Slashdot Mirror
Google Security Expert Finds, Publicly Discloses Windows Kernel Bug
hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."
Seriously. I think it was a comic strip (possibly xkcd) that pointed out that an exploit that had user level privileges could impersonate someone on web sites, do money transfers at their banks, etc... While a system level exploit would all it to install drivers. Whohooo!
if he was an independent researcher doing this it might be one thing, but in this case he's not revealing the vulnerability based on full disclosure principals, he's doing it to give his employer's largest competitor a black eye. Motives matter
If it hadn't been Microsoft, Google may have been a bit more responsible about this, but since it makes their competitor look bad, time to forget about "do no evil".
I'm betting this is the only way to get MS to fix the problem in a timely fashion. If it's in the wild, they HAVE to fix it, and fast. Guys had to do this with Apple, as well, because they never fixed any bugs unless absolutely forced to.
The irony of the difference between closed source and open source is that while Ormandy has posted an exploit to this Windows bug, in the open-source world he potentially could have posted a fix too, considering he's the one who seems to understand the bug itself the best...
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Yeah, ok. troll better please.
it's been 4 weeks. Clearly we should go after those who disclose vulnerabilities instead of those responsible for fixing them. /sarcasm
That's bad. That's destructive and dangerous
No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one. Someone could use that information to perpetrate a crime. Why do you throw freedom of speech out the window when it comes to software bugs?
The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.
History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.
- Michael T. Babcock (Yes, I blog)
Been a long time coming, but we finally don't have Microsoft pushing us around any longer.
Some of us with long memories see absolutely no issue with disclosing MS bugs on public forums.
Agree. The level of computer support I provide family members does not vary between Linux, Mac, Windows, Android, iOS, etc. This is a tired trope that needs to die.
Leela: "Is all the work done by children?" Alien: "No, not the whipping."
Can google and/or this guy be prosecuted for this because releasing the working demo is basically aiding and abetting a criminal
Why do you throw freedom of speech out the window when it comes to software bugs?
Get on your soapbox much? Nobody is infringing on Freedom of Speech since there is no law against this. There are issues of being reasonable and responsible though that have nothing to do with the law. Nor is anywhere here suggesting that he shouldn't publish, just that he should inform Microsoft directly, instead of assuming that everyone on the planet should read that mailing list, and give them some reasonable time to fix it before publishing.
News? TFS is flamebait.
This Fucking Site?
I guarantee every talking head on TV would be calling for the DoJ to look into it...
This is all about PR and image, Google and apple are sexy, MS is big and boring, but arguably more critical to daily life (you have no idea how many devices and backend systems you use everyday are on Windows)
That's bad. That's destructive and dangerous
No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one.
This is closer to posting a list of homes where firearms are registered. Exposing the vulnerabilities without letting the homeowners without guns know that they're about to be greenlighted for burglary.
The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.
Now everyone has to scramble as script kiddies within their organizations implement this (internal attackers are still most dangerous). A balance must be struck. He's not looking to keep people secure; he's looking to make MS Windows operating systems a battlefield.
News? TFS is flamebait.
This Fucking Site?
The Friendly Summary.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Its a privileged escalation vulnerability... your machine has to already be compromised for this to be abused in the wild.
The code is clearly targeted for x86 only, not for x64 (__declspec(naked)).
I don't have x86 PC.
On Win7x64 the code plainly crashes.
Unimpressed.
...but not disclosing it to the vendor first and giving them a chance to release a fix is both unprofessional and irresponsible. Add in the fact that this is coming from a Google employee makes it inexcusable, and reflects poorly on Google. If I were his manager he would certainly receive a reprimand.
Security through obscurity is no security at all.
A security hole is a security hole. A hole that is not widely known about is not in any credible sense "safer" than one with a demonstration exploit posted on mailing lists.
I would rather that news of exploitable security holes be widely published, so that mitigating secondary security blocks can help cover the hole, and reduce the attack surface as soon as the exploit is discovered. While you can't recompile the kernel on day-0, you CAN filter network traffic, isolate unprotected systems, and take other affirmative actions to safeguard company and private data from unauthorized persons, and prevent the silent execution of malicious software early.
