Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.
Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.
Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.
You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'
As far as pushing this to users automatically, people get angry when you break shit without asking them.
Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.
So you can disable that service and be at ease that nothing is going to happen to you or your users.
So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS.
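The two mitigations mentioned in this thread (the Fix it tool unregistering the HCP protocol handler, and stopping the Help and Support service) can be checked from an administrator's side. The script below is an added example, not code from the article, Microsoft or anyone in the thread. It assumes two details the page does not state: that the handler is registered under HKEY_CLASSES_ROOT\HCP and that the service's short name is helpsvc. It uses PowerShell 2.0 syntax so it can run on a Windows XP SP3 host.

```powershell
# Added example (not from the article or thread). Reports whether a Windows XP
# host still has both pieces the drive-by attack needed: a registered hcp://
# protocol handler and a running Help and Support service.
# Assumptions not stated on the page: registry path HKCR\HCP, service name helpsvc.

function Get-HcpHandlerState {
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        # This is the state Microsoft's Fix it tool leaves behind.
        return 'unregistered'
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A pluggable protocol handler carries the empty "URL Protocol" marker value.
    if ($props -and ($props.PSObject.Properties.Name -contains 'URL Protocol')) {
        return 'registered'
    }
    return 'present-but-not-a-url-protocol'
}

function Get-HelpServiceState {
    $svc = Get-Service -Name 'helpsvc' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not-installed' }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='helpsvc'"
    # e.g. "Running/Auto" or "Stopped/Disabled"
    return ('{0}/{1}' -f $svc.Status, $wmi.StartMode)
}

function Test-HcpExposure {
    $handler = Get-HcpHandlerState
    $service = Get-HelpServiceState
    # Exposed only when the handler is registered AND the service is running;
    # either mitigation on its own closes the drive-by path discussed above.
    $exposed = ($handler -eq 'registered') -and ($service -like 'Running*')
    New-Object PSObject -Property @{
        HcpHandler  = $handler
        HelpService = $service
        Exposed     = $exposed
    }
}

Test-HcpExposure | Format-List
```

Run it from an elevated prompt; a result of `Exposed : False` means at least one of the two mitigations is in effect, while `True` means the host is in the state the drive-by site in the article was targeting.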
This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.
Had he kept his mouth shut, your systems would be safer.
No, they would seem safer, but be less safe.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
That's not at all what happened. What happened was:
Tavis: "I found a critical flaw, will you fix it in 60 days?"
Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday."
Tavis: "Not good enough". Released to the wild.
Cite: TFA.
Cite: TFA.
Except you're lying. TFA, which I've actually read, has only this to say:
"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"
Where the word "negotiate" clearly implies that there was more than one back-and-forth after the point where the demand for a deadline was given.
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();