Slashdot Mirror


Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

7 of 497 comments

  1. Re:Dear Microsoft by hedwards · · Score: 5, Interesting

    That's the thing: MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they taking it super seriously so as not to introduce a new flaw, that would be understandable. The problem, though, is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until Patch Tuesday and hope that nobody notices till then.

  2. hcp protocol by shird · · Score: 4, Interesting

    I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

    I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There were heaps of code that a bug could have been in; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more, as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory, he wouldn't have even needed the loophole to avoid the prompt.

    Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

    --
    I.O.U One Sig.
  3. Re:Microsoft: are you pleased with yourself? by QuantumG · · Score: 3, Interesting

    It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff... well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

    --
    How we know is more important than what we know.
  4. Re:5 days spent trying to get a fix within 60 days by shird · · Score: 4, Interesting

    I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225

    From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed Microsoft I would be publishing this advisory in mid August during correspondence (late June) and received no objections."

    For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they back-dated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx

    --
    I.O.U One Sig.
  5. Re:Ormandy did exercise responsible disclosure by MeNeXT · · Score: 3, Interesting

    You are assuming his system would be safer, when in fact it is NOT.

    --
    DRM? No thanks, I'll just get it somewhere else...
  6. Re:Dear Microsoft by b4dc0d3r · · Score: 3, Interesting

    I can tell you've been in corp land.

    1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
    2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
    3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
    4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.

    So overall, you would rather Microsoft hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.

    I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.

    And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

  7. Re:Dear Microsoft by guruevi · · Score: 5, Interesting

    Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

    Microsoft will not fix obscure problems even if you report them - they must be sitting on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawback of closed source - nobody will know the problem exists, but nobody will be around to fix it either.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com