Microsoft Has No Plans To Patch New Flaw

Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

Source?

[Arainach]

I know Slashdot's editorial standards have dropped, especially when it comes to Anti-Microsoft articles, but there is no link here to any article that claims Microsoft has no plans to patch the flaw. Do we even have editors anymore?

Re:Source?

[alexhs]

there is no link here to any article that claims Microsoft has no plans to patch the flaw.

To be fair the summary states

it has no plans to patch the flaw right now

Which is in the 2nd link actually.

Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.

Well, from that quote to the summary, there is quite a stretch, but what did you expect ?

Re:Source?

[complacence]

Here's a picture of a pony:
http://babybird.files.wordpress.com/2009/08/pony.jpg

What are you trying to do here? There still is no outright refusal to fix this.

Instead it says:

We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.

Re:Was there a point to this?

[0123456]

Do you propose a better model?

Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.

How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system?

Generally speaking, Linux drivers are only installed if signed by the distro repository, and you have to trust that key: if it's compromised you're toast. Windows has three bazillion drivers signed by three bazillion keys and only one needs to be compromised.

Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.

Who fault is it?

[KlomDark]

I think Microsoft is right on this issue. This problem is truly not theirs, except for the amount it negatively affects them. (Which they can do little except attempt spin control on the issue.)

They designed their driver verification process intelligently: By implementing the requirement of the drivers being signed by an appropriate third-party certificate registrar (VeriSign in this case), thus leaving the issue of managing the business of encryption keys to the established so-called "experts".

Part of the process of obtaining a trusted VeriSign cert such as the device driver key involves the company desiring a high-trust certificate of this nature involves signing and complying with a detailed set of procedures describing the physical/organizational processes how to handle and store the signed keys in a very secure and documented "chain of trust".

In the case where the security chain was broken by a (previously) trusted third party, in this case we'll probably find that RealTek is the cause of the issue by not properly following the chain of trust requirements, or how else would a rogue employee be able to sign his malicious driver?

<CoolStoryBro
A decade ago, I was a systems engineer for the internet banking division of a large bank that owned a bunch of other regional banks, and I was a "primary key custodian" (A defined role in the chain of trust requirements), so I was the one who would handle the technical details as far as getting the cert created and installing it on the web banking servers. (Just SSL certs rather than driver signing certs, but at the core they're the exact same thing.)

The amount of procedural rigamorole for handling the certs was complex, and well thought-out. I would create our private key in front of a few handpicked suits from corporate and data security who would observe me as I created our unsigned private key, then I would look away while one of the security people entered a complex password that I was not allowed to know, then I would get the cert signed by VeriSign which would require the security guy to re-enter the password that I did not know, then we would get the certs back, print out several copies, seal them in an envelope, all of us would sign it and take it to a safety deposit box. The security guys were not allowed to have a copy of the unsigned private key, and I was not allowed to know the password to the VeriSign-signed (VeriSigned?) key.

[And it's been 10 years since I worked there, and the certs were only one-year certs (renewed each year going through the same type of process), so don't come try to hold me hostage for any info about the bank, my info expired 9 years ago! :) ]
</CoolStoryBro

So it looks like RealTek may have dropped the ball on their cert handling procedures. Maybe VeriSign was lacking in their process auditing as well. Who knows? (I don't)

But to blame this one of Microsoft is assinine, how were they supposed to do anything different?

I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign, but would be devastating to online commerce as VeriSign has a near monopoly on the certificate registry market, so encryption would suddenly stop working on nearly all online businesses overnight. // But the bright side: All those sites would still work in the morning on Linux, giving it a huge boost! :) /// But on the dark side: All those sites would still work in the morning on Macs as well, giving the idiocracy movement a huge boost as well. :(

Re:Who fault is it?

[causality]

But to blame this one of Microsoft is assinine, how were they supposed to do anything different?

Do you have any familiarity whatsoever with this situation?

Windows has an acknowledged flaw/vunlerability related to its handling of .lnk files (shortcuts). That flaw is being exploited to install this malicious driver. The problem has been greatly compounded by the fact that the driver is signed by a previously-trusted private key, but this is not the original flaw. Normally the act of merely plugging in a USB thumbdrive does not immediately install system software such as device drivers. It is that acknowledged .lnk flaw that makes this possible.

If you can install a hardware driver with an exploit, you can also install a worm, rootkit, etc. This attack happens to install a device driver. If Realtek's private key had never been compromised, then instead of installing a malicious device driver, you'd have Windows users plugging in infected USB thumbdrives and immediately becoming members of botnets. The flaw is in the Windows system and its handling of shortcut files.

It is that flaw and only that flaw for which Microsoft is being blamed.

I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign

Why would they do that when Verisign can revoke only this specific Realtek cert? In fact that's exactly what they have done.

Seriously. Did you even bother to read the summary? At all? I'll quote it for you. This is the summary, verbatim:

"Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

Emphasis is mine. Now go clean the egg off your face.

Re:Was there a point to this?

[rawler]

Generally speaking, Linux drivers are only installed if signed by the distro repository

Actually, for most distros, "drivers" (code executed as root, which is the main barrier in a Linux-system) are installed if they're signed by _any_ key in the keyring, including 3:d-party repositories.

Many people add 3:d party repositories to access newer versions of various packages, or packages not included in the distro, significantly increasing the attack vector. If you manage to get a hold of a key for any of those repository-signers, you pretty much have root-access to thousands-millions of users.

One of the things Linux distributions must really rethink is the concept of 3d-party software, and how it can be integrated and allowed more safely than it is today.

One concept could be special repository-system for 3:d-party packages, chrooted to separate container, and not allowed to execute any scripts during installation (or allowed, but at non-root privileges). Another idea could be per-user installs of 3d-party apps that installs to $HOME/.local or similar, and never root.

Re:Certificate revoked

[arth1]

The certificate was revoked.

Does it mean I need to update my drivers from Realtek, otherwise it spits them out?

No. Windows' security model only checks the certificate during install.

And even so, it doesn't update the revocation list automatically on install, nor does it check with OCSP; you won't get the revocation certificate unless you specifically install "Root certificate updates" through Microsoft Update, which is usually is found on the "optional" installs. So chances are that a lot of people will be able to install this malware in the future too.

Re:Certificate revoked

[mosschops]

Windows' security model only checks the certificate during install.

64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation. Revoking that certificate will stop the devices from working, as the parent poster suspected. Though it may not be the same certificate for all Realtek uses.