The problem one runs into there, is that most software out there today is not so much "secure", so much as it actually is analogous to a block of aged swiss cheese. Hardened in some places, and totally see-through in others. Managing many disparate suites of software packages means dealing with, and mitigating the risks, of a great, great many peepholes.
But again, a security hole is a security hole, and security through obscurity is no security at all. Wishful thinking that "if nobody says anything, then its perfectly safe to let slide for now!" Puts systems, data, and people at risk for the sake of convenience.
Look at the fallout of the near miss between that german drone aircraft and a small passenger plane that just came to light. Secrecy of the problem does not make the problem go away, and hiding the risks from people (for any reason) who are at risk is beyond inconscionable.
Umm. Many do.
Do you know if the 3 to 5 guys who own that codebase in MS read that site?
Microsoft never gets off its ass and fixes stuff before it goes public.
Quite simply untrue.
So. Fuck it. Publish. Make em work.
So, no -- responsible disclosure first. Extreme measures after that. Don't be an asshole. Not being an asshole is generally not hard.
It's news that a Google employee is being a dick, since they do have a "do no evil" policy.
No, they don't. They have a "do no evil" slogan. They have been just as actively evil as everyone else for years.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Microsoft never gets off its ass and fixes stuff before it goes public.
Really? Every bug fix they ever made was from public disclosure? News to me, since I personally have seen them fix things disclosed only to them.
What you actually mean is that you, a home user, with a best a handful of machines, thinks its better to rush a patch out that could break shit, than to do a proper fix and test cycle.
What this lets the rest of us know is that you have no fucking clue what its like to deal with large scale software maintenance. Any admin worth his salt knows that if you can mitigate the problem away and wait for a proper patch that has been thoroughly tested is about 10 billion times better than some random hack made by some guy at 3am this morning.
There are few exploits that can not be mitigated in some way. This particular issue is easy to mitigate at most companies by simply firing any jack ass caught exploiting it. It requires local access (via RDP counts), so its not like we're talking about an internet facing, anyone can take you down, kind of bug.
On top of that, any admin worth his salt his going to do proper testing, which means even if they got a patch 10 seconds after the exploit was found, its STILL GOING TO BE A WHILE BEFORE THE ADMIN DEPLOYS THE PATCH ... unless he is some ignorant clueless douche like you who doesn't have any idea what he's doing.
All your post does is shows your complete ignorance of the bigger picture.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"Doesn't matter what history shows."
That's the refrain of the conquered and the unscientific.
Poor analogy. Your billy-club company is making something anyone can make -- it's common knowledge how to make one, and it's even easily replaced with other objects. Ormandy found the exploit -- making his knowledge of it unique. By publishing it, he made it common knowledge. There was not even anything that could be used to substitute it. People are running to defend Ormandy in their glee that he did something to hurt MS. If MS had published an exploit in the Linux kernel without first submitting a patch and waiting for it to be accepted, I guarantee you your stance would be the exact opposite of what it is now.
Except that he's right. The "Security through obscurity is no security at all" mantra is the first thing that people who know nothing about security fall back on again and again. Asymmetric keys are merely *better* obscurity than most other means. You're still just counting on not being a sufficiently interesting target that your keys are not going to be put to the test by somebody with access to a proper compute cluster (or maybe a quantum computer), or that they won't bypass that and exploit you some other way.
You should know this already. Speaking generally, all security mechanisms can be broken, so you need to ensure the cost of exploiting is greater than the thing you get access to after exploiting.
I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" Is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.
Proper keypair generation attempts to make it more costly for the attacker to profit from the action of hacking, and actually demonstrates this fact for them, should they try anyway.
Shitty obscurity based half-assery fakes being strong, to detur attempts, but fails easily on inspection. Something like using a password to XOR a file, and calling it "encrypted.", or doing what sony did and reusing the sae salt over and over again, completly defeating the purpose of the salt in the process.
