Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Re:Microsoft: are you pleased with yourself? (Score:5, Informative)
Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.
Re:Dear Microsoft (Score:5, Informative)
You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'
As far as pushing this to users automatically, people get angry when you break shit without asking them.
Services.msc, use it! (Score:5, Informative)
Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.
So you can disable that service and be at ease that nothing is going to happen to you or your users.
Re:Dear Microsoft (Score:3, Informative)
Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch apart and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to month worth of public security holes.
Re:Dear Microsoft (Score:1, Informative)
Release a hotfix to disable the hlp resource locator, as you should have done as soon as you got the bug report.
Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.
All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.
you mean like here:
http://support.microsoft.com/kb/2219475
Re:Ormandy did exercise responsible disclosure (Score:5, Informative)
So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS
This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.
Had he kept his mouth shut, your systems would be safer.
No, they would seem safer, but be less safe.
Re:Ormandy did exercise responsible disclosure (Score:3, Informative)
No they wouldn't be any safer.
This exploit has been known about in security circles for AGES.
And MS has had several warnings, one from myself included, about four years ago.
Mitigation? (Score:4, Informative)
My understanding is that Firefox disables hcp:// by default:
network.protocol-handler.external.hcp = false
And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?
Re:The elephant in the room (Score:1, Informative)
Begging the question
Raising the question
Re:Bullshit (Score:3, Informative)
Yes, let's blame the guy who finds the exploit. Clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch Tuesday stuff is prepared in advance, so it's not even remotely an excuse.
Re:I got hit with this exploit yesterday (Score:2, Informative)
If the antivirus reported suspicious activity that wasn't stopped, then UAC alone saved you. It is not the first time that the AV fails to "detect" malicious use of scripts, since it has no AI; just authenticating to allow UAC to run the command would have been enough to start the true system-rooting process which may or may not be blocked by the AV depending on what executables are chained to cmd.exe's work.
Re:Dear Microsoft (Score:2, Informative)
He says "I found a critical flaw, when will you fix it?" "Fuck you." "No really, how about 60 days? All you have to do is disable the feature in one of the two patch cycles if you can't actually fix it in that time." "Fuck you." "Hmm, well, will you work with me at all on this?" "Fuck you." Released to the wild.
How would you handle it? What do you do when you've found problems before and they don't get fixes for a long time, then you find another and you try to get some commitment of when it will be fixed? He knows that if he found it, someone else may already be exploiting it. If Microsoft won't protect their customers by releasing the patch, he'll force them to work faster and it will get the word out to people that they can disable the feature and be more secure.
Re:Dear Microsoft (Score:3, Informative)
As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.
However you feel about the action, it was done by a specific Google employee, not by Google as a company. So far as I know, Google itself has not taken any official stance in it, and did not back the disclosure. So let's not get into conspiracy theories here.
Re:Dear Microsoft (Score:4, Informative)
That's not at all what happened. What happened was:
Tavis: "I found a critical flaw, will you fix it in 60 days?"
Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday"
Tavis: "Not good enough". Released to the wild.
Cite: TFA.
Re:Ormandy did exercise responsible disclosure (Score:4, Informative)
Article ID: 2219475 - Vulnerability in Help Center could allow remote code execution [microsoft.com]. The related security advisory was first posted June 10th, and the KB article with the FixIt in it was first referred to on June 11th.
Re:Dear Microsoft (Score:4, Informative)
Cite: TFA.
Except you're lying. TFA, which I've actually read, has only this to say:
"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"
Where the word "negotiate" clearly implies that there was more than one back and forth after the point where the demand for a deadline was given.
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
Re:Bullshit (Score:2, Informative)
You do realize when I say "critical part of Windows", I mean in the "and if we remove it now, people might actually stop using our platform", right? IE was pushed as a central place to do all sorts of things and, with the magic of ActiveX (aka COM objects) and protocol handlers, do it relatively easily. Intranet sites heavily exploited that fact and several companies are now hooked on IE6; it was also their goal to have many "Trusted" internet web sites to heavily use ActiveX and be Whitelisted for lock-in there too, but that didn't work out that well except in South Korea. That was very much the reason MS created the whole Zone feature in IE as well as why they're still quite unwilling to give up on the idea.
Yea, well, go complain somewhere else where someone is actually making the argument you're trying to refute.
Temporary fix link (Score:2, Informative)
I haven't seen anyone link to Microsoft's temporary fix [microsoft.com] yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson [grc.com] uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.
One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:
"Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."
But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
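The export-then-unregister workaround described in this post, and the "disable the Help and Support service" alternative suggested earlier in the thread, as an added example (not code from the page, from Microsoft's Fix it, or from Steve Gibson). It assumes the hcp: handler is registered under HKEY_CLASSES_ROOT\HCP, the standard location for URL protocol registrations, and that PowerShell 2.0 is installed on the XP box:

```powershell
# Added example: apply the hcp: workaround with a restorable backup.
# Assumption (not stated on the page): the handler key is HKEY_CLASSES_ROOT\HCP.
$RegKey    = 'HKEY_CLASSES_ROOT\HCP'
$KeyPath   = 'HKCR:\HCP'
$BackupDir = Join-Path $env:SystemDrive 'hcp-backup'
$Backup    = Join-Path $BackupDir 'HCP-handler.reg'

function Test-HcpRegistered {
    # True while the hcp: handler is still registered, i.e. the workaround is NOT applied.
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    return (Test-Path $KeyPath)
}

function Disable-HcpHandler {
    if (-not (Test-HcpRegistered)) { Write-Host 'hcp: handler already unregistered.'; return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # reg.exe export is available on XP; XP's reg.exe lacks /y, so clear any old backup first.
    if (Test-Path $Backup) { Remove-Item $Backup -Force }
    & reg.exe export $RegKey $Backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        throw "Backup of $RegKey failed; refusing to delete the key without one."
    }
    Remove-Item -Path $KeyPath -Recurse -Force   # this is the Microsoft workaround step
    Write-Host "Unregistered hcp:; restore later with Restore-HcpHandler (backup: $Backup)"
}

function Restore-HcpHandler {
    # Re-register the handler once a real security update is installed.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
}

function Disable-HelpAndSupportService {
    # The thread's services.msc alternative: stop and disable the service by its display name.
    $svc = Get-Service -DisplayName 'Help and Support' -ErrorAction Stop
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
}
```

Run `Disable-HcpHandler` from an administrator PowerShell prompt; afterwards `Test-HcpRegistered` should return False, and hcp:// links in Control Panel will stop working until `Restore-HcpHandler` is run.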
This is a big "Told You So" (Score:3, Informative)
I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:
http://news.cnet.com/8301-30684_3-20006509-265.html [cnet.com]
Google leaks that they're moving away from Windows, because it's insecure and its use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.
I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?
You bet it's bullshit (Score:3, Informative)
Windows XP is released in dozens of languages with support contracts for all of them
If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.