Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

Dear Microsoft

[QuantumG]

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

Re:Dear Microsoft

[Entrope]

Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

Re:Dear Microsoft

[hedwards]

That's the thing MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until patch Tuesday and hope that nobody notices till then.

Re:Dear Microsoft

[hedwards]

If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

Re:Dear Microsoft

[hedwards]

Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finish, as in finished and received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.

Re:Dear Microsoft

[pyrbrand]

You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'

As far as pushing this to users automatically, people get angry when you break shit without asking them.

Re:Dear Microsoft

[cbiltcliffe]

But that's their choice.
If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

Everybody else should have the option of installing the updates as soon as they're finished.

But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

Re:Dear Microsoft

[recoiledsnake]

The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately. Hence it's better to release the patch es as a bundle on a single day.

Re:Dear Microsoft

[guruevi]

Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

Re:Dear Microsoft

[Your.Master]

That's not at all what happened. What happened was:

Tavis: "I found a critical flaw, will you fix it in 60 days?"
Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday"
Tavis: "Not good enough". Released to the wild.

Cite: TFA.

Re:Dear Microsoft

[rtfa-troll]

Cite: TFA.

Except you're lying. TFA, which I've actually read, has only this to say :

"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"

Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

Nice quote.

[ArbitraryDescriptor]

Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.

Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."

JUNE 15th...

[mbeckman]

A day that will live in Ormandy.

The elephant in the room

[Ironchew]

Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.

Begging the question: was it Slashdot?
[/humor]

Re:The elephant in the room

[dangitman]

Begging the question: was it Slashdot?

No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.

hcp protocol

[shird]

I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there could have been a bug in, I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

Re:The bad guys thank you Tavis.

[hedwards]

Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.

NOT zero day attack.

[slashkitty]

This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

Ormandy did excercise responsible disclosure

[Todd+Knarr]

Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

Re:Ormandy did excercise responsible disclosure

[drinkypoo]

So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

Had he kept his mouth shut, your systems would be safer.

No, they would seem safer, but be less safe.

Re:Ormandy did excercise responsible disclosure

[Todd+Knarr]

Yes, Microsoft's rules for "responsible disclosure" are undoubtably "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.

Re:5 days spent trying to get a fix within 60 days

[shird]

I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225

From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
Microsoft I would be publishing this advisory in mid August during
correspondance (late June) and received no objections."

For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they back dated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx

Re:The bad guys thank you Tavis.

[sohp]

Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.

Re:Microsoft: are you pleased with yourself?

[Todd+Knarr]

Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

Services.msc, use it!

[jack2000]

HA help and support center, i've had that service disabled since i installed this thing long ago! If you try to run anything with the hcp protocol it flatout tells you:

Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.

So you can disable that service and be at east that nothing is going to happen to you or your users.

Bullshit

Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publically disclose this vulnerability on day 61, not day 5.

Re:Bullshit

[poetmatt]

its still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

So far, they sure are silent, aren't they.

Re:Bullshit

[Anpheus]

Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Re:Bullshit

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS Software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft has definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.

One other reminder from a helpful coward; Security through Obscurity, is no security at all.

A.C.

Re:Bullshit

[victorhooi]

heya,

Gosh, I love it how people here love to applaud Microsoft on their *spectacular* security record, and demonise all those who would dare to challenge that.

Please, Google already got bitten with Microsoft's shonky products and poor security in the past, my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild, so they might as well get it out there, so that at least people could be aware of it. It's a public service, for crying out loud.

Remember, just because Ormandy was the first to publicise the exploit, certainly doesn't mean that he was the first to find it. In fact, statistically, the odds are stacked quite against that. Look, full-disclosure has already been proven to be the method that works. And shonky vendors, who are too lazy to look after their users will try and demonise full-disclosure all they like, but at the end of the day, it just looks like them covering their behinds.

You can come out and be a stupid little prat and insult Ormandy all you want, but at the end of the day, you've done...err...squat? I don't remember seeing any security disclosures published by "hairyfeet". Compare to him, and other security researches, I have a feeling both you and I know squat all. I certainly couldn't have found the exploit, even if I was looking.

At least this way, people *know* about the exploit, and it's visible. Better the devil you know, than the one you don't, and all that. Look, if your computer got hit with a drive-by-exploit, and you *didn't* know about about it, are you honestly telling me you'd be happier? You should be thanking security researchers like this, who shine a light on the swiss cheese that is Microsoft's security (yes, this is Windows XP, so perhaps things have improved. I'm not in a position to comment).

Cheers,
Victor

Re:Bullshit

[Mr.+Freeman]

"And he expects them to drop everything just to deal with him?"

Of course not. He expects them to fix their software. There's a difference. It's not his fault there's a fucking bug. Microsoft doesn't have to deal with "him". They just have to deal with their software.

Re:Bullshit

[Patch86]

Last I heard, XP still had about 60% market share to Win7's 10%. I'd say that should dictate where their priorities are, seeing as that is where all their customers are.

(Oblig.). If Ford had sold 1 million Focus's which are now being driven, but have now released a new version and sold only a few thousand, which one should be the safety priority? The new one (should have upgraded, you jerks!), or the one which is most used on the road?

Re:Bullshit

[drsmithy]

In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.

Re:This is classic Tavis.

[Sir_Lewk]

You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.

Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption, the only safe assumption is to assume that you are not the first to find it, and the only way to minimalize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.

Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.

Re:The bad guys thank you Tavis.

[QuantGuy]

There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:

• On Bluetooth phone viruses, apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
• On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
• On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.

Since I've been modded down...

[ratboy666]

And I really don't understand why, I'll quote the article

"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."

So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?

Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.

In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.

Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).