Slashdot Mirror


Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

15 of 497 comments

  1. The bad guys thank you Tavis. by Anonymous Coward · · Score: -1, Troll

    Tavis Ormandy is an ass. 5 days isn't much time to wait before releasing this crap on the rest of us.

  2. This is classic Tavis. by Anonymous Coward · · Score: -1, Troll

    He's the poster child for irresponsible disclosure. For Open Source bugs, he likes to hand them to Brad Spengler and blame vendor-sec for the leaks.

  3. bring it by Anonymous Coward · · Score: -1, Troll

    Well.. to the m$oft fan boys- suck me- Let me tell you, No other company but Msoft can release a pile of shit like this one. Just today I boot to play EQ2- The only time I'm on this turd of an os and hey! No sound! wow- reboot and guess what- sound! ohh but the network's down-- reboot and everything's up and fine-- then 10 minutes into it- sound goes out again. just to be sure- reboot into Ubuntu- no issue at all- reboot again into SuSE and wow, no problems. reboot into fucking windows and -haha-- no network... FUCK this thieving shit selling company! Why can't the fucking world see this shit for what it is? SHIT, nothing more.

  4. Re:Dear Microsoft by wangbangersanonymous · · Score: -1, Troll

    basically, what you wanted to say is, "I'm a fat whiny bitch." Correct?

  5. Re:Ormandy did exercise responsible disclosure by Daltorak · · Score: -1, Troll

    I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk

    So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS and presumably was never exploited in all that time, but now, all of a sudden some guy decides that it's vitally important to announce to the world, just a few days after submitting the bug report, that HEY EVERYONE, THERE IS AN EXPLOIT, AND HERE IS HOW YOU USE IT.

    Had he kept his mouth shut, your systems would be safer.

  6. Re:Bullshit by hairyfeet · · Score: 0, Troll

    Not to mention Mr Google Douchebag told them on the weekend before patch Tuesday which is the absolute WORST time they could possibly be told, with everyone on crunch time trying to get the QA done before releasing the patches to the public. And he expects them to drop everything just to deal with him? What an asshole.

    I don't care WHO the vendor is, there should be at least 30 days warning given before public disclosure of an exploit like this. Is Google gonna pay for all those infected PCs to get cleaned up? Considering their employee only gave FIVE days before releasing into the wild they should. I don't care which OS you use, Windows, OSX, Linux, this is bad for ALL of us, as these newly infected computers will slow down the Internet and clog servers with spam, and that affects everyone!

    --
    ACs don't waste your time replying, your posts are never seen by me.

  7. Damning of Ormandy? by ratboy666 · · Score: 0, Troll

    No, damning of Microsoft.

    All that was asked of the vendor was to come up with a firm time-line for a fix. If that was NOT forthcoming, the only responsible action is FULL IMMEDIATE DISCLOSURE.

    The idea of allowing a vendor some time for a patch is to attempt to contain damage. And this assumes that the vulnerability is not already found by someone else. If the vendor refuses to commit, then that strategy is fatally flawed. The only recourse is to publish, and give an opportunity for the services, OSs, whatever, to be taken down by responsible administrators.

    Without a time-line, the actual impact cannot be assessed. And, given that Google has been burned by a defect recently, they should be expected to be quite sensitive to the impact of these defects.

    To rephrase -- Microsoft played chicken, and lost.

    --
    Just another "Cubible(sic) Joe" 2 17 3061

  8. Re:Bullshit by Eskarel · · Score: 0, Troll

    A bug for an OS which is two versions behind current and almost a decade old, should not be higher priority than fixing current versions of the software. 5 days is also far too short a time for a company the size of Microsoft to even get a team together to look at the problem, let alone come up with an adequate solution, properly test that solution, distribute that solution and get that solution tested and deployed by customers.

    This guy was a dickhead and if he'd done it to anyone other than Microsoft he'd have been burned at the stake, ffs 5 days?

  9. Re:Dear Microsoft by dissy · · Score: 0, Troll

    The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately.

    Naa, those guys are just script kiddies. They are annoying, but anyone on their toes will not actually be bothered by them.

    The REAL bad guys have been using holes such as this SINCE DAY ONE as one of many tools to gain access to any XP or newer system.
    The real bad guys do not share such information with each other, let alone anyone else. There is little to no opportunity for any of us to defend against these people.

    Today they have one less tool for unfettered access on the world's systems, and you think this is a bad thing because some script kiddies will now be using an attack you can defend against?

    To the rest of us, this means keeping everyone out.
    If your biggest concern is the script kiddies however, then I fear for your network's security :(

  10. Re:Bullshit by abigsmurf · · Score: 0, Troll

    There's a difference between finding an exploit and making exploit code public before any company with a widely distributed product could possibly react.

    He's no better than a malware developer. At least they tend to keep their code secret. There will always be bugs and exploits in any code.

  11. Re:Bullshit by naff89 · · Score: 0, Troll

    XP was released 10 years ago and people upgrade their computers much more frequently than they buy new cars.

    If it was a model of car that was 30 years old and someone found a serious safety problem, the unanimous verdict would be to buy a new, modern car.

