran at month's end a couple times, & they're not even real malware: More warnings on registry configurations & such).

    Still, his post?

    His results are especially exemplary of how a system benefits greatly, in both speed & security, from a custom HOSTS file... in speed AND security, from 1 single file that everyone already has, for free!

    ---

    "I see you also claim a hosts file consumes no CPU. This is simply not true. Parsing the damn thing on every DNS resolution does indeed consume CPU resources (amazingly enough!)" - by Kalriath (849904) on Sunday June 20, @04:27AM (#32630644)

    On the first load @ the first app that calls out to the internet, yes. Once that occurs, either the DNS Client Cache OR the local disk cache CACHES said file into memory & that's it... that's nothing like the work, or the possible security & other types of bugs, that can happen in other programs/bad-site blocking methods (and they do have errors, being programs vs. a file (which is all HOSTS is, a filtering file); see DNS servers for example, & Dan Kaminsky's findings there).

    ---

    "And I see that every time he brought up the fact that using "0" as an IP address is a violation of the IPv4 standard" - by Kalriath (849904) on Sunday June 20, @04:27AM (#32630644)

    One that MS used in Windows 2000 in a service pack (
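
    The posts above argue about three things a HOSTS-file blocklist does: how the resolver reads the file, whether "0", 0.0.0.0 or 127.0.0.1 is the blocking address, and how much the choice of address changes the file size. The following Python is an added illustration, not code from any of the posters or from Windows: it parses a constructed HOSTS sample once into a dictionary (the "load once, then answer from memory" behaviour the thread attributes to the DNS client cache), answers block/allow lookups from it, and measures the byte cost of the same blocklist written with each of the three addresses. The assumptions are labelled in the comments: the sample data is made up, the sinkhole-address set is my choice, "0" is treated as equivalent to 0.0.0.0 because the thread says older Windows resolvers read it that way, and "first entry wins" is a design choice rather than a documented resolver rule.

    ```python
    """Parse a Windows-style HOSTS file into a blocklist and compare encodings.

    Added example for this thread; not code from the posters or from Windows.
    """

    # Constructed sample, not a real blocklist.  It uses the three sinkhole
    # spellings argued over in the thread ("0", 0.0.0.0, 127.0.0.1), plus the
    # localhost lines every Windows HOSTS file ships with and one pinned host.
    SAMPLE_HOSTS = """\
    # Copyright (c) 1993-2009 Microsoft Corp.   (comment lines are ignored)
    127.0.0.1       localhost
    ::1             localhost
    0       ads.example.test
    0.0.0.0 Tracker.Example.Test      # trailing comment, mixed case
    127.0.0.1   malware.example.test  mirror.malware.example.test
    93.184.216.34  pinned.example.test
    """

    # Addresses that send a name "nowhere".  ASSUMPTION: "0" is listed because
    # the thread says older Windows resolvers read the one-part form as 0.0.0.0;
    # newer systems may reject it, so check your own resolver before relying on it.
    SINKHOLES = frozenset({"0", "0.0.0.0", "127.0.0.1", "::1", "::"})

    # Names that legitimately point at loopback.  A 127.0.0.1-based blocklist is
    # indistinguishable from these by address alone, which is one practical
    # reason to prefer a non-loopback sinkhole such as 0.0.0.0.
    LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain"})


    def parse_hosts(text):
        """Return {hostname_lower: address} from HOSTS-format text.

        Done once; callers hold on to the dict so each lookup is a hash probe,
        not a re-parse of the file.  ASSUMPTION: the first mapping for a name
        wins; real resolvers differ, so do not treat this as a Windows rule.
        """
        table = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            fields = line.split()
            if len(fields) < 2:
                continue                          # address with no hostnames: skip
            addr, names = fields[0], fields[1:]
            for name in names:
                table.setdefault(name.lower().rstrip("."), addr)
        return table


    def is_blocked(table, hostname):
        """True if the name is mapped to a sinkhole address (and is not localhost)."""
        name = hostname.lower().rstrip(".")
        addr = table.get(name)
        return addr is not None and addr in SINKHOLES and name not in LOCAL_NAMES


    def render_blocklist(hostnames, sink):
        """Write one 'sink hostname' line per name, as a generated HOSTS blocklist does."""
        return "".join(f"{sink} {name}\n" for name in hostnames)


    def encoded_sizes(hostnames):
        """Bytes on disk for the same blocklist under each sinkhole spelling.

        The difference is exactly (len(sink) - 1) bytes per line, which is the
        whole of the size argument made in the thread.
        """
        return {
            sink: len(render_blocklist(hostnames, sink).encode("ascii"))
            for sink in ("0", "0.0.0.0", "127.0.0.1")
        }


    if __name__ == "__main__":
        table = parse_hosts(SAMPLE_HOSTS)
        for host in ("ads.example.test", "TRACKER.example.test.", "pinned.example.test", "localhost"):
            print(f"{host:28} blocked={is_blocked(table, host)}")
        print(encoded_sizes(["ads.example.test", "tracker.example.test"]))
    ```

    Run it as a script to see the lookups and the three file sizes for a two-entry list; feed `encoded_sizes` a real list of tens of thousands of names to see the per-line saving the thread is arguing about at scale. The `LOCAL_NAMES` exclusion is the caveat worth noticing: once you block with 127.0.0.1, nothing in the file distinguishes a blocked name from a name that is meant to resolve to the local machine.
    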

  124. Some "salt on the cut", needs doing... apk by Anonymous Coward · · Score: 0

    "Of course, larger files take longer to load." - by Foredecker (161844) * on Wednesday December 09, @10:34PM (#30384666) Homepage

    http://slashdot.org/comments.pl?sid=1467692&cid=30384918

    Which was the main point I made here: that HOSTS files using 0 are smaller, faster & more efficient than 0.0.0.0 or 127.0.0.1 (especially the latter). So why has Microsoft removed a more efficient IP blocking address in HOSTS files in Windows 7, Windows VISTA, & Windows Server 2008 then?

    At least give us a reason, & it had better be a more efficient & smarter standard... because @ least Windows 2000, Windows XP, & Windows Server 2003 can still use 0 as a more efficient smarter method in a HOSTS file.

    APK

    P.S.=> Funniest part is, Windows 2000 didn't have it in its OEM release to manufacturers & the public; it was put in later in a service pack circa 2000 I'd guess, & it stayed that way in 2000/XP/Server 2003 & even VISTA, way up until 12/09/2008, when VISTA onwards could no longer use 0 as a faster, smaller, & more efficient "doing more with less/less is more" method for blocking KNOWN BAD SITES &/or SERVERS in a custom HOSTS file (& it's looking like INTENTIONAL promotion of BLOAT to me @ this time, because they've known about this from myself for longer than 1 yr. now (fairly soon @ least))... apk

  125. Someone from Microsoft agrees w/ you... apk by Anonymous Coward · · Score: 0

    "Of course, larger files take longer to load." - by Foredecker (161844) * on Wednesday December 09, @10:34PM (#30384666) Homepage

    http://slashdot.org/comments.pl?sid=1467692&cid=30384918

    That's the manager of the Microsoft Corporation's "Windows Performance Client Division" stating that, when he also initially tried to 'cut me down' on my points... & in the end? You see what you see above.

    Which was the main point I made here: that HOSTS files using 0 are smaller, faster & more efficient than 0.0.0.0 or 127.0.0.1 (especially the latter). So why has Microsoft removed a more efficient IP blocking address in HOSTS files in Windows 7, Windows VISTA, & Windows Server 2008 then?

    At least give us a reason, & it had better be a more efficient & smarter standard... because @ least Windows 2000, Windows XP, & Windows Server 2003 can still use 0 as a more efficient smarter method in a HOSTS file.

    APK

    P.S.=> Funniest part is, Windows 2000 didn't have it in its OEM release to manufacturers & the public; it was put in later in a service pack circa 2000 I'd guess, & it stayed that way in 2000/XP/Server 2003 & even VISTA, way up until 12/09/2008, when VISTA onwards could no longer use 0 as a faster, smaller, & more efficient "doing more with less/less is more" method for blocking KNOWN BAD SITES &/or SERVERS in a custom HOSTS file (& it's looking like INTENTIONAL promotion of BLOAT to me @ this time, because they've known about this from myself for longer than 1 yr. now (fairly soon @ least))... apk