Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
That's the thing: MS cries and whines whenever they're outed for being insecure, but when they aren't, it seems to take an interminable period of time for them to actually patch the bug. Now, were they taking it super seriously so as not to introduce a new flaw, that would be understandable. The problem, though, is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until Patch Tuesday and hope that nobody notices till then.
The bad guys have been using the flaw for years... it's just the bottom feeders who are allowed by the cartel to have a go now.
5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.
How we know is more important than what we know.
Yeah, he's not nearly as mean as I would be. I would demand actual action within those 5 days... including pushing out a patch to disable the vulnerable code.
How we know is more important than what we know.
I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).
I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there that could have had a bug in it; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more, as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory, he wouldn't have even needed the loophole to avoid the prompt.
Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.
I.O.U One Sig.
It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff... well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.
How we know is more important than what we know.
I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225
From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed Microsoft I would be publishing this advisory in mid August during correspondence (late June) and received no objections."
For some reason they only put it into a service pack and didn't want to release a hotfix. After people got wind of what happened they backdated a hotfix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx
I.O.U One Sig.
So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.
How we know is more important than what we know.
Their big corporate clients asked for/insisted on it. MS released patches (sometimes one day after the other) for decades until the big corps pressured them into a monthly cycle to make the corps' in-house testing easier.
Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? And customers are also to blame because applying a security patch requires a reboot.
Questions raise, answers kill. Raise questions to stay alive.
You are assuming his system would be safer, when in fact it is NOT.
DRM? No thanks, I'll just get it somewhere else...
I do believe this proves otherwise. What was a previously unknown bug, not being exploited, has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.
I can tell you've been in corp land.
1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so what does it matter whether the patch is released on Thursday or Tuesday? You can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft's.
So overall, you would rather Microsoft held things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.
I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.
And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?
I wouldn't have been surprised if it was actually one of the ad servers the site uses.
Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it, though, because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft, and Microsoft likes to gag everyone in those partnerships who dares to speak against them.
Microsoft will not fix obscure problems even if you report them; they must be sitting on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawback of closed source: nobody will know the problem exists, but nobody will be around to fix it either.
Custom electronics and digital signage for your business: www.evcircuits.com
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him you'd be following. If your enemy won't negotiate, forgo the threats and simply proceed with the plans you made for that contingency.
At least you and Ormandy got a response. My group found a security hole in the OSPF router in Windows 2000 Server around 2003. We sent the details to Microsoft and we never got a response. You would think a security report from the Canadian military would at least rate a "we have received your report and are investigating".
Atlas stands on the earth and carries the celestial sphere on his shoulders.
As I said in last week's Google/XP story (which Slashdot's search engine can't find for some reason), I have no tears for Microsoft. I've hated them since the 1980s. And not just because I go around hating inanimate objects, but because they have produced inferior products that were 5-10 years behind superior products from Atari, Commodore, and Apple. They've also done everything short of murder to eliminate competition (block them from running in Windows 3/4, or sue them in court until they were bankrupted). "Embrace a standard, Extend the standard with MS proprietary features, and then Extinguish our partners" has been their motto since 1990.
In recent years Microsoft has produced some quality products... XP (NT 5.x) and Seven (NT 6.1)... so I'll give them credit for improving, but they still have a long way to go. Anything that hurts Microsoft and helps restore competition to the computer marketplace is a positive in my book.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
The right thing to do would have been:
1. Try to negotiate a timeline. When that fails (say in 3-4 days):
2. Suggest that MS disable the hlp resource locator immediately. When that advice is ignored:
3. Ultimatum to MS: existence of flaw will be disclosed. Give MS the opportunity (2 days) to issue the press release. When that fails to happen:
4. Warn the public of the flaw (no exploit). This will put pressure on MS. (From others too.)
Give a last warning to MS regarding timeline negotiations. If this still does not force MS to cooperate:
5. Disclose the exploit 3 days later.
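Two posts above ask for the same concrete mitigation: the earlier one asks why Microsoft didn't push "that command" out via Windows Update, and the numbered proposal just above suggests disabling the help protocol handler outright. The hcp: protocol is dispatched through its registration under HKEY_CLASSES_ROOT\HCP, so the stopgap an administrator can apply is to export that key and remove it until the patch lands. The script below is an added example written for this page, not code from Microsoft, the thread, or any advisory; it assumes the handler lives at HKCR\HCP with the usual shell\open\command subkey, and that PowerShell is installed on the XP or Server 2003 host (it is not there by default). Verify the key on the target machine before relying on it.

```powershell
# Added example (not from the thread): audit the hcp: URL protocol handler and,
# with -Disable, unregister it after taking a registry backup.
# Assumption: the handler is registered under HKCR\HCP (standard location on
# XP / Server 2003); adjust $HcpKey if your build differs.
param(
    [switch]$Disable
)

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$CommandKey = Join-Path $HcpKey 'shell\open\command'
$BackupFile = Join-Path $env:TEMP 'HCP-handler-backup.reg'

if (-not (Test-Path $HcpKey)) {
    Write-Host 'hcp: protocol handler is not registered; nothing to do.'
    return
}

# Report what the handler currently launches, so the audit log shows the
# exact command line (normally helpctr.exe with the URL passed as %1).
$launch = (Get-ItemProperty -Path $CommandKey -ErrorAction SilentlyContinue).'(default)'
Write-Host "hcp: handler is registered."
Write-Host "  launch command: $launch"

if (-not $Disable) {
    Write-Host 'Re-run with -Disable to unregister the handler (backup is taken first).'
    return
}

# Back up the key so it can be restored with "reg import" once the real fix is
# installed. reg.exe export refuses to overwrite, so clear any stale backup.
if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
& reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    Write-Error "Backup to $BackupFile failed; not removing the handler."
    return
}

# Removing the key means hcp:// links (Help and Support Center) stop working
# system-wide, which is the intended trade-off for a drive-by vector.
Remove-Item -Path $HcpKey -Recurse -Force
Write-Host "Removed HKCR\HCP. Backup saved to $BackupFile"
Write-Host "Restore later with: reg import `"$BackupFile`""
```

Run it from an elevated shell; without `-Disable` it only reports whether the handler is present and what it launches, which is enough to check a fleet. Because the key is removed rather than edited, Help and Support Center stops answering hcp: links entirely until you re-import the backup after patching.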
Companies like Microsoft don't allow outside hackers/security experts to set expectations and timelines for them. Any patch has to go through a lot of project management and release delivery coordination, testing etc. Why would the hacker demand satisfaction except for his own publicity and credit? Why would Microsoft oblige him? I certainly wouldn't.