
Miscreants Exploit Google-Outed Windows XP Zero-Day

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
  • Re:Dear Microsoft (Score:5, Interesting)

    by hedwards ( 940851 ) on Tuesday June 15, 2010 @10:06PM (#32586396)

    That's the thing MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until patch Tuesday and hope that nobody notices till then.
  • by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday June 15, 2010 @10:10PM (#32586414) Homepage Journal

    The bad guys have been using the flaw for years.. it's just the bottom feeders who are allowed by the cartel to have a go now.

    5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.

  • Yeah, he's not nearly as mean as I would be. I would demand actual action within that 5 days.. including pushing out a patch to disable the vulnerable code.

  • hcp protocol (Score:5, Interesting)

    by shird ( 566377 ) on Tuesday June 15, 2010 @10:21PM (#32586488) Homepage Journal

    I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

    I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there that could have been a bug in; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

    Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.
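    An added example, not code from this thread or from Microsoft: a batch script for the mitigation the comments keep circling back to, unregistering the hcp: protocol handler so that hcp:// URLs no longer launch Help and Support Center at all. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP (the key named in Microsoft's published workaround for this flaw) and that it is run from an Administrator cmd prompt on Windows XP or Server 2003.

    ```batch
    @echo off
    rem Added example (not from this thread). Checks whether the hcp: protocol
    rem handler is registered; if it is, backs the key up and unregisters it.
    rem Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP, the key named
    rem in Microsoft's workaround for this flaw. Requires an Administrator prompt.

    set KEY=HKEY_CLASSES_ROOT\HCP
    set BACKUP=%TEMP%\hcp-handler-backup.reg

    rem Detection: is the hcp: handler present on this machine?
    reg query "%KEY%" >nul 2>&1
    if errorlevel 1 (
        echo hcp: protocol handler is not registered; nothing to do.
        exit /b 0
    )

    rem Mitigation, step 1: keep a copy so the handler can be restored later.
    echo hcp: protocol handler is registered; exporting backup to %BACKUP%
    if exist "%BACKUP%" del "%BACKUP%"
    reg export "%KEY%" "%BACKUP%"
    if errorlevel 1 (
        echo Backup failed; leaving the handler in place.
        exit /b 1
    )

    rem Mitigation, step 2: remove the key. Without it, hcp:// links from web
    rem pages or e-mail no longer reach helpctr.exe, which closes both attack
    rem avenues named in the story. Side effect: built-in Help and Support
    rem Center links stop working until the key is restored with
    rem     reg import "%BACKUP%"
    reg delete "%KEY%" /f
    if errorlevel 1 (
        echo Could not delete %KEY%; check that this prompt is elevated.
        exit /b 1
    )
    echo hcp: protocol handler unregistered. Backup kept at %BACKUP%
    exit /b 0
    ```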

  • by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday June 15, 2010 @10:25PM (#32586526) Homepage Journal

    It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff.. well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

  • by shird ( 566377 ) on Tuesday June 15, 2010 @10:29PM (#32586552) Homepage Journal

    I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225 [seclists.org]

    From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed Microsoft I would be publishing this advisory in mid August during correspondence (late June) and received no objections."

    For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they backdated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx [microsoft.com]

  • by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday June 15, 2010 @10:47PM (#32586670) Homepage Journal

    So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.

  • Re:Dear Microsoft (Score:2, Interesting)

    by c0lo ( 1497653 ) on Tuesday June 15, 2010 @11:05PM (#32586784)

    Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until the big corps pressured them into a monthly cycle to make the corps' in-house testing easier.

    Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? Also, customers are also to blame because applying a security patch requires a reboot.

  • by MeNeXT ( 200840 ) on Tuesday June 15, 2010 @11:09PM (#32586804)

    You are assuming his system would be safer when in fact it is NOT.

  • by KingMotley ( 944240 ) * on Tuesday June 15, 2010 @11:27PM (#32586890) Journal

    I do believe this proves otherwise. What was a previously unknown bug, not being exploited has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.

  • Re:Dear Microsoft (Score:4, Interesting)

    by b4dc0d3r ( 1268512 ) on Tuesday June 15, 2010 @11:36PM (#32586960)

    I can tell you've been in corp land.

    1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
    2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
    3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
    4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.

    So overall, you would rather Microsoft to hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.

    I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.

    And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

  • by ashridah ( 72567 ) on Tuesday June 15, 2010 @11:59PM (#32587072)

    I wouldn't have been surprised if it was actually one of the ad servers the site uses.

  • Re:Dear Microsoft (Score:5, Interesting)

    by guruevi ( 827432 ) on Wednesday June 16, 2010 @12:16AM (#32587172)

    Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

    Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

  • by BitZtream ( 692029 ) on Wednesday June 16, 2010 @12:30AM (#32587262)

    truly ethical approach to take to protect the consumer;

    So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?

    That has to qualify as one of the most ignorant statements I've ever seen.

  • Re:Dear Microsoft (Score:2, Interesting)

    by victorhooi ( 830021 ) on Wednesday June 16, 2010 @01:37AM (#32587590)

    heya,

    Silly little man.

    Look, full-disclosure has already been proven to be the method that works. Security through obscurity does not. Because what you're essentially saying here is "shhh....there's a flaw, but let's hope we're the only guys in the world that know about it"....oh please...how naive you are.

    Google has already been burnt just recently by Microsoft's shonky security. So in this case, they were probably thinking, gee, whiz, we're about to get hit again...

    Because chances are, if Ormandy found it, somebody else probably did as well. I mean, there are people *actively* looking for these bugs, and hoping to maliciously exploit them. At least this way, people know about it, and can protect themselves - either by shutting down the affected service until Microsoft gets out a patch, or at least staying sharp (e.g. checking logs) for anything that exploits it.

    Doesn't the fact that this exploit was found actually prove the point, that full-disclosure works? I guarantee you, the clowns at Sophos probably wouldn't have found this without the heads-up from Ormandy on the issue.

    Cheers,
    Victor

  • by Todd Knarr ( 15451 ) on Wednesday June 16, 2010 @02:24AM (#32587824) Homepage

    Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him you'd be following. If your enemy won't negotiate, forgo the threats and simply proceed with the plans you made for that contingency.

  • Re:Bullshit (Score:1, Interesting)

    by Anonymous Coward on Wednesday June 16, 2010 @03:15AM (#32588054)

    "my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild"

    I hope Google is not relying on a discontinued operating system for their business operations; it's not like they're amateurs.
    by Anonymous Coward on Wednesday June 16, 2010 @07:46AM (#32589160)

    Where are people getting this shit about MS being unwilling or uninterested in fixing this?

    Quote "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week"

    They told him they would give him a schedule at the end of the week, but somehow he decides before the end of the week that he is gonna release it anyway even though they have told him they will give him a schedule. Tavis has been a complete twat and I hope he gets raked over the coals for it; his behaviour was childish and idiotic and placed millions of users at risk because he had a hard-on and could not wait one more day for the promised release of the schedule to him.

  • by codegen ( 103601 ) on Wednesday June 16, 2010 @07:48AM (#32589168) Journal

    At least you and Ormandy got a response. My group found a security hole in the OSPF router in Windows 2000 Server around 2003. We sent the details in to Microsoft and we never got a response. You would think a security report from the Canadian military would at least rate a "we have received your report and are investigating".
  • by Anonymous Coward on Wednesday June 16, 2010 @08:57AM (#32589542)

    So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

    This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

    Had he kept his mouth shut, your systems would be safer.

    No, they would seem safer, but be less safe.

    You need help with your basic logic.

    Before the Google engineer opened his mouth you may have been vulnerable to one or two very clever hackers. Those very clever hackers probably have a few more tricks in their bag we don’t know about, leaving your computer equally vulnerable to them. But now you are vulnerable to every poser script kiddie that can use copy and paste.

    I think it’s pretty safe to say that more computers on the internet are less safe today thanks to Google.
    I wonder if he was the same Google engineer who was using an old version of flash with IE6 on an un-patched Windows XP box; since he has no regard for security.

  • Re:Bullshit (Score:3, Interesting)

    by commodore64_love ( 1445365 ) on Wednesday June 16, 2010 @09:50AM (#32589938) Journal

    As I said in last week's Google/XP story (which slashdot's search engine can't find for some reason), I have no tears for Microsoft. I've hated them since the 1980s. And not just because I go round hating inanimate objects but because they have produced inferior products that were 5-10 years behind superior products from Atari, Commodore, and Apple. They've also done everything short of murder to eliminate competition (block them from running in Windows 3/4, or sue them in court until they were bankrupted). "Embrace a standard, Extend the standard with MS proprietary features, and then Extinguish our partners" has been their motto since 1990.

    In recent years Microsoft has produced some quality products..... XP (NT 5.x) and Seven (NT 6.1)..... so I'll give them credit for improving but they still have a long way to go. Anything that hurts Microsoft and helps restore competition to the computer marketplace is a positive in my book.

  • Re:Dear Microsoft (Score:3, Interesting)

    by sustik ( 90111 ) on Wednesday June 16, 2010 @10:38AM (#32590406)

    The right thing to do would have been:
    1. Try to negotiate a timeline. When that fails (say in 3-4 days):
    2. Suggest that MS disable the hlp resource locator immediately. When that advice is ignored:
    3. Ultimatum to MS: existence of flaw will be disclosed. Give MS opportunity (2 days) to issue the press release. When that fails to happen:
    4. Warn public of the flaw (no exploit). This will put pressure on MS. (From others too.)
    Give last warning to MS regarding timeline negotiations. If this still does not force MS to cooperate:
    5. Disclose exploit 3 days later.

  • Re:Dear Microsoft (Score:2, Interesting)

    by toxonix ( 1793960 ) on Wednesday June 16, 2010 @12:15PM (#32591396)
    Companies like Microsoft don't allow outside hackers/security experts to set expectations and timelines for them. Any patch has to go through a lot of project management and release delivery coordination, testing etc. Why would the hacker demand satisfaction except for his own publicity and credit? Why would Microsoft oblige him? I certainly wouldn't.
