Google Security Expert Finds, Publicly Discloses Windows Kernel Bug
hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."
If he was an independent researcher doing this it might be one thing, but in this case he's not revealing the vulnerability based on full disclosure principles, he's doing it to give his employer's largest competitor a black eye. Motives matter.
If it hadn't been Microsoft, Google may have been a bit more responsible about this, but since it makes their competitor look bad, time to forget about "do no evil".
The irony of the difference between closed source and open source is that while Ormandy has posted an exploit to this Windows bug, in the open-source world he potentially could have posted a fix too, considering he's the one who seems to understand the bug itself the best...
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Yeah, ok. troll better please.
It's been 4 weeks. Clearly we should go after those who disclose vulnerabilities instead of those responsible for fixing them. /sarcasm
That's bad. That's destructive and dangerous
No more dangerous than publishing the blueprints for a gun or the instructions to 3D print one. Someone could use that information to perpetrate a crime. Why do you throw freedom of speech out the window when it comes to software bugs?
The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.
That is correct for home users.
But for corporate users, a system level exploit allows things like installing sniffers and key loggers so that more passwords can be collected. Including the admin/root passwords.
Which can be used against the computers in the Accounting department to transfer money from the corporate accounts to "money mules".
Can Google and/or this guy be prosecuted for this? Releasing the working demo is basically aiding and abetting a criminal.
News? TFS is flamebait.
This Fucking Site?
The Friendly Summary.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Microsoft never gets off its ass and fixes stuff before it goes public.
Really? Every bug fix they ever made was from public disclosure? News to me, since I personally have seen them fix things disclosed only to them.
What you actually mean is that you, a home user, with at best a handful of machines, think it's better to rush a patch out that could break shit than to do a proper fix and test cycle.
What this lets the rest of us know is that you have no fucking clue what it's like to deal with large scale software maintenance. Any admin worth his salt knows that if you can mitigate the problem away, waiting for a proper patch that has been thoroughly tested is about 10 billion times better than some random hack made by some guy at 3am this morning.
There are few exploits that cannot be mitigated in some way. This particular issue is easy to mitigate at most companies by simply firing any jack ass caught exploiting it. It requires local access (via RDP counts), so it's not like we're talking about an internet facing, anyone can take you down, kind of bug.
On top of that, any admin worth his salt is going to do proper testing, which means even if they got a patch 10 seconds after the exploit was found, it's STILL GOING TO BE A WHILE BEFORE THE ADMIN DEPLOYS THE PATCH ... unless he is some ignorant clueless douche like you who doesn't have any idea what he's doing.
All your post does is show your complete ignorance of the bigger picture.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
The non sequitur there is in asserting that because the whitehat hasn't disclosed his findings, others haven't also independently found the hole and been more mum about it.
Which is more profitable for a person who makes their living by stealing company secrets, laundering money through wire fraud, or selling stolen identity information?
Using an exploit that has been publicly disclosed, and thus everyone is super paranoid about it and actively trying to plug it -- OR -- a nice little treasure trove of privately discovered exploits that aren't public knowledge that you can quietly switch to once the hole you are currently using gets discovered?
"Saving face" for the company facilitates the real blackhats by keeping admins and users ignorant of the threat.
All public disclosure does is make real blackhat attackers silently move to their next vector, and cause a spike in script kid activities. (And of course, make the software vendor look bad.)
No, user level programs can't generally do that. Since Vista user privileges don't give access to other app's data
I'm sorry, but you are incorrect. Programs running under the same user's security context are all on equal footing and can inspect and interact with each other. Notepad could, for example, read the entire contents of Firefox's private memory. I can create a remote thread in the Firefox process to do whatever it pleased. Vista did not change this.
There is no easy way to steal credentials out of a browser or read email or anything like that.
This is also not true. Firefox clearly stores passwords using reversible encryption (how else could it send the plaintext passwords to websites?). Both the encrypted password and the decryption key are available to any program running under the user's context.
"Reading email" is a little vague, but if absolutely nothing else, a program could capture the text being displayed in the email application using any number of Win32 API / accessibility calls.
That is why viruses often try to trick the user into granting them admin level permissions via a UAC warning prompt
UAC does nothing to prevent a program from gaining administrative access (elevating). This has been reliably demonstrated many times by different people, and even Microsoft has said that UAC is not a security boundary. It was created (essentially) for one thing: to force software vendors to start writing programs that did not assume or require the user to have administrator rights. It had a positive side effect of making Microsoft look more focused on security.
As for drivers even a kernel level exploit usually won't be able to install them these days. Drivers need to be signed before Windows will allow them to be installed.
I'm sorry, but this is also incorrect. Keep in mind there are multiple meanings of "driver", but once you are executing code inside kernelspace, all bets are off. As Raymond Chen likes to say, "It rather involved being on the other side of this airtight hatchway."
Windows 8 flat out refuses to install unsigned binaries as drivers
That's unfortunate for independent/small software development shops and open-source software projects. I remember when I had control over what ran on my computer; those were good days. If, however, malicious code has found its way into the kernel your machine is still fully compromised.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
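The last few comments argue about whether driver signing matters once an attacker is already in the kernel. Whatever side of that you take, a defender still wants to know which loaded drivers actually carry a valid signature. The PowerShell below is an added example, not code from the thread or from any of the people quoted in it; it assumes a Windows host where `Get-CimInstance` and `Get-AuthenticodeSignature` are available, and it normalises the assorted path forms that `Win32_SystemDriver.PathName` reports before looking up each file's signature.

```powershell
# Added example: inventory running kernel drivers and report Authenticode status.
# Assumption: Windows with CIM access; run elevated to see every driver path.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Strip the NT object-manager prefix \??\ if present.
    $p = $PathName -replace '^\\\?\?\\', ''
    # Expand \SystemRoot\... to the real Windows directory.
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Bare 'system32\drivers\x.sys' style paths are relative to %SystemRoot%.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'PathNotFound'
            $signer = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status.ToString()
                $signer = $sig.SignerCertificate.Subject
            }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $status
                Signer = $signer
            }
        }
}

# Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, PathNotFound)
# is the short list worth a closer look.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Two caveats when reading the output: drivers signed only through a security catalog rather than an embedded signature can show up as `NotSigned` on some builds even though the OS accepted them, so cross-check those against the catalog before raising an alarm; and, as the comment above says, a signature check run from inside an already compromised kernel proves nothing, because the code doing the checking is itself under the attacker's control. The report is an inventory and drift-detection tool for a host you still trust, not a guarantee.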
I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.
"out of sight, out of mind!" is a bigger strawman than anything I said. Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for. And the point wasn't about unbeatable protection -- the point was to dispel of this silly one-liner that only serves to hinder meaningful discussion of security issues.
Shitty obscurity based half-assery fakes being strong, to deter attempts, but fails easily on inspection. Something like using a password to XOR a file and calling it "encrypted", or doing what Sony did and reusing the same salt over and over again, completely defeating the purpose of the salt in the process.
*This* is a strawman. Don't point out stupid shit that other people did, and claim that it makes your point valid. Remember again the general recommendation -- the cost of breaking your scheme must be greater than the value of what you're protecting. If you're using the scheme above, you should be using it to protect minesweeper scores at best.
Relying on "don't tell anybody! We'll get to it eventually, and if you don't tell, nobody will find out!" is bullshit, which is what typically happens with so called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."
This is a strawman again. Simply, disclose responsibly. The patch cycle is well documented. If 1 cycle goes without a patch, you can remind them. If the second one goes by and no patch, disclose. How hard is that? Answer -- not hard at all. When you're not out to fuck people over, and don't have some agenda you're trying to further, it's really not that hard to be reasonable.
I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere.
It's not just that. The patch needs to be tested to ensure that it actually works! That was an issue the last time Ormandy did this -- he provided a binary patch that did not fix the issue! In addition to that, it has to not cause other bugs (not necessarily exploits -- but bugs -- because those too can cause work stoppage etc.). When the hole is being exploited already, all this goes out the window -- exchange information openly and get that shit fixed ASAP. When it's not yet being exploited actively, you can spare users a lot of headache, and a lot of lost productivity by simply following responsible disclosure guidelines that are well documented and well-known to Ormandy himself.
However, informing the people at the most risk (customers) that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploit until the patch is ready, is the responsible thing for the software vendor to do.
Dude, you can drop the veneer about caring about MS's customers. Ormandy can drop that too. There's a clear course of action by which Ormandy and MS could have done right by them together. Ormandy made sure that's no longer an option, and they are in greater danger now than was strictly necessary. And you are defending his actions out of glee that MS is looking like an idiot.
NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company privileged information, steal user personal data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"
Nobody is asking to HIDE anything! You complained about a strawman earlier??? Responsible disclosure does not imply infinite time. Ormandy works for Google right? He can
Nope, just making exploits public without even trying to tell the vendor about them first is a dickhead move, esp. on the users.