Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

Dear Microsoft

[QuantumG]

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

Re:Dear Microsoft

[Entrope]

Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

Re:Dear Microsoft

[hedwards]

Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finish, as in finished and received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.

Re:Dear Microsoft

[ArbitraryDescriptor]

Whether it's their idea or not, it's a horrible idea

But at the end of the day, if the customers ask for it, you give it to them.

But like he said, just give them a tool that ques up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them, holding back grandma's critical updates likely does more harm than good.

Re:Dear Microsoft

[cbiltcliffe]

But that's their choice.
If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

Everybody else should have the option of installing the updates as soon as they're finished.

But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

Re:Dear Microsoft

[williamhb]

If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

Re:Dear Microsoft

[recoiledsnake]

The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately. Hence it's better to release the patch es as a bundle on a single day.

Re:Dear Microsoft

[PsychoSlashDot]

Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.

"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."

If he had done that, there'd be no complaint.

Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?

When and if my customers' PCs get owned by this, I will blame the exploit discoverer. The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days. Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.

Microsoft: are you pleased with yourself?

[mrsam]

This is a question that should really be asked of Microsoft

Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.

He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?

If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 a day (in shifts, of course, around the world, in according with their timezones' ordinary business hours), then why not?

Re:This is classic Tavis.

[Sir_Lewk]

The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.

Yeah...

[Greyfox]

Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.

NOT zero day attack.

[slashkitty]

This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

Ormandy did excercise responsible disclosure

[Todd+Knarr]

Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

Re:Ormandy did excercise responsible disclosure

[Todd+Knarr]

Yes, Microsoft's rules for "responsible disclosure" are undoubtably "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.

Re:The bad guys thank you Tavis.

[sohp]

Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.

Bullshit

Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publically disclose this vulnerability on day 61, not day 5.

Re:Bullshit

[poetmatt]

its still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

So far, they sure are silent, aren't they.

Re:Bullshit

[Anpheus]

Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Re:Bullshit

[logjon]

It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

Re:Bullshit

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS Software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft has definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.

One other reminder from a helpful coward; Security through Obscurity, is no security at all.

A.C.

Re:Bullshit

[victorhooi]

heya,

Gosh, I love it how people here love to applaud Microsoft on their *spectacular* security record, and demonise all those who would dare to challenge that.

Please, Google already got bitten with Microsoft's shonky products and poor security in the past, my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild, so they might as well get it out there, so that at least people could be aware of it. It's a public service, for crying out loud.

Remember, just because Ormandy was the first to publicise the exploit, certainly doesn't mean that he was the first to find it. In fact, statistically, the odds are stacked quite against that. Look, full-disclosure has already been proven to be the method that works. And shonky vendors, who are too lazy to look after their users will try and demonise full-disclosure all they like, but at the end of the day, it just looks like them covering their behinds.

You can come out and be a stupid little prat and insult Ormandy all you want, but at the end of the day, you've done...err...squat? I don't remember seeing any security disclosures published by "hairyfeet". Compare to him, and other security researches, I have a feeling both you and I know squat all. I certainly couldn't have found the exploit, even if I was looking.

At least this way, people *know* about the exploit, and it's visible. Better the devil you know, than the one you don't, and all that. Look, if your computer got hit with a drive-by-exploit, and you *didn't* know about about it, are you honestly telling me you'd be happier? You should be thanking security researchers like this, who shine a light on the swiss cheese that is Microsoft's security (yes, this is Windows XP, so perhaps things have improved. I'm not in a position to comment).

Cheers,
Victor

Re:Bullshit

[10101001+10101001]

... and he then went on to release a hotfix which didn't actually fix the bug.

Did you expect him to release a patch to uninstall Windows? It is, after all, pretty much a mindset flaw in design that allows for the exploit. In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE. Given that IE is very much an outward facing system, this means that vast parts of Windows which would otherwise be protected with simple security considerations now have to contend with otherwise irrelevant exploits. And because these extensions are grouped together, anyone who takes advantage of any one feature offered becomes vulnerable to any vulnerability in any extension (hence, Firefox and Opera are vulnerable because they apparently take advantage of Windows' protocol handling).

And what has Microsoft's response been to these problems? Whitelists. Zones. Javascript smudging to try to avoid XSS exploits. Some extra compilation options and stack protection. It's like trying to turn a strainer into a boat by patching all the holes.

Re:Bullshit

[Mr.+Freeman]

"And he expects them to drop everything just to deal with him?"

Of course not. He expects them to fix their software. There's a difference. It's not his fault there's a fucking bug. Microsoft doesn't have to deal with "him". They just have to deal with their software.

Re:Bullshit

[rtfa-troll]

It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.

The fact that the vulnerability was know about for five days, but the vulnerable people were not told put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.

Re:Bullshit

[Patch86]

Last I heard, XP still had about 60% market share to Win7's 10%. I'd say that should dictate where their priorities are, seeing as that is where all their customers are.

(Oblig.). If Ford had sold 1 million Focus's which are now being driven, but have now released a new version and sold only a few thousand, which one should be the safety priority? The new one (should have upgraded, you jerks!), or the one which is most used on the road?

Re:Bullshit

[drsmithy]

In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.

Re:This is classic Tavis.

[Sir_Lewk]

You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.

Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption, the only safe assumption is to assume that you are not the first to find it, and the only way to minimalize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.

Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.

Re:The bad guys thank you Tavis.

[QuantGuy]

There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:

• On Bluetooth phone viruses, apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
• On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
• On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.

Re:The elephant in the room

[dangitman]

Begging the question: was it Slashdot?

No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.

Re:The bad guys thank you Tavis.

I'm not sure the analogy is a good one.

This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?

The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it, I'm tired of our society putting off problems until further down the road when it becomes the 800 lb gorilla, with bigger consequences and now impossible to ignore.

Since I've been modded down...

[ratboy666]

And I really don't understand why, I'll quote the article

"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."

So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).

Re:Since I've been modded down...

[PsychoSlashDot]

This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.

That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.

Users and admins both lose here.