Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

Dear Microsoft

[QuantumG]

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

Re:Dear Microsoft

[Entrope]

Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

Re:Dear Microsoft

[hedwards]

Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finish, as in finished and received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.

Re:Dear Microsoft

[ArbitraryDescriptor]

Whether it's their idea or not, it's a horrible idea

But at the end of the day, if the customers ask for it, you give it to them.

But like he said, just give them a tool that ques up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them, holding back grandma's critical updates likely does more harm than good.

Re:Dear Microsoft

[westlake]

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Easy to say.

But Win XP has a global market share of 63%. Something like 500 million users - at all skill levels.

What happens to them when you disable part of the help system?

Re:Dear Microsoft

[cbiltcliffe]

But that's their choice.
If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

Everybody else should have the option of installing the updates as soon as they're finished.

But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

Re:Dear Microsoft

[williamhb]

If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

Re:Dear Microsoft

[recoiledsnake]

The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately. Hence it's better to release the patch es as a bundle on a single day.

Re:Dear Microsoft

[BitZtream]

Oh, that makes it okay then!

This kind of behavior is childish at best, but in my opinion borders on criminal.

This bullshit 'oh their security sucks and they are slow' crap is just a battle cry of the ignorant.

Patches need to be thought out, tested and deployed safely.

I realize you probably don't understand what its like to manage a network of computers that actually has to work reliably rather than be running the latest bleeding edge, just released 20 minutes ago software.

If they 'fix the bug' and break mission critical apps for enough people its effectively worse than being exploited in many cases.

As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.

There really is no good reason for public disclosure before an exploit is fixed, saying your doing it to force their hand is just a different way of saying 'I want to attention for making them look bad'. It really doesn't impress anyone outside of slashdot and the like.

Re:Dear Microsoft

[LinuxAndLube]

When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do, nothing more, nothing less. Every bounds is checked, every possible input is tested, every loop, every condition.

You're being sarcastic, no? Even if the input consists of nothing more that a couple of integers, you cannot test all possible combinations. Besides, even if you had unlimited resources, you cannot get around the halting problem.

Re:Dear Microsoft

[dhavleak]

I think you're oversimplifying.
.

On getting notified of the issue, MS would have to make an assessment -- how many systems have the feature, how often is this feature used, how complicated would it be to develop an exploit, is there currently an exploit in the wild, what is the result of the exploit (data loss, denial of service, admin access, etc.), are there any mitigating factors, how much time would it take to develop a fix, how much time would it take to test the fix, etc. Rolling back a second -- they first have to route the issue to the right people for making these evaluations. This would hold true for each and every single security issue that gets reported to them, or that they find themselves.
.

Now consider that Ormandy's issue is not the first, last, or only security issue ever reported to them, or the only one they are currently working on. In fact, out of all the current issues they are working on, there might have been others with easier exploits or exploits already out in the wild, or affecting a larger number of people, or with worse implications. This is a big deal for sure -- but it's actually reasonable to believe that this wasn't the single most important, drop-everything-now, priority zero, severity zero security issue on MS's plate right now.
.

That being the case, Ormandy should have gone through the 'system'. If, after 60 days if he didn't get a response he liked and then forced MS's hand, he would have had some semblance of a point. The way he acted, I can only conclude that he wanted his 15 minutes of fame, and he doesn't give two hoots about the people affected by his irresponsible behavior.

Re:Dear Microsoft

[PsychoSlashDot]

Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.

"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."

If he had done that, there'd be no complaint.

Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?

When and if my customers' PCs get owned by this, I will blame the exploit discoverer. The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days. Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.

Re:Dear Microsoft

[claar]

Back in 'Computer Science 101' we spent a lot of time doing 'internal testing' and 'external testing' of our programs. When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do

Wow... just... wow. I take it you're now in upper-level management? Yes, for *very* small programs, that do *very* little, this is feasible. But when you get to real programs of real world size, this is simply not done (unless you work for NASA).

You came close to hitting the nail on the head with "just don't care enough to allocate the time" -- since I sincerely doubt their customers would care to pay $50,000+ per copy of Windows, and sacrifice the performance, features, and decade(s)-long delays that would be required to accomplish this.

Re:Dear Microsoft

[rtfa-troll]

That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready.

You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.

In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible

That's blackmail.

And that's hyperbole. He is demanding nothing for his own profit.

Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.

"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."

If he had done that, there'd be no complaint.

60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.

Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?

We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.

When and if my customers' PCs get owned by this, I will blame the exploit discoverer.

It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.

The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days.

How do you know it was unknown? There are lots of unexplained break ins to systems. Maybe this has been used almost since the beginning? By withholding the data, he's even putting himself at risk of being silenced by either legal or physical means. It's funny the way you feel the right to demand that he does that to save you a few minutes work.

Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.

You'd maybe be better off. Others would have vulnerabilities they didn't know about not being fixed.

Re:Dear Microsoft

[Monchanger]

That's blackmail.

I do not think that word means what you think it means. He didn't threaten them to achieve gain, his endgame action was of showing his hand , so he's actually gotten rid of his leverage. How exactly do you figure that was an act of blackmail?

When and if my customers' PCs get owned by this, I will blame the exploit discoverer.

This is where your bias and lack of reasoning becomes obvious. The responsibility is always on the one who develops the exploit, or the ones who take advantage of the exploit. Now that you know what to do, if you feel responsible for your customers help them secure their systems, don't sit on your ass blaming other people for your inaction. Everyone here is very sorry you can't be lazy and just wait for Tuesday to "secure" your systems for you.

Researchers are not responsible for the action or lack of action of others and misuse of their research. As is often the case, this researcher's actions were intended for the benefit of the public by bringing to light a vulnerability. Microsoft may not like the fact that their product has been found to once again be insecure, but that's their fault. You Google-haters make it sound like he developed and sold a rootkit. That wasn't Google, that was Sony.

If he'd shut his mouth for a reasonable period of time we'd all be better off.

The problem exactly is the question of what is "reasonable." He thought 60 days was plenty, Microsoft was wishy-washy and noncommittal on even that lengthy timescale. You bring to mind that old saying: "The only thing necessary for evil to prevail is for good men to remain silent." I'm not sure letting Microsoft get away with negligence is appropriate, just as we're not allowing BP to do the same.

Re:Dear Microsoft

[mcgrew]

The exploit had remained unknown for nine years

How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?

Re:Dear Microsoft

[AK+Marc]

If their response is "I don't care about you" then explain why the other person should care about them. From your response, since Microsoft doesn't care about him at all, then he erred by giving Microsoft advanced notification. He should have just released it to the public on the first day.

Microsoft: are you pleased with yourself?

[mrsam]

This is a question that should really be asked of Microsoft

Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.

He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?

If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 a day (in shifts, of course, around the world, in according with their timezones' ordinary business hours), then why not?

Re:This is classic Tavis.

[Sir_Lewk]

The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.

Yeah...

[Greyfox]

Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.

NOT zero day attack.

[slashkitty]

This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

Ormandy did excercise responsible disclosure

[Todd+Knarr]

Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

Re:Ormandy did excercise responsible disclosure

[Todd+Knarr]

Yes, Microsoft's rules for "responsible disclosure" are undoubtably "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.

Re:The bad guys thank you Tavis.

[sohp]

Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.

MicroSilly

[defective_warthog]

BUYER be Aware. Is that enough said? Oh well it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace Yall.

Bullshit

Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publically disclose this vulnerability on day 61, not day 5.

Re:Bullshit

[poetmatt]

its still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

So far, they sure are silent, aren't they.

Re:Bullshit

[Anpheus]

Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Re:Bullshit

[logjon]

It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

Re:Bullshit

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS Software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft has definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.

One other reminder from a helpful coward; Security through Obscurity, is no security at all.

A.C.

Re:Bullshit

[victorhooi]

heya,

Gosh, I love it how people here love to applaud Microsoft on their *spectacular* security record, and demonise all those who would dare to challenge that.

Please, Google already got bitten with Microsoft's shonky products and poor security in the past, my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild, so they might as well get it out there, so that at least people could be aware of it. It's a public service, for crying out loud.

Remember, just because Ormandy was the first to publicise the exploit, certainly doesn't mean that he was the first to find it. In fact, statistically, the odds are stacked quite against that. Look, full-disclosure has already been proven to be the method that works. And shonky vendors, who are too lazy to look after their users will try and demonise full-disclosure all they like, but at the end of the day, it just looks like them covering their behinds.

You can come out and be a stupid little prat and insult Ormandy all you want, but at the end of the day, you've done...err...squat? I don't remember seeing any security disclosures published by "hairyfeet". Compare to him, and other security researches, I have a feeling both you and I know squat all. I certainly couldn't have found the exploit, even if I was looking.

At least this way, people *know* about the exploit, and it's visible. Better the devil you know, than the one you don't, and all that. Look, if your computer got hit with a drive-by-exploit, and you *didn't* know about about it, are you honestly telling me you'd be happier? You should be thanking security researchers like this, who shine a light on the swiss cheese that is Microsoft's security (yes, this is Windows XP, so perhaps things have improved. I'm not in a position to comment).

Cheers,
Victor

Re:Bullshit

[10101001+10101001]

... and he then went on to release a hotfix which didn't actually fix the bug.

