Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Release a hotfix to disable the hlp resource locator, as you should have done as soon as you got the bug report.
Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.
All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.
How we know is more important than what we know.
This is a question that should really be asked of Microsoft
Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.
He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?
If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 hours a day (in shifts, of course, around the world, in accordance with their timezones' ordinary business hours), then why not?
The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.
-- these are only opinions and they might not be mine.
Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.
Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.
BUYER be Aware. Is that enough said? Oh well, it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace Y'all.
Just a heads up! Your post is self contradictory.
"Full disclosure is the only truly ethical approach to take to protect the consumer," I hear you say. It would seem that full disclosure, in this case, did *not* protect the consumer.
Microsoft may deserve whatever you think it does. The ones most affected are the users, however. And despite how much I hate the average person, they *don't* deserve whatever you think Microsoft does.
There are positives and negatives for full disclosure and non-disclosure. As with anything in life, I like to think that extremes of anything are a bad way to go about things.
Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publicly disclose this vulnerability on day 61, not day 5.
You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.
Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption; the only safe assumption is to assume that you are not the first to find it, and the only way to minimize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.
Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.
Begging the question: was it Slashdot?
No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.
... and then they built the supercollider.
The question is not whether the exploit had been used prior to disclosure. The question is, on what scale had it been used before it, and how much wider is that scale now due to disclosure?
Or, simply put, how did the chance of being affected by this increase or decrease for an average user? If it increased significantly, then clearly this "hurts the consumers".
It only seems contradictory to people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips off the consumers and transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.
Google could probably release an exploit like this every day if they wanted to - or ten of them. They index the Internet, and that includes the nasty corners where such things are as common as rude pictures on 4chan. Why should they care? They don't use Windows internally any more.
Help stamp out iliturcy.
I'm not sure the analogy is a good one.
This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?
The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it, I'm tired of our society putting off problems until further down the road when it becomes the 800 lb gorilla, with bigger consequences and now impossible to ignore.
And I really don't understand why, I'll quote the article
"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."
So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).
Just another "Cubible(sic) Joe" 2 17 3061
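The workaround quoted above (unregistering the HCP protocol handler, which is also what the earlier "disable the hlp resource locator" suggestion amounts to) is something an admin can audit and apply without waiting for the Fix it tool. The following is an added example, not code from the thread, from the article, or from Microsoft's Fix it tool. It assumes the hcp: handler is registered under HKEY_CLASSES_ROOT\HCP (the key Microsoft's manual workaround removed; that path is not stated on this page), that PowerShell is installed on the XP box, and that the script runs with administrative rights.

```powershell
# Added example: audit the hcp: protocol handler registration and, with -Unregister,
# back the key up and remove it so a security update can be applied later and the
# handler restored. Assumed: handler lives under HKEY_CLASSES_ROOT\HCP; run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Unregister,
    [string]$BackupPath = "$env:TEMP\HCP-handler-backup.reg"
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpHandlerState {
    # Returns whether the hcp: handler is registered and, if so, the command it launches.
    if (-not (Test-Path -LiteralPath $hcpKey)) {
        return [pscustomobject]@{ Registered = $false; Handler = $null }
    }
    $cmd = Get-ItemProperty -LiteralPath "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Registered = $true
        Handler    = if ($cmd) { $cmd.'(default)' } else { '(no shell\open\command value)' }
    }
}

$state = Get-HcpHandlerState
if (-not $state.Registered) {
    Write-Output 'hcp: protocol handler is not registered (workaround already applied, or not applicable on this OS).'
    return
}
Write-Output "hcp: protocol handler is REGISTERED; launches: $($state.Handler)"

if ($Unregister) {
    # Export the key first so the handler can be re-imported once the real fix is installed.
    if (Test-Path -LiteralPath $BackupPath) { Remove-Item -LiteralPath $BackupPath -Force }
    $exportOutput = & reg.exe export 'HKCR\HCP' $BackupPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\HCP failed: $exportOutput" }

    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\HCP', 'Remove hcp: protocol handler registration')) {
        Remove-Item -LiteralPath $hcpKey -Recurse -Force
        Write-Output "Removed HKCR\HCP. Backup saved to $BackupPath; restore with: reg import `"$BackupPath`""
    }
}
```

Run it with no switches to report the current state on a fleet of machines (e.g. through a logon script that writes the output somewhere central), and with `-Unregister -WhatIf` to see what would be removed before committing to it. Keeping the .reg backup matters: Help and Support Center links stop working while the handler is gone, so the key should be re-imported once the vendor update is installed and verified.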
I've just found a way of easily opening and starting your Ford using common household tools.
I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.
No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.
If your Ford gets stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.
Fair enough?
If you were blocking sigs, you wouldn't have to read this.
Because he told Microsoft privately about it, and Microsoft refused to even discuss when they'd be fixing it.
According to TFA, Microsoft told him on 6/7 that by the end of the week they would have a release schedule worked out.
So this guy then releases the exploit on 6/9, 2 days later, only half way through the week.
I think that Ormandy is living a myopic life. Two days for him is like an eternity, so he holds everyone else to his warped view of time. The release of the exploit won't affect his systems, so he thinks that nobody else will be harmed by his actions. His system doesn't require the help center protocol to be functioning, so nobody's system must require it to be running.
During the last article on this on Slashdot, many people decried that Ormandy was acting alone, that Google therefore wasn't responsible for his actions here. But in this round of Slashdot comments you see many people decry that Google's reporting procedures trump Microsoft's.
I think it's bizarre that people will twist their logic up so much just to support their preconceived notions. Very few have taken the stance that Microsoft puts out shitty software AND Ormandy is a little shit that deserves a public stoning. You clearly think that he doesn't, and you are wrong.
Bystanders are going to suffer this month only because both "Microsoft puts out shitty software", and "Ormandy was irresponsible and helped every malware author" is true.
"His name was James Damore."
Let me explain something to all of you “network admins” who still work out of mom and dad’s house. In the real world 5 days isn’t that long, even for only an initial response. I routinely wait two weeks just to get technical callbacks from companies I want to spend money with. I know it’s not as instantly gratifying as your last FRAG but that is the way things work in the real world (not MTV).
I don't like the role of Microsoft apologist, and I think Microsoft has some answering to do since hints of this type of problem have been circulating for quite a while now. However, I don't think most of you even have a clue to the scale and sophistication of the Microsoft security effort. Here is a summary I got from a Microsoft engineer a few years ago.
First they have to reproduce the issue. Then Microsoft contracts 3rd party independent security professionals to rank the significance of each vulnerability. After that they have to debug and code review the existing code to determine if it is vulnerable to more than the original disclosure. Then they need to determine if the problem is a simple buffer overflow or a design problem. If it is a design problem they need to consult with the OS and applications divisions. Then they need to code the fix. After they have a fix they regression test it, not only against their 6 current operating systems and every supported service pack, but against their own huge software library and a massive collection of 3rd party software. That's right, Microsoft tests their updates against 3rd party software to make sure their update does not break your games so you can continue to FRAG your friends. They are not always successful, especially when Google jerks force premature updates, but at least they try. Assuming that everything works correctly the first time around (and anyone who has written more than a few lines of code knows that that NEVER happens), you have a brand spanking new security update 30 to 90 days later.
I don't know how complete this is, and from my experience I suspect Microsoft skips some of the steps for certain types of patches, but the point is that the process of re-writing the vulnerable code is actually the quickest and possibly easiest step in the release process.
Think about the McAfee blunder a few months ago and the millions of dollars companies needed to spend to fix it, and that was just due to a single poorly tested signature update. Last time I remember Microsoft doing something like that was 9 or 10 years ago when they crashed everyone's Exchange server with an OS update.
I'm sure many of you are great coders, but that doesn't give you insight into the world of enterprise development where one mistake can affect 60% of the world's computers.