Slashdot Mirror


Microsoft Has No Plans To Patch New Flaw

Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

40 of 217 comments

  1. Possible mitigation? by Khyber · · Score: 4, Insightful

    Couldn't they just start making driver signatures verify with the hardware they support instead of the OS? Screw the OS saying whether or not it's legit, does the actual hardware it's meant for say it's legit code?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Possible mitigation? by beelsebob · · Score: 4, Funny

      Yes, that's working out really well for Motorola's publicity department with the Droid X just now.

    2. Re:Possible mitigation? by Khyber · · Score: 2, Interesting

      There is a small difference to note, however: one is addressing an entire hardware set (Motorola), the other is using code from a piece of hardware (is it a sound card/network driver certificate that got jacked?).

      Actually, bad example. Let me see what my medicated brain can re-think.

      It's more like this, Motorola is stopping you from using hardware you purchased in a manner you wish with a hardware security check, where on the other hand, someone usurped a certificate from Realtek and used that to bypass security checks in a software-based system.

      To prevent such an attack, I'd force those certificates to authenticate with the particular hardware. If the certificate came from the sound card drivers, the ENTIRE code should be authenticated by the sound card. Not sound card code behind that certificate? Denied.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Possible mitigation? by Drew+M. · · Score: 4, Informative

      Did you even read the summary? Realtek's signing keys were stolen. That's why Verisign revoked them. Putting the verification keys in hardware wouldn't fix this issue.

    4. Re:Possible mitigation? by GNUALMAFUERTE · · Score: 3, Informative

      Excellent idea. In that way, when companies refuse to develop free drivers for GNU/Linux, we won't be able to make our own because the hardware will reject them. And all of that just because Microsoft refuses to make a secure operating system because they want to keep users buying new versions, antivirus software, etc. And because the users refuse to switch to an operating system that works.

      Brilliant idea.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    5. Re:Possible mitigation? by Arainach · · Score: 3, Interesting

      That eliminates the possibility to revoke a certificate if one is compromised. Also, it leads to situations like the TI calculator incident, which Slashdot seems to hate.

    6. Re:Possible mitigation? by RCL · · Score: 3, Interesting

      I don't like security news precisely because it results in overreactions like yours.

      We should not care about security too much. Security is the opposite of freedom, and by concentrating our efforts on security we may end up with a completely locked environment.

      It's better to tolerate a certain threshold of hijacked/owned computers than to require hardware to verify the software.

    7. Re:Possible mitigation? by PopeRatzo · · Score: 2, Funny

      let me see what my medicated brain can re-think.

      Did you bring enough to share with the whole class?

      --
      You are welcome on my lawn.
    8. Re:Possible mitigation? by drsmithy · · Score: 3, Insightful

      And all of that just because microsoft refuses to make a secure operating system [...]

      Can you outline what features and capabilities of a "secure operating system" are missing from Windows?

    9. Re:Possible mitigation? by AusIV · · Score: 2, Insightful

      If anything, it would make things worse because they'd be harder to revoke.

    10. Re:Possible mitigation? by westlake · · Score: 3, Insightful

      And because the users refuse to switch to an operating system that works.

      The number of PC users is about 1 to 1.2 billion, based on most estimates I've seen. That would put the number of Windows users at 900 million to 1 billion, at all skill levels.

      I will take that as pretty strong evidence that the Windows OS works just fine for those who use it.

      In that way, when companies refuse to develop free drivers for GNU/Linux, we won't be able to make our own because the hardware will reject them.

      I suspect that signed drivers are inevitable, whatever your platform.

    11. Re:Possible mitigation? by Galactic+Dominator · · Score: 2, Funny

      So unsigned drivers cause rape?

      That is the fattest straw man I've ever seen.

      --
      brandelf -t FreeBSD /brain
    12. Re:Possible mitigation? by mcgrew · · Score: 2, Insightful

      The number of PC users is about 1 to 1.2 billion, based on most estimates I've seen. That would put the number of Windows users at 900 million to 1 billion, at all skill levels. I will take that as pretty strong evidence that the Windows OS works just fine for those who use it.

      I don't think I've ever met a non-nerd that even knows what an OS is. When I tell people there's a free replacement for Windows that doesn't get viruses, their jaws drop; they have no clue. Windows came with their computer and it's all they know.

      If you've never seen an automobile, you would say that your horse works just fine for transportation, too.

    13. Re:Possible mitigation? by drsmithy · · Score: 2, Insightful

      Why is this modded Troll?

      Because it's a troll. Much like the Slashdot headline and summary.

      drsmithy has always shown wilful ignorance of Microsoft's flaws.

      I frequently ask the question, yes. But (as has happened again) the responses rarely get any more advanced than "hurr, durr, viruses malware Micro$oft LOLz".

      As far as what's lacking from Microsoft's security model, managed software repositories and good updating systems are the most obvious lacks.

      Both are present in their security _model_. For what are hopefully obvious reasons, Microsoft can't be the sole provider of software in unmanaged environments (ie: individual end-user systems). For the software they do provide, they have "software repositories" and "updating systems".

      In addition, Microsoft's need to leverage its existing software stack means anyone who actually uses Windows instead of just ticking off feature lists will inevitably have to bypass or disable most of the recent security features.

      For example?

      With the virtualisation tech they've bought, they had the opportunity to build an effective sandbox, but chose not to.

      Probably because they have vastly more interest in catering to their customers' demands for transparently functioning legacy support (despite common Slashdot mythos).

      Interestingly, about the only mainstream example of a common application actually being sandboxed in a standard configuration is on Windows - Internet Explorer.

      I'll ask again: what features and capabilities are missing from Windows that make it insecure. Ie: if they were implemented, all (or even most) of the "security problems" Windows has would disappear overnight (or at least within a short period of time). If you'd like to expand that to identify security problems that are _only_ present on Windows, with a technical overview as to why (ie: what security features and capabilities are lacking that make them possible), that would also be very interesting.

  2. Source? by Arainach · · Score: 5, Insightful

    I know Slashdot's editorial standards have dropped, especially when it comes to Anti-Microsoft articles, but there is no link here to any article that claims Microsoft has no plans to patch the flaw. Do we even have editors anymore?

    1. Re:Source? by Arainach · · Score: 4, Informative

      That's from their Anti-Malware team talking about how they detect it. Nowhere does it say that they have no plans to fix the bug.

    2. Re:Source? by alexhs · · Score: 5, Informative

      there is no link here to any article that claims Microsoft has no plans to patch the flaw.

      To be fair the summary states

      it has no plans to patch the flaw right now

      Which is in the 2nd link actually.

      Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.

      Well, from that quote to the summary, there is quite a stretch, but what did you expect ?

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    3. Re:Source? by complacence · · Score: 5, Funny

      Here's a picture of a pony:
      http://babybird.files.wordpress.com/2009/08/pony.jpg

      What are you trying to do here? There still is no outright refusal to fix this.

      Instead it says:

      We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.

    4. Re:Source? by jesset77 · · Score: 2, Funny

      Here's a picture of a pony: http://babybird.files.wordpress.com/2009/08/pony.jpg

      Gah, whyfor are things (badly) photoshopped out of the left and right sides of that image?

      Stalin, is that you?

      --
      People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.
  3. Re:Was there a point to this? by Anonymous Coward · · Score: 2, Interesting

    It's hardly an OS problem if some wanker has written a nasty driver then signed it with a legit cert.
    Damn, I consider most of my Linux wifi drivers malicious.

  4. Re:Was there a point to this? by 0123456 · · Score: 3, Insightful

    it's hardly an OS problem if some wanker has written a nasty driver then signed it with a legit cert

    I somewhat disagree: it clearly shows the flaws in an either/or trust model of that kind. Either it's signed and it's trusted to do anything at all to your system or it's not trusted to do anything at all... you only need one rogue signing key to break that model.

  5. Careful with that idea... by Trerro · · Score: 2, Informative

    The ATI video card I have fails hard on XP64, so I got a driver some random guy that has nothing to do with ATI made instead, and it works great. If I were stuck using only drivers that were ATI-approved, I'd be majorly SoL.

    I'm all for having the hardware verify that the driver actually is a valid driver for the hardware in question, just make sure that's ALL it does, or we'll lose the ability to use someone's hack to force a piece of hardware to work.

    1. Re:Careful with that idea... by X0563511 · · Score: 2, Funny

      Welcome to the world of ATI-Fail. Enjoy your stay

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  6. Re:Was there a point to this? by TheRaven64 · · Score: 2, Insightful

    Do you propose a better model? How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system? Of course, it would be great to be able to run drivers in unprivileged mode, but until we have an IOMMU in every system that won't actually buy any security (a malicious driver can just tell the device to DMA random data from anywhere in physical memory to the device and then back to the driver's address space, or data from the driver's address space into another process's).

    --
    I am TheRaven on Soylent News
  7. Re:Was there a point to this? by 0123456 · · Score: 5, Informative

    Do you propose a better model?

    Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.

    How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system?

    Generally speaking, Linux drivers are only installed if signed by the distro repository, and you have to trust that key: if it's compromised you're toast. Windows has three bazillion drivers signed by three bazillion keys and only one needs to be compromised.

    Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.

  8. Re:Was there a point to this? by dupeisdead · · Score: 2

    Reading the referenced articles and Microsoft's sites... They're not refusing to fix it. They said they're investigating and there are no plans to release an immediate fix. At best, this summary could be stretched to "urgent 0day attack vector that Microsoft hasn't released a fix for". I wish there was a way to rate articles as flamebait. Some days Slashdot is just like playing the "Telephone Game". Sigh!

    --
    move along, nothing to see here.
  9. Whose fault is it? by KlomDark · · Score: 5, Interesting

    I think Microsoft is right on this issue. This problem is truly not theirs, except for the amount it negatively affects them. (Which they can do little except attempt spin control on the issue.)

    They designed their driver verification process intelligently: By implementing the requirement of the drivers being signed by an appropriate third-party certificate registrar (VeriSign in this case), thus leaving the issue of managing the business of encryption keys to the established so-called "experts".

    Part of the process of obtaining a trusted VeriSign cert such as the device driver key requires the company desiring a high-trust certificate of this nature to sign and comply with a detailed set of procedures describing the physical/organizational processes for handling and storing the signed keys in a very secure and documented "chain of trust".

    In the case where the security chain was broken by a (previously) trusted third party, in this case we'll probably find that RealTek is the cause of the issue by not properly following the chain of trust requirements, or how else would a rogue employee be able to sign his malicious driver?

    <CoolStoryBro
    A decade ago, I was a systems engineer for the internet banking division of a large bank that owned a bunch of other regional banks, and I was a "primary key custodian" (A defined role in the chain of trust requirements), so I was the one who would handle the technical details as far as getting the cert created and installing it on the web banking servers. (Just SSL certs rather than driver signing certs, but at the core they're the exact same thing.)

    The amount of procedural rigmarole for handling the certs was complex, and well thought-out. I would create our private key in front of a few handpicked suits from corporate and data security who would observe me as I created our unsigned private key, then I would look away while one of the security people entered a complex password that I was not allowed to know, then I would get the cert signed by VeriSign which would require the security guy to re-enter the password that I did not know, then we would get the certs back, print out several copies, seal them in an envelope, all of us would sign it and take it to a safety deposit box. The security guys were not allowed to have a copy of the unsigned private key, and I was not allowed to know the password to the VeriSign-signed (VeriSigned?) key.

    [And it's been 10 years since I worked there, and the certs were only one-year certs (renewed each year going through the same type of process), so don't come try to hold me hostage for any info about the bank, my info expired 9 years ago! :) ]
    </CoolStoryBro

    So it looks like RealTek may have dropped the ball on their cert handling procedures. Maybe VeriSign was lacking in their process auditing as well. Who knows? (I don't)

    But to blame this one on Microsoft is asinine; how were they supposed to do anything different?

    I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign, but that would be devastating to online commerce as VeriSign has a near monopoly on the certificate registry market, so encryption would suddenly stop working on nearly all online businesses overnight. // But the bright side: All those sites would still work in the morning on Linux, giving it a huge boost! :) /// But on the dark side: All those sites would still work in the morning on Macs as well, giving the idiocracy movement a huge boost as well. :(

    1. Re:Whose fault is it? by 10101001+10101001 · · Score: 2, Informative

      The flaw that isn't going to be fixed "in the near future" is the "if a shortcut's icon is shown in Windows Explorer, then automatic execution of malicious code may occur" (perhaps this is some sort of buffer overflow in the icon parameter reader?). The best workaround? Disable the display of icons for shortcuts. Attack vectors? WebDAV, USB sticks, and LAN shares mostly. To that end, I'd imagine Microsoft is directly at risk given they likely have multiple rather huge LANs and it's already been demonstrated that at least some hackers are specifically targeting organizations (RealTek, for one). How much do you think Microsoft's source code is worth?

      --
      Eurohacker European paranoia, gun rights, and h
    2. Re:Whose fault is it? by causality · · Score: 5, Informative

      But to blame this one on Microsoft is asinine; how were they supposed to do anything different?

      Do you have any familiarity whatsoever with this situation?

      Windows has an acknowledged flaw/vulnerability related to its handling of .lnk files (shortcuts). That flaw is being exploited to install this malicious driver. The problem has been greatly compounded by the fact that the driver is signed by a previously-trusted private key, but this is not the original flaw. Normally the act of merely plugging in a USB thumbdrive does not immediately install system software such as device drivers. It is that acknowledged .lnk flaw that makes this possible.

      If you can install a hardware driver with an exploit, you can also install a worm, rootkit, etc. This attack happens to install a device driver. If Realtek's private key had never been compromised, then instead of installing a malicious device driver, you'd have Windows users plugging in infected USB thumbdrives and immediately becoming members of botnets. The flaw is in the Windows system and its handling of shortcut files.

      It is that flaw and only that flaw for which Microsoft is being blamed.

      I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign

      Why would they do that when Verisign can revoke only this specific Realtek cert? In fact that's exactly what they have done.

      Seriously. Did you even bother to read the summary? At all? I'll quote it for you. This is the summary, verbatim:

      "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

      Emphasis is mine. Now go clean the egg off your face.

      --
      It is a miracle that curiosity survives formal education. - Einstein
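The two comments above agree on the mechanism that matters for defenders: Explorer renders a shortcut's icon, and that rendering is the code path that runs attacker-controlled code, which is why Microsoft's workaround was to stop displaying shortcut icons. The following is an added example, not code from Microsoft or from any poster in this thread: a minimal parser for the documented shell-link layout (MS-SHLLINK), followed by a triage heuristic that flags shortcuts whose icon would be loaded from a DLL/CPL outside the Windows directory, from a remote share, or from a library path embedded in the target item list. The sample shortcuts are constructed in the block, and the suffix list, the "system directory" prefixes and the flagging rules are assumptions for illustration; they are a triage aid for scanning USB sticks or shares, not a signature for the malware itself, and the parser does not reproduce the malicious file's structure.

```python
"""Minimal .lnk (MS-SHLLINK) parser with a heuristic that flags shortcuts
whose icon resource would be loaded from a library file. Added example for
this thread, not Microsoft's or any poster's code; samples are constructed
here and the flagging rules are illustrative assumptions."""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits 0..7 (MS-SHLLINK 2.1.1)
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LIBRARY_SUFFIXES = (".dll", ".cpl")  # Explorer loads these to render an icon
SYSTEM_PREFIXES = ("%systemroot%\\", "%windir%\\", "c:\\windows\\")  # assumption


def _read_string(data, off, unicode):
    """StringData item: CountCharacters (u16) followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    width = 2 if unicode else 1
    raw = data[off + 2:off + 2 + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated string data")
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + 2 + count * width


def parse_lnk(data):
    """Return header flags, icon index, raw target ID list and StringData."""
    if len(data) < HEADER_SIZE or data[:20] != struct.pack("<I", HEADER_SIZE) + LINK_CLSID:
        raise ValueError("not a shell link")
    (flags,) = struct.unpack_from("<I", data, 20)
    (icon_index,) = struct.unpack_from("<i", data, 56)
    off, id_list = HEADER_SIZE, b""
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16), then the items
        (size,) = struct.unpack_from("<H", data, off)
        id_list = data[off + 2:off + 2 + size]
        off += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags, "icon_index": icon_index, "id_list": id_list}
    for bit, name in STRING_FIELDS:  # fixed order per the spec
        if flags & bit:
            result[name], off = _read_string(data, off, unicode)
    return result


def assess(parsed):
    """Heuristic reasons a shortcut deserves a closer look (assumptions)."""
    reasons = []
    icon = parsed.get("icon_location", "")
    low = icon.lower().replace("/", "\\")
    if low.endswith(LIBRARY_SUFFIXES) and not low.startswith(SYSTEM_PREFIXES):
        reasons.append("icon loaded from a library outside the Windows directory: " + icon)
    if low.startswith("\\\\"):
        reasons.append("icon resource fetched from a remote share: " + icon)
    idl = parsed["id_list"].lower()
    if any(s.encode() in idl or s.encode("utf-16-le") in idl for s in LIBRARY_SUFFIXES):
        reasons.append("library path embedded in the target item list")
    return reasons


def build_lnk(icon_location=None, id_list=None, unicode=True):
    """Construct a minimal shortcut (header + optional fields) for testing."""
    flags, body = (IS_UNICODE if unicode else 0), b""
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        body += struct.pack("<H", len(icon_location))
        body += icon_location.encode("utf-16-le" if unicode else "cp1252")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    return header + b"\0" * (HEADER_SIZE - len(header)) + body


# Constructed samples; the last one hides a .cpl path inside the ID list
_cpl_item = "C:\\x\\applet.cpl".encode("utf-16-le")
SAMPLES = {
    "app_exe": build_lnk(r"C:\Program Files\Example\app.exe"),
    "system_dll": build_lnk(r"%SystemRoot%\system32\shell32.dll"),
    "removable_dll": build_lnk(r"E:\icons\helper.dll"),
    "remote_dll": build_lnk(r"\\fileserver\share\res.dll"),
    "ansi_cpl": build_lnk(r"D:\tools\panel.cpl", unicode=False),
    "cpl_in_idlist": build_lnk(id_list=struct.pack("<H", 2 + len(_cpl_item)) + _cpl_item + b"\0\0"),
}


def scan(samples=SAMPLES):
    """Map sample name -> reasons; an empty list means nothing was flagged."""
    return {name: assess(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(f"{name:14s} {'; '.join(reasons) or 'ok'}")
```

Explorer legitimately renders icons out of shell32.dll and other system libraries, so "icon from a DLL" alone is far too noisy; the system-directory exemption and the remote-share and item-list checks are what make this usable as a first pass over the WebDAV shares and removable media the comment lists as vectors. Anything flagged still needs a look at the full target item list and at what the referenced file actually is.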
  10. Re:goodie the certificate is revoked!! by butlerm · · Score: 3, Insightful

    In this case, I think the question is whether Windows checks the certificate revocation lists. It is a code signature, nothing to do with the browser per se.

  11. Working as intended? by goodmanj · · Score: 3, Insightful

    I'm not a Windows expert, but isn't this exactly the way the certificate system is supposed to operate? This sounds like a security success story, not a failure.

    Driver needs certificate to work with OS. Driver is found to contain security flaw. Certificate is revoked, OS refuses to recognize driver, security hole is closed. Now driver manufacturer has to clean up their act before their drivers are allowed back in the house.

    The headline reads "Microsoft has no plans to patch new flaw", but isn't the certificate revocation at least as good as a patch? More so, because it seals off any *other* undiscovered bugs in the driver? Or am I missing something?

    1. Re:Working as intended? by causality · · Score: 4, Informative

      I'm not a Windows expert, but isn't this exactly the way the certificate system is supposed to operate? This sounds like a security success story, not a failure.

      Driver needs certificate to work with OS. Driver is found to contain security flaw. Certificate is revoked, OS refuses to recognize driver, security hole is closed. Now driver manufacturer has to clean up their act before their drivers are allowed back in the house.

      The headline reads "Microsoft has no plans to patch new flaw", but isn't the certificate revocation at least as good as a patch? More so, because it seals off any *other* undiscovered bugs in the driver? Or am I missing something?

      Please see this post where I correct a similar false notion. Then, please berate your teachers for failing to transmit basic reading comprehension skills to you. Hint: the signed malicious device driver is incidental and is not the flaw that Microsoft may or may not patch.

      Sorry for the tone but I just don't see what part of this is difficult to understand.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  12. Re:Was there a point to this? by rawler · · Score: 5, Interesting

    Generally speaking, Linux drivers are only installed if signed by the distro repository

    Actually, for most distros, "drivers" (code executed as root, which is the main barrier in a Linux system) are installed if they're signed by _any_ key in the keyring, including 3rd-party repositories.

    Many people add 3rd-party repositories to access newer versions of various packages, or packages not included in the distro, significantly increasing the attack vector. If you manage to get hold of a key for any of those repository signers, you pretty much have root access to thousands to millions of users.

    One of the things Linux distributions must really rethink is the concept of 3rd-party software, and how it can be integrated and allowed more safely than it is today.

    One concept could be a special repository system for 3rd-party packages, chrooted to a separate container, and not allowed to execute any scripts during installation (or allowed, but at non-root privileges). Another idea could be per-user installs of 3rd-party apps that install to $HOME/.local or similar, and never as root.

  13. Re:Collateral Damage? by xous · · Score: 2, Insightful

    Are you serious? How the fuck did this get modded insightful. Why the hell would this affect products based off a Linux kernel that does not verify any drivers. Secondly who would build a serious firewall on Realtek hardware? They are notoriously problematic and unreliable.

  14. Re:Certificate revoked by arth1 · · Score: 5, Informative

    The certificate was revoked.

    Does it mean I need to update my drivers from Realtek, otherwise it spits them out?

    No. Windows' security model only checks the certificate during install.

    And even so, it doesn't update the revocation list automatically on install, nor does it check with OCSP; you won't get the revocation unless you specifically install "Root certificate updates" through Microsoft Update, which is usually found on the "optional" installs. So chances are that a lot of people will be able to install this malware in the future too.

  15. Re:Certificate revoked by mosschops · · Score: 5, Informative

    Windows' security model only checks the certificate during install.

    64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation. Revoking that certificate will stop the devices from working, as the parent poster suspected. Though it may not be the same certificate for all Realtek uses.

  16. Where did 'no plans to patch' come from? by mysidia · · Score: 4, Insightful

    The article doesn't say it, and at no time was Microsoft reported as saying there were no plans to patch this bug.

    Just because you are unaware of them reporting they will release a patch does not mean they have no plan to patch it.

    They have offered workarounds and appear to be treating this seriously.

    Just because it's the weekend and they haven't told you there will be a patch available monday DOES NOT mean they are ignoring or refusing to work on patching this.

  17. You just proved his point by Sycraft-fu · · Score: 4, Insightful

    See to secure against that, to truly secure against it, he'd have to lose all freedom. Children are soft targets, the only way to keep them secure from kidnapping is to have them under guard 24/7. Keep your kids in a locked compound with armed, trusted, guards and they could be secure (though even that could be overcome). If you want them to live a normal life, well there are risks.

    So your complete and total paranoia bullshit actually proves the GP's point: Getting too paranoid about security is stupid. In the real world, there's no such thing as perfect security. If you think there is you are lying only to yourself. As such you want to design your security for two things:

    1) Good enough to stop the attacks you are likely to face. You don't want to get all crazy and speculate on shit you aren't likely to see. You aren't guarding nuclear secrets, secure your house accordingly. Have it good enough, not stupidly overboard.

    2) Relaxed enough you don't screw over your life. Living in a continual state of locked down paranoia and denying yourself everything because of supposed risks is no way to live. You want your security so it doesn't harm your ability to enjoy a normal life.

    Also if you are dealing with someone deranged enough to try and stalk you to this degree, they needn't get in your computer to do it. You think you are safe? Not hardly. I hire a competent private investigator, they'll track you down, no breaking in to your computer needed.

    You either need to be way less dramatic, get a sense of perspective, or get professional help. Maybe all three.

  18. Re:So no then by euphemistic · · Score: 2, Insightful

    How about this for what is missing: an attempt to fix a (now very publicly known) flaw in a somewhat timely manner.

  19. Re:So no then by SharpFang · · Score: 3, Insightful

    And that's the essential difference. Linux had many flaws, and all were fixed in a timely manner, acknowledged and corrected. Correcting them might have been a pain in the ass but it was always possible. Which is not the case here. The flaw exists but it's rooted so deeply in the design that removing it without a major overhaul and breaking lots of compatibility is impossible. Insecure is not a system that has flaws, but one that has flaws that can't be fixed within current framework.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2