Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Release a hotfix to disable the hlp resource locator, as you should have done as soon as you got the bug report.
Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.
All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.
How we know is more important than what we know.
Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.
Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."
A security flaw being exploited, via the Internet no less ! I am shocked and outraged ! /s
The bad guys have been using the flaw for years; it's just the bottom feeders who are allowed by the cartel to have a go now.
5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.
Google is supposed to learn morals from Microsoft and its toadies?
According to this tweet: http://twitter.com/taviso/status/16005411316 Those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.
A day that will live in Ormandy.
This is a question that should really be asked of Microsoft
Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a Rube Goldbergian monster of an operating system? An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.
He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?
If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 hours a day (in shifts, of course, around the world, in accordance with their timezones' ordinary business hours), then why not?
Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.
Begging the question: was it Slashdot?
[/humor]
I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).
I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There were heaps of code that a bug could have been in; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more, as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory, he wouldn't have even needed the loophole to avoid the prompt.
Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.
I.O.U One Sig.
The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.
Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.
-- these are only opinions and they might not be mine.
Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.
Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.
Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.
So you can disable that service and be at ease that nothing is going to happen to you or your users.
BUYER be Aware. Is that enough said? Oh well it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace Yall.
Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft: OK, the clock is running. I am going to publicly disclose this vulnerability on day 61, not day 5.
I do believe this proves otherwise. What was a previously unknown bug, not being exploited has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.
My understanding is that Firefox disables hcp:// by default:
network.protocol-handler.external.hcp = false
And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.
Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption; the only safe assumption is that you are not the first to find it, and the only way to minimize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.
Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.
I wouldn't have been surprised if it was actually one of the ad servers the site uses.
If the antivirus reported suspicious activity that wasn't stopped, then UAC alone saved you. It is not the first time that the AV fails to "detect" malicious use of scripts, since it has no AI; just authenticating to allow UAC to run the command would have been enough to start the true system-rooting process which may or may not be blocked by the AV depending on what executables are chained to cmd.exe's work.
It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
It only seems contradictory to people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips off the consumers, and that transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.
Google could probably release an exploit like this every day if they wanted to - or ten of them. They index the Internet, and that includes the nasty corners where such things are as common as rude pictures on 4chan. Why should they care? They don't use Windows internally any more.
Help stamp out iliturcy.
I'm not sure the analogy is a good one.
This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?
The only people that get hurt by the early information are ones that aren't paying attention to the big orange fliers left in the mailbox (or ones that simply don't care). But potentially lots of people can get hurt if you tell no one. I think I would opt for early information. Maybe people would have to scramble a bit at first, but they'll get over it. I'm tired of our society putting off problems until further down the road, when it becomes the 800-lb gorilla, with bigger consequences and now impossible to ignore.
And I really don't understand why. I'll quote the article:
"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a 'Fix it' tool that automatically unregisters the HCP protocol handler, a move Microsoft said 'would help block known attack vectors before a security update is available.'"
So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).
I've just found a way of easily opening and starting your Ford using common household tools.
I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.
No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.
If your Ford gets stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.
Fair enough?
If you were blocking sigs, you wouldn't have to read this.
I haven't seen anyone link to Microsoft's temporary fix yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.
One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:
"Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."
But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
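The export-then-delete workaround described above, written out as a PowerShell script for XP admins. This is an added example, not Microsoft's "Fix it" tool or anything from this thread; it assumes the handler is registered under HKEY_CLASSES_ROOT\HCP (my recollection of the advisory, not something this page states), and it must be run from an elevated prompt.

```powershell
# Added example (not from the thread): apply, verify or undo the hcp:// workaround.
# Assumption: the protocol handler key is HKEY_CLASSES_ROOT\HCP (from memory of the
# Microsoft advisory, not from this page). Run as an administrator.
$hcpKey    = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backupDir = Join-Path $env:SystemDrive 'hcp-backup'

function Test-HcpRegistered {
    # True while the hcp: handler is still registered, i.e. the workaround is NOT applied.
    return (Test-Path -Path $hcpKey)
}

function Disable-HcpHandler {
    if (-not (Test-HcpRegistered)) {
        Write-Host 'hcp: handler already unregistered; nothing to do.'
        return
    }
    # Export the key first so it can be restored once a real security update is installed.
    if (-not (Test-Path $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    $backupFile = Join-Path $backupDir ('HCP-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCR\HCP' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; refusing to delete $hcpKey" }

    # Deleting (rather than renaming) the key leaves nothing for a guessed or fuzzed
    # key name to match: no key, no handler for hcp: links at all.
    Remove-Item -Path $hcpKey -Recurse -Force
    Write-Host "hcp: handler unregistered. Backup saved to $backupFile"
}

function Restore-HcpHandler {
    # Re-import the exported .reg file after the vendor fix is applied.
    param([Parameter(Mandatory = $true)][string]$BackupFile)
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed" }
}

Disable-HcpHandler
if (Test-HcpRegistered) {
    Write-Warning 'hcp: handler is still registered; workaround not applied.'
} else {
    Write-Host 'Verified: hcp:// links will no longer be dispatched to Help and Support Center.'
}
```

Test-HcpRegistered doubles as a quick compliance check across a fleet: run it remotely and any machine that returns True still has the handler in place.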
I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:
http://news.cnet.com/8301-30684_3-20006509-265.html
Google leaks that they're moving away from Windows, because it's insecure and its use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!" So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.
I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?
--
$tar -xvf
Windows XP is released in dozens of languages, with support contracts for all of them.
If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.
Dewey, what part of this looks like authorities should be involved?