Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Release a hotfix to disable the hlp resource locator, as you should have done as soon as you got the bug report.
Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.
All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.
How we know is more important than what we know.
Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.
Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."
A security flaw being exploited, via the Internet no less ! I am shocked and outraged ! /s
The bad guys have been using the flaw for years; it's just the bottom feeders who are allowed by the cartel to have a go now.
5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.
Google is supposed to learn morals from Microsoft and its toadies?
According to this tweet: http://twitter.com/taviso/status/16005411316, those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.
A day that will live in Ormandy.
This is a question that should really be asked of Microsoft
Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a Rube Goldbergian monster of an operating system? An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.
He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?
If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 hours a day (in shifts, of course, around the world, in accordance with their timezones' ordinary business hours), then why not?
Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.
Begging the question: was it Slashdot?
[/humor]
I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).
I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There were heaps of code that could have had a bug in them; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more, as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.
Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.
I.O.U One Sig.
The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.
Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.
-- these are only opinions and they might not be mine.
Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.
Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.
Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.
So you can disable that service and be at ease that nothing is going to happen to you or your users.
BUYER be Aware. Is that enough said? Oh well, it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace, y'all.
Just a heads up! Your post is self contradictory.
"Full disclosure is the only truly ethical approach to take to protect the consumer," I hear you say. It would seem that full disclosure, in this case, did *not* protect the consumer.
Microsoft may deserve whatever you think it does. The ones most affected are the users, however. And despite how much I hate the average person, they *don't* deserve whatever you think Microsoft does.
There are positives and negatives for full disclosure and non-disclosure. As with anything in life, I like to think that extremes of anything are a bad way to go about things.
Of course, I might also be "pleased with myself" if my employer had a policy of huge bonuses for published zero day exploits. I dunno whether this happens or not, just sayin' I'd be very pleased to get such a bonus, and would work quite hard to try to get another one.
Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publicly disclose this vulnerability on day 61, not day 5.
I don't remember exactly which site, but while looking up some coding-related issues for a VS2010 port all of a sudden Norton Antivirus starts freaking out about malicious programs, then UAC kicked in constantly asking to run cmd.exe, prompting me to reboot. MSHTA.exe was hit with some trojan that tries to root the system. I got lucky with Win7 64 and Norton AV, but yeah, it's weird a source code site would launch this nonsense.
did you forget to take your meds?
The damn thing will be 9 years old this August. It has more holes in it than Swiss cheese. It came with IE6, which most would agree is the most compromised browser of all time. Why are people still using this thing? I work in a call center and about 85-90% of people I deal with are still using Windows XP. Fortunately there seem to be far fewer people using IE6. Considering the amount of trouble they get themselves into (drive-by attacks: "it said click here so I did. Why doesn't my computer work?"), it doesn't really matter what browser they use anyway. The problem here is a lack of basic computer literacy. In my experience the general public has this plug-and-play attitude to computing because they are not forced to learn anything. It makes everything support has to do for a customer that much harder. I don't care if you were stupid enough to click on this popup because it said you have 800 viruses on your computer. Best Buy must be making a killing off these people.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
I do believe this proves otherwise. What was a previously unknown bug, not being exploited has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.
It's not like there aren't thousands of security flaws being exploited in the wild. What's one more, against the convenience of orderly patching?
Help stamp out iliturcy.
My understanding is that Firefox disables hcp:// by default:
network.protocol-handler.external.hcp = false
And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.
Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption; the only safe assumption is that you are not the first to find it, and the only way to minimize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.
Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.
It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Notice something?
If you want to make it a little more accessible, why not something like ``Google-discovered HCP vulnerability exploited?'' Maybe ``Google-found flaw seen in the wild?''
What you have for the headline now sounds about as intelligible as the mock-Slashdot headline that Penny Arcade came up with, ``Linux crypto hackers open-sourced the BSD Microsoft monopoly''
The question is not whether the exploit had been used prior to disclosure. The question is, on what scale has it been used before it, and how wider is that scale now due to disclosure?
Or, simply put, how did the chance of being affected by this increase or decrease for an average user? If it increased significantly, then clearly this "hurts the consumers".
Ok so I can see why someone would inform MSFT and for that matter the world that there is a serious problem with some component in an OS. However, what I don't understand is why he would find it necessary to disclose code to exploit the bug? At that point it becomes a race condition between sysadmins checking/protecting and black hat hackers building malware to take advantage of it.
It only seems contradictory for people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips off the consumers and transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.
Google could probably release an exploit like this every day if they wanted to - or ten of them. They index the Internet, and that includes the nasty corners where such things are as common as rude pictures on 4chan. Why should they care? They don't use Windows internally any more.
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
I reckon that, to some extent, the percentage of "murder by shooting" in the cause-of-death statistics will go very low indeed... while the "manslaughter by shooting" will... so to say... shoot to the sky.
Questions raise, answers kill. Raise questions to stay alive.
Your five megabytes of HOSTS file is probably irrelevant compared to real performance problems. That's not what a HOSTS file is meant for, and you should generally not optimize for the abusive case. Ideally you'd just use your application's native method for dealing with address-blocking, and if you need a blanket block such a huge number of addresses then a local proxy is the way to go, eg. Privoxy.
Micro-optimization is the root of all evil. The way to tune performance is to measure where the biggest problem is, and then reduce that. You do not hone in on a few bytes from a file format. For instance, look at http://en.wikipedia.org/wiki/Amdahl's_law. It's not worth putting even ten minutes of time into something that makes no noticeable difference to just about anybody, when you could spend that time working on a problem that will make a noticeable difference to some people. Therefore, the "math" does not yet support you; at least not given the evidence provided. You have to show that a reasonable HOSTS file used as recommended (or as there is no more reasonable alternative) makes a more significant difference to some important aspect of performance than any other change that could be made as easily.
Now, if you look at the Standard for IPv4 addressing, http://www.ietf.org/rfc/rfc1123.txt, you will see that dotted-decimal notation is required for Standards-compliant IPv4 applications (you can add further restrictions but not relieve restrictions), and if you look at http://tools.ietf.org/html/rfc952, the HOSTS file is required to have all four components. IPv6 does have a summary version in the standard, but I'm sure you won't like what IPv6 does to the size of the average HOSTS file (that is to say, marginally increase it). It's bad to break Web Standards without a really excellent reason. It had better be security, or a performance gain so bountiful and universal that none could fault it, such as when browsers started going to 6 connections per web server rather than 2.
Remove all warning labels and let the problem fix itself
I wouldn't call this approach 'ethical'.
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
I've found that if I report somebody with an illegal weapon it's generally taken care of very quickly, so maybe not the best analogy...
Even on Slashdot, that's the worst analogy I've seen. You're not encouraging people to commit crimes themselves; you're not providing them with equipment needed to do so.
It would be more analogous to letting people know there's a murderer on the loose, and they should be on their guard before you've caught him, instead of holding off on the notification so that you don't look so bad.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
At least now people who would not have known about a potential attack vector can take precautions and be safer without having to wait for Microsoft to introduce more vulnerabilities when they come up with a "fix" for this one.
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant analogies I've ever seen.
It's more like putting up a billboard that says "The most widely used door lock on the market can be easily punched out with a captive bolt pistol"
Knowledge Brings Fear
I'm not sure the analogy is a good one.
This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?
The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it, I'm tired of our society putting off problems until further down the road when it becomes the 800 lb gorilla, with bigger consequences and now impossible to ignore.
And I really don't understand why, I'll quote the article
"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."
So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).
Just another "Cubible(sic) Joe" 2 17 3061
Whether or not it was used or not doesn't matter. The point is, it wasn't WIDELY used.
Lots of people know how to make incredibly toxic gases with household ingredients. Would you then say it's perfectly fine to show a step by step guide telling you how on a prime time TV show?
Just because there's a possibility that a select few may already know something dangerous that doesn't mean it's morally fine to tell as many people as possible.
For a proficient admin you are correct.
But many of them are not, they are occasional admins who don't check FD on a daily basis. If their machines get owned it impacts ME. OTOH, I can wait a little while, I have things for general mitigation of all threats that work a lot of the time with any attack. Layers you know.
This means I want the vendor to be told first so they have a chance to fix all those other machines before the exploit is on s-kiddy release by every two bit crook who thinks they can make a penny.
OTOH, if the vendor doesn't move quickly, I need to know the exploit so I can put in specific mitigations.
It appears that Tavis Ormandy has done this correctly, because Microsoft were reportedly ignoring him.
Google outed this 2 days ago. So it's not Zero-day, is it.
I wrote my first program at the age of six, and I still can't work out how this website works.
He gave them 2.5 times the time that would be needed to get a fix into all major Linux repositories. Maybe they wanted to expose how much slower Microsoft reacts to security threats (i.e. how insecure Windows is, compared to Linux and its descendant Chrome OS).
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Don't you know what ZERO-day means? This is a FIVE-day!
Please don't encourage APK. He posts his hosts file bullshit in every Windows thread in existence.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I have a feeling this isn't the answer you are looking for, but yes.
I also support local public libraries stocking copies of the Anarchist Cookbook. People tend to get overly emotional about this sort of thing, and fail to properly analyze risk.
The kind of people who are mentally unstable enough, and have the drive to carry through a deadly gas attack are also the kind of people who've probably looked it up on the internet already. Teaching your average Joe Schmoe and his grandmother how to do it likely isn't going to raise the likelihood of it actually happening. Besides, if you think about it, we already have several "cold case" shows on television that explain in pretty concise detail how to murder a loved one and throw off the police for decades. This is considered good wholesome entertainment by the general public, so why not throw some chemistry into the mix?
Similarly, anyone who is interested in other forms of domestic terrorism or mischief probably already has a copy of the Anarchist Cookbook, and anyone who pwns Windows boxes for fun or a living no doubt already has a dozen and a half tricks up their sleeve.
TFA mentions a single instance of this exploit in the wild, it hardly seems as though this public disclosure has caused a sudden rash of pwn'ings.
What harm is there in disclosing the website? Especially if it is a FOSS-focused one. That's just wrong.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
I've just found a way of easily opening and starting your Ford using common household tools.
I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.
No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.
If your Ford gets stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.
Fair enough?
If you were blocking sigs, you wouldn't have to read this.
It's incredible (not really) that a tech-related site like Slashdot gets that term wrong over and over again. kdawson, stop fapping to furry porn and get a clue.
I haven't seen anyone link to Microsoft's temporary fix yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.
One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:
"Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."
But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
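Microsoft's manual workaround quoted above comes down to two registry steps: export HKEY_CLASSES_ROOT\HCP so it can be restored later, then delete it. The following PowerShell script is an added example, not Microsoft's Fix it tool and not code posted by anyone in this thread; it performs those two steps with a backup check in between and adds a verification function, so an admin can confirm on a given XP box whether hcp: is still wired up before and after the change. It assumes PowerShell 2.0 or later is installed (XP did not ship with it), that the handler key is HKEY_CLASSES_ROOT\HCP and carries the usual "URL Protocol" marker value, and the backup file name is arbitrary.

```powershell
# Added example: back up and unregister the hcp: protocol handler on XP, then
# verify the handler is gone. This is not Microsoft's Fix it tool; it follows
# the same steps the advisory describes (export the key, then delete it).
# Run from an elevated prompt.
# Assumptions: the handler is registered at HKEY_CLASSES_ROOT\HCP and carries
# the standard "URL Protocol" value; the backup file location is arbitrary.

$HcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$Backup = Join-Path $env:SystemDrive 'hcp-handler-backup.reg'

function Test-HcpHandlerRegistered {
    # True only if HKCR\HCP exists AND is marked as a URL protocol handler.
    # An empty or renamed leftover key does not count, so this reflects whether
    # hcp:// links will still be dispatched to the Help and Support Center.
    if (-not (Test-Path -Path $HcpKey)) { return $false }
    $props = Get-ItemProperty -Path $HcpKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return [bool]($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Output 'hcp: handler is not registered; nothing to do.'
        return
    }
    # Export before deleting so the key can be put back once a real patch ships.
    # XP's reg.exe has no /y switch, so remove a stale backup to avoid a prompt.
    if (Test-Path -Path $Backup) { Remove-Item -Path $Backup -Force }
    & reg.exe export 'HKCR\HCP' $Backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $Backup)) {
        throw 'Backup of HKCR\HCP failed; refusing to delete the key.'
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-HcpHandlerRegistered) {
        throw 'HKCR\HCP is still registered after the delete.'
    }
    Write-Output "hcp: handler unregistered; backup saved to $Backup"
}

function Restore-HcpHandler {
    # Reverse the workaround from the backup once the real update is installed.
    if (-not (Test-Path -Path $Backup)) { throw "No backup found at $Backup" }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import of the HCP backup failed.' }
}

Disable-HcpHandler
```

Running `Test-HcpHandlerRegistered` on its own is the useful part for a fleet: it answers "is hcp: still registered on this machine" without changing anything, which is what you want before and after rolling the workaround out. Note that it only checks the HCP key itself; it says nothing about whether a renamed copy of the key elsewhere under HKCR could be reached some other way, which is the open question raised above about the rename approach.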
In order to believe that Tavis Ormandy is at fault, you have to believe the following:
Based on past history, I would conclude the following:
Had he not gone public, Symantec, Sophos, McAfee and the others would not have added it to their definitions. In point of fact, by disclosing the specific attack profile he made it possible for them to release a protection protocol that much sooner.
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
Lots of people know how to make incredibly toxic gases with household ingredients. Would you then say it's perfectly fine to show a step by step guide telling you how on a prime time TV show?
Yes, of course, absolutely, without question. What possible argument could you make against it? Anyone who wants to hurt people can figure it out on their own. The only effect airing it on TV would have is to make normal people more aware.
Give me Classic Slashdot or give me death!
Microsoft made millions, possibly billions, of XP, but still can't deal with security problems. Instead, let's all point fingers to the guy who made us aware of the threat, just look at how irresponsible he is for warning us! Microsoft on the other hand is big and responsible, why they still give you hundreds of fixes for your lousy system for free, it's not like you bought it expecting functionality and at least a reasonable amount of security. Just don't complain when they decide to stop patching, it's all for your own good.
Hooray for benevolent, responsible Microsoft! Boo for evil, childish hacker!
Analogies don't equal equalities, they are merely somewhat analogous.
An unsubstantiated opinion (if you can call it that) dressed up as a fact.
Let me explain something to all of you “network admins” who still work out of mom and dad’s house. In the real world 5 days isn’t that long, even for only an initial response. I routinely wait two weeks just to get technical callbacks from companies I want to spend money with. I know it’s not as instantly gratifying as your last FRAG but that is the way things work in the real world (not MTV).
I don’t like the role of Microsoft apologist; and I think Microsoft has some answering to do, since hints of this type of problem have been circulating for quite a while now. However I don’t think most of you even have a clue to the scale and sophistication of the Microsoft security effort. Here is a summary I got from a Microsoft engineer a few years ago.
First they have to reproduce the issue. Then Microsoft contracts 3rd party independent security professionals to rank the significance of each vulnerability. After that they have to debug and code review the existing code to determine if it is vulnerable to more than the original disclosure. Then they need to determine if the problem is a simple buffer overflow or a design problem. If it is a design problem they need to consult with the OS and applications divisions. Then they need to code the fix. After they have a fix they regression test it; not only against their 6 current operating systems and every supported service pack, but against their own huge software library and a massive collection of 3rd party software. That’s right, Microsoft tests their updates against 3rd party software to make sure their update does not break your games so you can continue to FRAG your friends. They are not always successful, especially when Google jerks force premature updates, but at least they try. Assuming that everything works correctly the first time around, and anyone who has written more than a few lines of code knows that that NEVER happens, you have a brand spanking new security update 30 to 90 days later.
I don’t know how complete this is, and from my experience I suspect Microsoft skips some of the steps for certain types of patches, but the point is that the process of re-writing the vulnerable code is actually the quickest and possibly easiest step in the release process.
Think about the McAfee blunder a few months ago and the millions of dollars companies needed to spend to fix it, and that was just due to a single poorly tested signature update. Last time I remember Microsoft doing something like that was 9 or 10 years ago when they crashed everyone’s Exchange server with an OS update.
I’m sure many of you are great coders but that doesn’t give you insight into the world of enterprise development where one mistake can affect 60% of the world’s computers.
If you are testing a door, which is supposed to be secure, and determine that there is a flaw which can allow an intruder into the home through some non-obvious bypass mechanism, then you have a responsibility to not divulge that information to someone other than your manager/company, and the company that manufactures the door. Putting a 3rd party or the home owner at risk is negligent. It's the same as not only telling criminals how to bypass the door's obvious security, but also creating a special tool to exploit the non-obvious security flaw. If you were a home owner that owned this door then you have an expectation that the door will operate as expected... not prevent intrusion in every possible case! The fact that someone took it upon themselves to expose you and your family to crime by exposing a non-obvious security flaw is... well, criminal. Tavis Ormandy and Google and Microsoft will probably all get sued if there are real damages that occur. I would even bet that Tavis could face criminal charges, since he didn't allow enough time for the door manufacturer to contact the home owners in order to replace or correct the flaw. I would argue that there is no point in releasing a security flaw, let alone a proof of concept exploit, except for Tavis Ormandy's own glory and "look what I found". It's truly sad.
Bullshit. If I find that Company Z's Security doors are easily bypassed by pressing a lever under the bottom edge of the door, I'll tell everyone I know, publish it on the interwebz, report it to the Better Business Bureau, and send reports to law enforcement at the local, state, and federal levels. If I could afford it, I'd hire a skywriter to write the news over every major city, too. Company Z deserves to go bankrupt and be put out of business for selling a door so easily bypassed.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The very fact that this guy still works at Google proves that the disclosure of the exploit came as a job assignment from his employer. Never till now has Google looked so terminally bad in my eyes. From "do no evil" to releasing exploits into the wild is a short path, it seems. I won't care about the scumbag that did this personally. What troubles me is that Google acts in a harmful manner to a great deal of its users. Acting as a hackers' organization may still be legal if you're a big enough company, as Google is, but it's a sign of who we are dealing with when we search on the internet.
Full disclosure is ONLY the ethical approach when you're working with a bloated company like Microsoft that cannot make commitments to fix problems. I'm head of QA at a software company and when a security problem is discovered in one of our products it is resolved within days, not weeks because I go to the head developer of the product directly for the fix. Our software is used worldwide and we take security very seriously. Of the security bugs I've handled during my time here that were not discovered internally, only one was reported to us privately and we had a fix in 2 days which was pushed out to customers the day after that build passed QA (4 days total for a fix). The rest were published as zero-day exploits online and got the exact same level of attention and focus, which is fixing it immediately.
During the process I stayed in touch with the person who reported it, providing updates and information about what steps we were taking, and also ensured they got credit for the find. I realize that a product like Windows can't be fixed in that short of a time, but the communication is the most important part of this process and it has to assure the bug reporter that their information is being taken seriously and acted upon. The burden here is on the software company, not on the reporter, because that reporter has to gauge their next move based on whether the developers will act on that information appropriately.
If Tavis tried to get a commitment from Microsoft for a fix and was blown off, good on him for reporting this publicly and getting a fire under their asses.
To the security researchers of the world - PLEASE, give the developers a chance to respond before assuming the worst.
Well, you need to be faster. Much faster. As fast as open-source software. Don't say you can't do it: we can.
If this had been reported in open-source software, there wouldn't even be a fix, just a snarky e-mail (about as snarky as your post, actually) saying this was fixed four years ago and telling the user to upgrade. And woohoo, the latest (open-source) version is free! - when you don't count your time to do the upgrade.
Open source software doesn't support 9-year-old codebases; most open-source projects (core developers) only support top-of-trunk and even most open-source vendors (read: those who sell support contracts) only make 3-5 years out.
I've interacted with Microsoft security before. They are quite serious about fixing things, they have standards for what gets fixed on what timeline and they really do follow them, and get back in a REASONABLE amount of time (usually, ~1 week, not 2.5 business days). Generally, they ask whether a bug is being exploited in the wild. If it is, they react fast; if not, they take their time (a thorough investigation, not a rushed investigation), and not the refusal you naively claim.
The problem in parent's logic (and many other self-styled security experts) is assuming that their personal security issue is the single most important issue on the planet and applying scorched-earth tactics to escalate its priority - a sign of megalomania, not of responsible security research. Is a not-in-the-wild exploit more important than an in-the-wild exploit? Is a not-in-the-wild exploit more important than Joe's long-awaited vacation with his kids? Is a not-in-the-wild exploit worth risking breakage due to an unexpected conflict? Your personal answer to all these may be "yes"; it is plain arrogance to force that answer upon everyone else. That's the difference between responsible disclosure and (this Google idiot's) irresponsible disclosure.
A witty [sig] proves nothing. --Voltaire
Your theory as to the rationale behind publication of the exploit is flawed since you can be held as an accomplice to the criminal behavior that results from your release. For example, if you know that someone is going to be at a specific place at a particular time and you knowingly release that information to people who are seeking to do harm to that person, then you are an accomplice to their "means" and "opportunity", and your "motive" falls under the malicious intent category. Clearly the logic of this situation baffles many people as to why it would be questionable to release such information, which is obviously for the good of the public...until the public is harmed by it...then Mr. Tavis Ormandy is no better than the criminals themselves.
There is no logic to your analogy. In your little scenario, I would be party to a conspiracy. In the case of the insecure security doors, I would be making public the fact that the security door company had been ripping people off. The case of Microsoft's vulnerabilities is very much the same as the manufacturer of the insecure security doors.
So, don't even try to equate consumer education with conspiracy to commit murder. You fail, dismally.
I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:
http://news.cnet.com/8301-30684_3-20006509-265.html
Google leaks that they're moving away from Windows, because it's insecure and its use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.
I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?
--
$tar -xvf
In this case, he did not provide the information to just the car owners. He provided it to everyone, including the car thieves along with detailed instructions on how to open and start the car.
That is why your little story fails.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
RE your sig: http://store.apple.com/us/configure/MC438LL/A?mco=MTgxNTgzODA Looks like GNU and DNF need to get with the program.
Google has never been the target of a DDOS, where hundreds of thousands of infected computers are trying to cause real financial damage to it. I'm pretty sure they never will be, either. So why should they care? By not using Windows internally they are automatically protected against such attacks.
Windows XP is released in dozens of languages with support contracts for all of them
If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.
Dewey, what part of this looks like authorities should be involved?
For how long now, you've been told Windows is a car wreck waiting to happen, and when it happens, you cry "Woe is me".
Don't be so pathetic. Keep driving a car with no brakes, and sooner or later you'll wish you had stopped driving it.
I switched cars long ago and haven't looked in the rear view mirror since. (How's that for a car analogy?)
soylentnews.org Go there to enjoy the people!
This is some of the most level-headed commentary on this subject so far. Unfortunately, I don't have mod points.
Someone mod up the parent please.
friends don't let friends teleport drunk
So... We should only fix vulnerabilities when they are widely exploited?
Analogies don't equal equalities, they are merely somewhat analogous.
I cannot see any justification for this; I see no attempt in these comments to troll anyone, merely to lay out a viable explanation to support Mr. Ormandy, finishing with a logical summary of the argument. I'm tempted to meta-mod in hopes of correcting this travesty (though having commented, I'm not likely to be given the opportunity). I see this kind of thing far too often. As several sigs point out, -1 disagree does not exist for a very good reason. Moderation is intended to punish those who are deliberately uncivil or abusive with their comments. -1 Troll, -1 Flamebait, and -1 Overrated are not, and never will be, acceptable substitutes.
Oh, I see. Anyone who disagrees with you is either a malware maker, a webmaster that relies on annoying ads, or a fool.
And you're accusing me of ad hominem attacks. That's rich.
Anyway, you're using hosts files for something they're completely unsuited for, and you're arguing in favour of violating the TCP/IP spec to suit your incompatible use case.
I'm unsurprised that Microsoft ignored you, and frankly were I in their place I'd do the same.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Sorry, but what, 3 working days for a fully regression tested fix? Perhaps MS should release an update that "accidentally" breaks Google, Chrome, Firefox, OpenOffice, Opera and all after five days, then say sorry but we were forced to release an untested patch. Google should get rid of this bloke; he's good at finding things but really this is dreadful behaviour. Do you really think your OS of choice could get a fully tested fix out in the time frame MS was given here? Not some basement dweller who says this is the fix, without realising it breaks some major apps. Look at the howls when MS or Apple release an update and someone's (usually malware infected) machine breaks.
HTML beyond really basic stuff is hard to parse. (That's why it took so long to make near-WYSIWYG editors for it. Our processor/memory specs are just now getting into the ballpark.)
I mean, really hard to parse.
In case I have to spell things out,
R-E-C-U-R-S-I-O-N
for starters. Oh, and
unspecified O-B-J-E-C-T-s. Extensibility.
And, things-that-are-hard-to-parse-are-easy-to-hide-things-that-aren't-supposed-to-be-there-in.
HTML isn't really a bad idea for help documents, but where do you put the walls? Where did Microsoft fail to put the walls?
Shoehorn, whatever, Microsoft was too busy pushing features to take the market over with to build their product responsibly, and they still are.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Nyah nyah, I can't see you, you can't hurt me!
More information to work from.
More flaky interactions to exploit.
Predictability is no substitute for security. It's not even halfway there.
It was already broken.
Software gets developed for paying customers. I work for a web development company. When the client is waiting and there's money to be made, no effort is spared. Once the app is launched, there's no incentive to update anything, even if it's broke - everyone's already started working on the next paying job.
XP is elderly. Vista just plain sucked. Win7 is where the money is - MS's attitude is that if an older product is giving you fits, don't patch it, punt it, and buy something shiny new...
(note that I don't necessarily agree with this approach, it's just 21st century "business ethics")
Ask Me About... The 80's!
I found it self-deprecating.
Long live the BSD license
Mod this fellow up, he is indeed quite correct.
Ogre Wedding Planners llc.
You know what? Screw it. You'll just sit there insulting anyone who disagrees with you because clearly if someone doesn't agree with your bullshit, they're evil.
Go fuck yourself, APK.
For your amusement --
I didn't understand either, so I posted a reply to my own post, going into the argument in more depth. The first post ends up with -1 Troll, and the reply with +5 Informative (beginning with Karma boost +1). Here is the moderation history of those two posts:
Comment Moderation
sent by Slashdot Message System on Thursday June 17, @12:05AM
Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Overrated (-1).
It is currently scored Normal (0).
Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Insightful (+1).
It is currently scored Insightful (2).
Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Interesting (+1).
It is currently scored Interesting (3).
Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Informative (+1).
It is currently scored Informative (4).
Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Insightful (+1).
It is currently scored Insightful (5).
Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Underrated (+1).
It is currently scored Normal (1).
Damning of Ormandy?, posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Troll (-1).
It is currently scored Troll (0).
Since I've been modded down..., posted to Miscreants Exploit Google-Outed Windows XP Zero-Day, has been moderated Overrated (-1).
It is currently scored Insightful (4).
Now, I will tend to believe that final "Overrated" comment -- the argument is obvious and really not that "Insightful", but the WEIRD thing is the first comment was moderated "Overrated" immediately, and it hadn't been rated yet.
+2, Overrated, Underrated, Troll. Now, "Troll" is good for eliminating a post, because that causes a lot of readers to assign a -1 penalty. So, this comment apparently struck a nerve with several people, and I have no clue why. Like I said in my "self-reply", I don't get it. I wouldn't change the post, even if I knew why -- I believe in the argument. I just want some insight into the thinking that went into those moderations.
Still, I actually think the /. moderation system is a "good thing" (tm). But maybe something like a "Spend some Karma to send a message to the moderator" feature might be nice. I don't want to KNOW who the moderator is, but being able to engage a dialog "off-side" (send a message to the moderator, without knowing who it is, being able to engage an email exchange) may be nice. Maybe it should cost some Karma points (2,3,5?) to do so?
I've been mulling this over the past day.
Just another "Cubible(sic) Joe" 2 17 3061
I did note the initial state of your self reply, but I still couldn't comprehend the justification concerning your original post. At least the Mods didn't penalize me for calling them out (particularly considering my relatively high UID). I do agree with your opinion on the moderation system; I was merely objecting to the abuse of the system, not that many mods will likely see it, considering the lateness of my reply. Even if my post is little read, hopefully it affects the few who actually do read it to be more careful. Fortunately, I did not immediately dismiss your thoughts just because they had been unfairly criticized. And thanks for the history of the moderation.
Minor correction; the state of your self reply was +5 when I replied. I'm not sure why I wrote initial in place of that.
A lot of points in your linked post are completely irrelevant. "A large file reads slower than a smaller one". Holy crap, REALLY?!? I also note that your testimonial is from a user who says they "no longer get 100-200 viruses a month, now lucky to get 1-2 viruses". Seriously, if you even get 1 virus a month, you're an idiot that shouldn't even own a computer. I see you also claim a hosts file consumes no CPU. This is simply not true. Parsing the damn thing on every DNS resolution does indeed consume CPU resources (amazingly enough!). And I see that every time he brought up the fact that using "0" as an IP address is a violation of the IPv4 standard, all you can say is essentially "but", and then accuse him of being a malware writer, because he advocates following standards - which any developer should be advocating. Personally, I feel standards should always be followed as well. Look at the last time someone ignored them - it got us 10 years of Internet Explorer 6.
Just so that you have nothing to fuel your ad hominem attacks, I've deliberately avoided insulting you in this post. I've even reduced the profanities to make it more difficult for you. Woohoo! Go hard!
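The hosts-file dispute above turns on one concrete point: whether a blocklist entry may use the bare address "0" instead of a full dotted quad. As an added illustration (not code from either commenter, and not the hosts file they are arguing about), the linter below parses a constructed hosts file and applies the strict rule: an address must be a complete IPv4 dotted quad or an IPv6 literal, so shorthand forms like "0" or "127.1" (which BSD-style inet_aton accepts but stricter parsers do not) are flagged rather than silently mapped. The sample entries, hostnames and the "sinkhole" address set are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample hosts file for this example. It mixes well-formed
# entries, the bare "0" shorthand discussed in the thread, and some
# malformed lines that a careless parser would accept or mis-handle.
SAMPLE_HOSTS = """\
# blocklist excerpt (constructed for this example)
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.net tracker.example.org
0           banner.example.com       # shorthand: not a dotted quad
127.1       shortform.example.com    # inet_aton shorthand, also rejected
10.0.0.256  bad-octet.example.com
127.0.0.1   -leading-dash.example.com
just-one-token
"""

# RFC 1123-style hostname: labels of 1-63 chars, letters/digits/hyphen,
# no leading or trailing hyphen in any label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Addresses treated as "sinkholes" for blocking purposes (assumption).
SINKHOLE_ADDRS = {"0.0.0.0"}


@dataclass
class HostsReport:
    entries: list = field(default_factory=list)   # accepted (address, [names])
    problems: list = field(default_factory=list)  # (line_no, reason)


def parse_address(token):
    """Strict parse: ipaddress only accepts a full IPv4 dotted quad or an
    IPv6 literal, so "0" and "127.1" come back as None instead of 0.0.0.0
    / 127.0.0.1 the way inet_aton would expand them."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def lint_hosts(text):
    """Parse hosts-file text, keeping valid entries and recording why each
    rejected line was rejected."""
    report = HostsReport()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            report.problems.append((line_no, "expected ADDRESS NAME [NAME...]"))
            continue
        addr_tok, names = fields[0], fields[1:]
        addr = parse_address(addr_tok)
        if addr is None:
            reason = "address %r is not a full IPv4 dotted quad or IPv6 literal" % addr_tok
            # Digits with fewer than three dots is the inet_aton shorthand
            # family ("0", "127.1"); resolvers disagree on how to read it.
            if addr_tok.replace(".", "").isdigit() and addr_tok.count(".") < 3:
                reason += " (inet_aton-style shorthand; resolvers disagree on it)"
            report.problems.append((line_no, reason))
            continue
        bad = [n for n in names if not HOSTNAME_RE.match(n)]
        if bad:
            report.problems.append((line_no, "invalid hostname(s): %s" % ", ".join(bad)))
            continue
        report.entries.append((str(addr), names))
    return report


def blocked_names(report):
    """Hostnames that the accepted entries map to a sinkhole address."""
    return sorted(n for a, ns in report.entries if a in SINKHOLE_ADDRS for n in ns)


if __name__ == "__main__":
    rep = lint_hosts(SAMPLE_HOSTS)
    for addr, names in rep.entries:
        print("OK   %-12s %s" % (addr, " ".join(names)))
    for line_no, reason in rep.problems:
        print("LINE %d: %s" % (line_no, reason))
    print("blocked:", blocked_names(rep))
```

Running it against the sample keeps the three well-formed entries and reports the five bad lines, with the "0" and "127.1" lines called out as shorthand; a list that is meant to work on every resolver should only ship entries that pass this strict check.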
Out of sheer boredom, I decided to reply to your points, since they're all very easy to do so. Fucked if I know where though, I'm sure it's around somewhere.
Oh shit, you're pretending not to be APK. Sorry about that... you didn't need that cover did you?