Slashdot Mirror
Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Not to mention Mr Google Douchebag told them on the weekend before patch Tuesday which is the absolute WORST time they could possibly be told, with everyone on crunch time trying to get the QA done before releasing the patches to the public. And he expects them to drop everything just to deal with him? What an asshole.
I don't care WHO the vendor is, there should be at least 30 days warning given before public disclosure of an exploit like this. Is Google gonna pay for all those infected PCs to get cleaned up? Considering their employee only gave FIVE days before releasing into the wild they should. I don't care which OS you use, Windows, OSX, Linux, this is bad for ALL of us, as these newly infected computers will slow down the Internet and clog servers with spam, and that affects everyone!
ACs don't waste your time replying, your posts are never seen by me.
No, damning of Microsoft.
All that was asked of the vendor was to come up with a firm time-line for a fix. If that was NOT forthcoming, the only responsible action is FULL IMMEDIATE DISCLOSURE.
The idea of allowing a vendor some time for a patch is to attempt to contain damage. And this assumes that the vulnerability is not already found by someone else. If the vendor refuses to commit, then that strategy is fatally flawed. The only recourse is to publish, and give an opportunity for the services, OSs, whatever, to be taken down by responsible administrators.
Without a time-line, the actual impact cannot be assessed. And, given that Google has been burned by a defect recently, they should be expected to be quite sensitive to the impact of these defects.
To rephrase -- Microsoft played chicken, and lost.
Just another "Cubible(sic) Joe" 2 17 3061
A bug for an OS which is two versions behind current and almost a decade old, should not be higher priority than fixing current versions of the software. 5 days is also far too short a time for a company the size of Microsoft to even get a team together to look at the problem, let alone come up with an adequate solution, properly test that solution, distribute that solution and get that solution tested and deployed by customers.
This guy was a dickhead and if he'd done it to anyone other than Microsoft he'd have been burned at the stake, ffs 5 days?
The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately.
Naa, those guys are just script kiddies. They are annoying, but anyone on their toes will not actually be bothered by them.
The REAL bad guys have been using holes such as this SINCE DAY ONE as one of many tools to gain access to any XP or newer system.
The real bad guys do not share such information with each other, let alone anyone else. There is little to no opportunity for any of us to defend against these people.
Today they have one less tool for unfettered access on the worlds systems, and you think this is a bad thing because some script kiddies will now be using an attack you can defend against?
To the rest of us, this means keeping everyone out. :(
If your biggest concern is the script kiddies however, then I fear for your networks security
There's a difference between finding an exploit and making exploit code public before any company with a widely distributed product could possibly react.
He's no better than a malware developer. At least they tend to keep their code secret. There will always be bugs and exploits in any code.
XP was released 10 years ago and people upgrade their computers much more frequently than they buy new cars.
If it was a model of car that was 30 years old and someone found a serious safety problem, the unanimous verdict would be to buy a new, modern car.
"This kind of behavior is childish at best, but in my opinion borders on criminal."
You think that exposing a problem with software is "borderline criminal"? When a vulnerability like this gets released it will generally result in the creation of some kind of malware. You seem to think that the solution is simply to make it illegal to know about it.
I realize that you probably don't understand what it's like to manage a network of computers that actually has to work reliably without relying on the vendor to do all your work for you, but it's your job to disable vulnerable services and properly secure your network. It's not the vendor's job to make sure that your machines work, and it sure as hell isn't the general public's job to remain silent about the security holes in your system.
It's almost as if you don't think that the vulnerability will be used if it's not disclosed. It's like you think that this is the only guy that could ever fucking find such a bug. Seriously, if it's not publicly disclosed then the only people with access to it are going to be the people that will use it to completely fuck you sideways. I'd prefer it gets released and a bunch of script kiddies try to make it into some easy to prevent malware so it gets patched rather than leave it only in the hands of those that know how to use it to its full potential.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
I just can't sit and read this entire discussion - time is short today.
I've read enough MS Fanboi whining to get their spin.
I've read enough MS haters to get their spin.
I've read several reasonable, middle of the road posts.
I've even read a couple of the off-topic racist bullshit posts.
Bottom line, to me, is that Microsoft brought this upon themselves when they enabled the browser to run the operating system. They created more vulnerabilities with that gimmick, than an army of security specialists have been able to close in a decade. A freaking ARMY of security people have been working with Windows XP for almost forever.
Come on, Microsoft. Just disable all the stupid bullshit. Issue a security update that disables IE from doing ANYTHING more than browsing the web. Let it have access to Java, Flash, and the other standard plugins - and nothing more. Anything facing the web should be as UN-privileged as possible, and still do it's job. You know it, we know it, everyone knows it - so MAKE IT HAPPEN!!
Meanwhile - people should really consider upgrading to Linux. Those who are stupider than me, should upgrade to Win7. (Hey, seriously folks, I'm not a physicist, a rocket scientist, a biologist, or even a meteorologist, and I figured Linux out!)
And, oh yeah. Fuck Microsoft, fuck Bill Gates, and fuck that chair throwing baboon who has replaced Gates. I never liked any of them. The next serious exploit to be discovered, I hope they give Microsoft only 48 hours. Bunch of douches.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br