Did you expect him to release a patch to uninstall Windows? It is, after all, pretty much a mindset flaw in design that allows for the exploit. In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE. Given that IE is very much an outward facing system, this means that vast parts of Windows which would otherwise be protected with simple security considerations now have to contend with otherwise irrelevant exploits. And because these extensions are grouped together, anyone who takes advantage of any one feature offered becomes vulnerable to any vulnerability in any extension (hence, Firefox and Opera are vulnerable because they apparently take advantage of Windows' protocol handling).

And what has Microsoft's response been to these problems? Whitelists. Zones. Javascript smudging to try to avoid XSS exploits. Some extra compilation options and stack protection. It's like trying to turn a strainer into a boat by patching all the holes.

Re:Bullshit

[Mr.+Freeman]

"And he expects them to drop everything just to deal with him?"

Of course not. He expects them to fix their software. There's a difference. It's not his fault there's a fucking bug. Microsoft doesn't have to deal with "him". They just have to deal with their software.

Re:Bullshit

And he expects them to drop everything just to deal with him?

No, he expected them to "make a commitment" to fix it within a reasonable time. But -- oh, no -- you don't treat the grandees at MS that way, even if it's a reasonable request. They'll address the problem in their own, royal, good time.

Well, fuck them -- he showed them what pressure can mean. Good for him.

Re:Bullshit

[rtfa-troll]

It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.

The fact that the vulnerability was know about for five days, but the vulnerable people were not told put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.

Re:Bullshit

[Patch86]

Last I heard, XP still had about 60% market share to Win7's 10%. I'd say that should dictate where their priorities are, seeing as that is where all their customers are.

(Oblig.). If Ford had sold 1 million Focus's which are now being driven, but have now released a new version and sold only a few thousand, which one should be the safety priority? The new one (should have upgraded, you jerks!), or the one which is most used on the road?

Re:Bullshit

[drsmithy]

In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.

Re:Bullshit

[Kalriath]

In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

Wrong, wrong wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X. I'm so sick of hearing bullshit like that spouted all over the place.

Re:Bullshit

[bloodhawk]

windows XP has already been discontinued, it is in support mode only. Extended support ends April 8 2014.

Re:Bullshit

[poetmatt]

so keeping it secret keeps it safer how exactly? when both the malware developers already know about it and are exploiting it?

Does it make you feel safer?

It sure doesn't give you any real safety.

Before this was disclosed, it may have been well known and exploited already. So how is this any different?

Re:This is classic Tavis.

[Sir_Lewk]

You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.

Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption, the only safe assumption is to assume that you are not the first to find it, and the only way to minimalize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.

Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.

Re:The bad guys thank you Tavis.

[QuantGuy]

There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:

• On Bluetooth phone viruses, apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
• On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
• On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.

Re:The elephant in the room

[dangitman]

Begging the question: was it Slashdot?

No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.

Re:The bad guys thank you Tavis.

[sohp]

It only seems contradictory for people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips of the consumers and transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.

Conspiracies? Let us have some

[symbolset]

Google could probably release an exploit like this every day if they wanted to - or ten of them. They index the Internet, and that includes the nasty corners where such things are as common as rude pictures on 4chan. Why should they care? They don't use Windows internally any more.

Re:The bad guys thank you Tavis.

I'm not sure the analogy is a good one.

This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?

The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it, I'm tired of our society putting off problems until further down the road when it becomes the 800 lb gorilla, with bigger consequences and now impossible to ignore.

Since I've been modded down...

[ratboy666]

And I really don't understand why, I'll quote the article

"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."

So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).

Re:Since I've been modded down...

[drzhivago]

Of course it was fixed two months sooner. It was out in the wild, whereas beforehand it was not.

A security exploit that's readily known is going to be a much higher priority than one that isn't.

Re:Since I've been modded down...

[PsychoSlashDot]

This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.

That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.

Users and admins both lose here.

Re:Since I've been modded down...

[Kijori]

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

That's only true if you think that the timing of the Google engineer's release of the hole and people beginning to exploit it is entirely coincidental. On the other hand if you think there might be a causal link to explain the exploit appearing shortly after he told everyone how to exploit it, admins are in fact more vulnerable now.

And comparing the "response times" is only possible if you think that the two responses - releasing a hotfix that removes functionality and releasing an update that fixes the problem - are identical. If the security update comes out in the near future then all the Google engineer has done is inconvenience users by forcing Microsoft to remove functionality that otherwise would not have been a risk in the window before a patch was released.

Dear Ford Owner

[Rogerborg]

I've just found a way of easily opening and starting your Ford using common household tools.

I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.

No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.

If your Ford gets being stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.

Fair enough?