Relying on "don't tell anybody! We'l get to it eventually, and if you don't tell, nobody will find out!" Is bullshit, which is what typically happens with so called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."
I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere. However, informing the people at the most risk, (customers), that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploit until the patch is ready is what is the responsible thing for the software vendor to do. NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company prividleged information, steal user persona data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"
The only reason not to do would be if you knew someone was already taking advantage of the vulnerability in the wild.
Google is in competition with Microsoft. Google would prefer people to use chromebooks and android so raising anxiety about Microsoft based products furthers their corporate goals. It could easily be as simple as that.
Ok, good point on the billy-club. If I read correctly, didn't he give MS 4 weeks to patch it before publishing an exploit for the bug? MS is a commercial company that provides a product and has an obligation to ensure its security. The Linux kernel, however, comes with no such guarantees; maybe if you bought a commercial distro but even then it depends on the EULA. You can always speculate better/different ways of doing something after it's done. I'm not going to bash Ormandy for publicizing the bug anymore than I would bash somebody for publicizing a bug in the Linux kernel. Come to think of it, aren't all the bugs for linux (and other opensource projects) public on a bug site?
>> He reported the bug back in May.
Whoa! A whole 17 days have gone by and they still haven't release a worldwide patch?! Give them some time, you make it sound like it has been in the wild for months.
The nonsequitor there, is in asserting that because the whitehat hasn't disclosed his findings, that others haven't also independently found the hole, and been more mum about it.
Which is more profitable for a person who makes their living by stealing company secrets, laundering money through wire fraud, or selling stolen identity information?
Using an exploit that has been publicly discosed, and thus, everyone is super paranoid about it, and actively trying to plug it-- OR-- a nice little treasure trove of privately discovered exploits that aren't public knowledge that you can quiety switch to once the hole you are currently using gets discovered?
"Saving face" for the company fascilitates the real blackhats by keeping admins and users ignorant of the threat.
All public disclosure does is make real blackhat attackers silently move to their next vector, and cause a spike in script kid activities. (And of course, make the software vendor look bad.)
Some of us have empathy and like to live in a working society.
Not all of us can be narcissistic sociopaths.
Exactly. MS has a well-documented monthly patch cycle. Give them until the next patch release date if you don't think there are exploits in the wild. Give them 1-week if there are already exploits. Similar rules for any other vendor depending on their patch cycles etc. Little common sense is all it takes.
I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" Is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.
"out of sight, out of mind!" is a bigger strawman than anything I said. Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for. And the point wasn't about unbeatable protection -- the point was to dispel of this silly one-liner that only serves to hinder meaningful discussion of security issues.
Shitty obscurity based half-assery fakes being strong, to detur attempts, but fails easily on inspection. Something like using a password to XOR a file, and calling it "encrypted.", or doing what sony did and reusing the sae salt over and over again, completly defeating the purpose of the salt in the process.
*This* is a strawman. Don't point out stupid shit that other people did, and claim that it makes your point valid. Remember again the general recommendation -- the cost of breaking your scheme must be greater than the value of what you're protecting. If you're using the scheme above, you should be using it to protect minesweeper scores at best.
Relying on "don't tell anybody! We'l get to it eventually, and if you don't tell, nobody will find out!" Is bullshit, which is what typically happens with so called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."
This is a strawman again. Simply, disclose responsibly. The patch cycle is well documented. If 1 cycle goes without a patch, you can remind them. If they second one goes by and no patch, disclose. How hard is that? Answer -- not hard at all. When you're not out to fuck people over, and don't have some agenda you're trying to further, it's really not that hard to be reasonable.
I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere.
It's not just that. The patch needs to be tested to ensure that it actually works! That was an issue the last time Ormandy did this -- he provided a binary patch that did not fix the issue! In addition to that, it has to not cause other bugs (not necessarily exploits -- but bugs -- because those too can cause work stoppage etc.). When the hole is being exploited already, all this goes out the window -- exchange information openly and get that shit fixed ASAP. When it's not yet being exploited actively, you can spare users a lot of headache, and a lot of lost productivity by simply following responsible disclosure guidelines that are well documented and well-known to Ormandy himself.
