Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
And may I ask, how many people does your multi-billion dollar corporation have sitting around to run full regression tests on the 400 applications you run in house? And how long do regression tests take (simply put, sometimes it's more than a day).
So 300 people in the fictitious org are continually testing and retesting the same apps, day in and day out (because even an automated test tool takes time to set up, monitor and interpret, assuming it's even AVAILABLE for Application X). And some of them don't even finish a test cycle before there is a new patch and everyone starts over again.
In the worst case scenario, the organisation can never patch up to date.
On the flip side, what if a bad patch is released (e.g. one that causes a normal system to blue-screen)? MS has 100 million home users who auto install patches; so now 10M or more are broken. Alternatively, as currently, the early adopters test before patch Tuesday and by the day of release, there's at least SOME confidence in the patches.
Actually I've got an idea. What Linux or BSD distro are you running? Do you update sources to the bleeding edge every night and rebuild the system from sources? Do you just assume everything will work? If you do, you already know stuff breaks. If you don't, STFU and stop blaming the cautious among us.
Saying they will get back at the end of the week with a timetable is now considered unreasonable??? Fuck me, that is insane even for a truly anti-MS bigot. Nowhere in the article does it show any unreasonableness from MS, only from Tavis; sounds like he is little more than an irresponsible fuck that was trying to make MS look bad (they hardly need help with that), but the only person that truly looks bad here is him. There is no situation where releasing the vulnerability with code within a week can be considered reasonable or responsible. It would not surprise me if Google quietly exited this guy out the door, as I truly doubt they would condone such a response.
like yours, for example
Intellectual property law is philosophically incoherent. It is your moral duty to ignore it or sabotage it.
This is Windows XP. It is a piece of abstract digital art depicting the life of a block of swiss cheese. "Responsibility" about security holes has nothing to do with this. There are probably 500 other known ways for someone to hijack your shitty ancient pc. Shut up.