Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

Re:Dear Microsoft

[hedwards]

That's the thing MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until patch Tuesday and hope that nobody notices till then.

hcp protocol

[shird]

I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there could have been a bug in, I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

Re:5 days spent trying to get a fix within 60 days

[shird]

I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225

From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
Microsoft I would be publishing this advisory in mid August during
correspondance (late June) and received no objections."

For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they back dated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx

Re:Dear Microsoft

[guruevi]

Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.