However, informing the people at the most risk, (customers), that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploit until the patch is ready is what is the responsible thing for the software vendor to do.
Dude, you can drop the veneer about caring about MS's customers. Ormandy can drop that too. There's a clear course of action by which Ormandy and MS could have done right by them together. Ormandy made sure that's no longer an option, and they are in greater danger now than was strictly necessary. And you are defending his actions out of glee that MS is looking like an idiot.
NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company prividleged information, steal user persona data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"
Nobody is asking to HIDE anything! You complained about a strawman earlier??? Responsible disclosure does not imply infinite time. Ormandy works for Google right? He can
Security through obscurity is no security at all.
That's not really relevant because the choice is between disclosing to the software makers and disclosing to the public, not leaving the hole in the product. Given the hole already exists, is it more secure to let the public (consisting of both good and bad actors) know or not?
The answer to that can change depending on the nature of the vulnerability (can the public protect themselves by changing a setting for example) and the way the software company can be expected to respond (will they sit on their hands unless faced with a PR disaster?).
Nope, just making exploits public without even trying to tell the vendor about them first is just a dickhead move, esp. on the users.
Asymmetric keys are merely *better* obscurity than most other means.
You are using a false information model.
"Obscurity" in the context of IT security does not refer to private information of any kind.
"Security through Obscurity" refers to the false assumption that my ROT13 encryption algorithm is any better if I don't tell you that I'm using ROT13. The assumption being that it'll take you additional time to figure out what algorithm I'm using, making it more difficult to crack my code.
That assumption is false, because with any actual security measure, the amount of work required to figuring out the algorithm is insignificant compared to the amount of work required to break it.
Asymmetric keys are not "better" obscurity. You can't break a good encryption algorithm with even a huge cluster. That's the whole point - that I don't need obscurity. I can tell you what algorithm I used, what size my key is, absolutely everything except the key itself - and it'd still take you a century with all the current computing power on the planet to break it.
Obscurity is usually a weak algorithm that can be broken in minutes once you've figured out the one "trick" they keep secret.
If you still don't see the difference, re-read Applied Cryptography.
Assorted stuff I do sometimes: Lemuria.org
A username/password is different.
This is a flaw in a system. It's the difference between "Joe Blogg's car has code XXXX" and "All Fords let you in if you do XXXX". The personalisation of the information brings it under different laws - and preventing people from discussing flaws will also stop people from, for example, discussing faults in systems (e.g. cars that have faulty brakes etc.) which brings about whole new levels of capability for companies to forgo their responsibilities and claim they didn't know about it.
However, if you think your garage door openers and information on how to bypass them, copy them, fake them, scan them, intercept them, etc. isn't already on the Internet, you're being naive. Same for car locks.
It's not illegal to discuss a particular encryption system used on a satellite TV system, for example, or it's weaknesses or how it can be bypassed. It's not even illegal to take apart the box and try it. It's definitely a grey legal area, though, to do so with the intention of infringing copyright (but how do you prove that?), or selling "cracked" boxes onto other users. Also, it is illegal to distribute, say, Sky's satellite codes that allow you to decrypt their channels.
You don't want to stop people investigating and finding and discussing flaws in systems. The knock-on effects are huge and not even constrained to IT systems (i.e. if someone's voting system is vulnerable, you wouldn't be able to report that, and nobody would ever know). The law in almost all countries takes the middle line - you can discuss flaws inherent in the system, but you can't go providing information specifically tailored so that random people can use to access random people's accounts.
This exploit has C code. Go compile it. See how it works. Get a working binary. All legal. Distribute it? Legal. Sneak it onto someone's machine? Illegal. Get someone to run it with the intention of accessing things you shouldn't? Illegal. Anything already "bad" is covered. Making more steps along the way illegal just has too much of an impact elsewhere on things that you WANT happening.