  12. Re:Dear Microsoft by Mr. Freeman · · Score: 1, Troll

    "This kind of behavior is childish at best, but in my opinion borders on criminal."

    You think that exposing a problem with software is "borderline criminal"? When a vulnerability like this gets released it will generally result in the creation of some kind of malware. You seem to think that the solution is simply to make it illegal to know about it.

    I realize that you probably don't understand what it's like to manage a network of computers that actually has to work reliably without relying on the vendor to do all your work for you, but it's your job to disable vulnerable services and properly secure your network. It's not the vendor's job to make sure that your machines work, and it sure as hell isn't the general public's job to remain silent about the security holes in your system.

    It's almost as if you don't think that the vulnerability will be used if it's not disclosed. It's like you think that this is the only guy that could ever fucking find such a bug. Seriously, if it's not publicly disclosed then the only people with access to it are going to be the people that will use it to completely fuck you sideways. I'd prefer it gets released and a bunch of script kiddies try to make it into some easy to prevent malware so it gets patched rather than leave it only in the hands of those that know how to use it to its full potential.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.

  13. Re:Bullshit by hairyfeet · · Score: -1, Troll

    Hey dumbass, enjoy spam? Enjoy having the net slowed down by zombies? Hope so, because Mr Douchebag who you are rooting for just gave you tons of slowdown, enjoy moron! As for a time table? Did you miss the Patch Tuesday weekend part? It really would have fucking killed him to wait until Thursday to get a fucking answer? It isn't like Mr. Dipshit hadn't heard of Patch Tuesday, since they have only been doing it for years.

    That is like going to EA a week before Madden release date and expecting the head programmers to drop everything to talk to you. What an elitist asshole. And of course I shouldn't be surprised Anon cowards at /. are cheering, since they spend more time trying to get their fucking bleeding so far fucking edge that the CDs have stigmata Linux distros stable enough they can actually get some work done.

    Yeah, why care about 400 million possible zombies, or the myriad of headaches those of us who actually have to admin and fix them will have to deal with? After all, we could all just drop the millions we have invested in software, most of which have NO equivalent in Linux, spend God knows how much on retraining for an OS that won't do half of what we need, all so we can...what? Whack off to a Bash prompt while dreaming of RMS? Sure it's more secure, so is throwing all the PCs in the garbage and going back to pen and paper, which is what it would be like for most of us that depend on REAL software like Photoshop and Quickbooks to get REAL work done!

    This immature "they wouldn't jump through my hoops fast enough!" bullshit is costing REAL people REAL money, and I personally would be happy if a law was passed that anybody who dropped a bomb like this with less than 60 days warning got stuck with the bill for the ENTIRE cost of cleanup!

    --
    ACs don't waste your time replying, your posts are never seen by me.

  14. Not enough time! by Runaway1956 · · Score: 0, Troll

    I just can't sit and read this entire discussion - time is short today.

    I've read enough MS Fanboi whining to get their spin.

    I've read enough MS haters to get their spin.

    I've read several reasonable, middle of the road posts.

    I've even read a couple of the off-topic racist bullshit posts.

    Bottom line, to me, is that Microsoft brought this upon themselves when they enabled the browser to run the operating system. They created more vulnerabilities with that gimmick, than an army of security specialists have been able to close in a decade. A freaking ARMY of security people have been working with Windows XP for almost forever.

    Come on, Microsoft. Just disable all the stupid bullshit. Issue a security update that disables IE from doing ANYTHING more than browsing the web. Let it have access to Java, Flash, and the other standard plugins - and nothing more. Anything facing the web should be as UN-privileged as possible, and still do its job. You know it, we know it, everyone knows it - so MAKE IT HAPPEN!!

    Meanwhile - people should really consider upgrading to Linux. Those who are stupider than me, should upgrade to Win7. (Hey, seriously folks, I'm not a physicist, a rocket scientist, a biologist, or even a meteorologist, and I figured Linux out!)

    And, oh yeah. Fuck Microsoft, fuck Bill Gates, and fuck that chair throwing baboon who has replaced Gates. I never liked any of them. The next serious exploit to be discovered, I hope they give Microsoft only 48 hours. Bunch of douches.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    1. Re:Not enough time! by cdrguru · · Score: 0, Troll

      Too bad Microsoft sold the idea of ActiveX to corporate America. There are millions of internal corporate applications that rely on ActiveX in the browser, running "privileged" code and writing stuff on the user's disk.

      Microsoft and plenty of other companies use this as well. Yes, ActiveX was a silly idea from a security point of view, but it was "the" killer application that got things moving on the Web for Microsoft.

      ActiveX as a technology allows for virtually unlimited extensibility of the browser. ActiveX enables SaaS through a web page such that the application is downloaded, executed and removed from the computer all in a single step. Obviously it could be misused - and Microsoft seems to have thought that code signing would eliminate that as a problem. Except nobody, not even Microsoft, signs their executables.

      So we have ActiveX: too unsafe for the Internet but just fine for the corporate intranet. Because of this annoying fact it isn't going anywhere anytime soon.