Miscreants Exploit Google-Outed Windows XP Zero-Day

Posted by kdawson
from the time-to-fix dept.
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"

  • Re:Dear Microsoft (Score:5, Informative)

    by hedwards (940851) on Tuesday June 15, 2010 @10:13PM (#32586428)
    If you read the article, the Google security engineer tried for 5 days to negotiate a fixed timetable for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.
  • by msbhvn (1162657) on Tuesday June 15, 2010 @10:13PM (#32586432)
    According to this tweet: Those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.
  • by hedwards (940851) on Tuesday June 15, 2010 @10:22PM (#32586504)
    Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.
  • by Todd Knarr (15451) on Tuesday June 15, 2010 @10:33PM (#32586578) Homepage

    Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

  • Re:Dear Microsoft (Score:5, Informative)

    by pyrbrand (939860) on Tuesday June 15, 2010 @10:34PM (#32586586)

    You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'

    As far as pushing this to users automatically, people get angry when you break shit without asking them.

  • by jack2000 (1178961) on Tuesday June 15, 2010 @10:34PM (#32586588)
    HA help and support center, I've had that service disabled since I installed this thing long ago! If you try to run anything with the hcp protocol it flat out tells you:

    Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.

    So you can disable that service and be at ease that nothing is going to happen to you or your users.

  • Re:Dear Microsoft (Score:3, Informative)

    by Anonymous Coward on Tuesday June 15, 2010 @11:00PM (#32586746)

    Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch apart and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to a month's worth of public security holes.

  • Re:Dear Microsoft (Score:1, Informative)

    by Anonymous Coward on Tuesday June 15, 2010 @11:00PM (#32586752)

    Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

    Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

    All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

    you mean like here:

  • So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

    This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

    Had he kept his mouth shut, your systems would be safer.

    No, they would seem safer, but be less safe.

  • No they wouldn't be any safer.

    This exploit has been known about in security circles for AGES.

    And MS has had several warnings, one from myself included, about four years ago.

  • Mitigation? (Score:4, Informative)

    by Derek Pomery (2028) on Tuesday June 15, 2010 @11:43PM (#32586998)

    My understanding is that Firefox disables hcp:// by default:
    network.protocol-handler.external.hcp = false

    And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?

  • by Anonymous Coward on Tuesday June 15, 2010 @11:44PM (#32587006)

    Begging the question

    Raising the question

  • Re:Bullshit (Score:3, Informative)

    by poetmatt (793785) on Tuesday June 15, 2010 @11:54PM (#32587046) Journal

    Yes, let's blame the guy who finds the exploit. Clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch Tuesday stuff is prepared in advance, so it's not even remotely an excuse.

  • by vlueboy (1799360) on Wednesday June 16, 2010 @12:13AM (#32587154)

    If the antivirus reported suspicious activity that wasn't stopped, then UAC alone saved you. It is not the first time that the AV fails to "detect" malicious use of scripts, since it has no AI; just authenticating to allow UAC to run the command would have been enough to start the true system-rooting process which may or may not be blocked by the AV depending on what executables are chained to cmd.exe's work.

  • Re:Dear Microsoft (Score:2, Informative)

    by AK Marc (707885) on Wednesday June 16, 2010 @12:34AM (#32587284)
    Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

    He says "I found a critical flaw, when will you fix it?" "Fuck you." "No really, how about 60 days? All you have to do is disable the feature in one of the two patch cycles if you can't actually fix it in that time." "Fuck you." "Hmm, well, will you work with me at all on this?" "Fuck you." Released to the wild.

    How would you handle it? What do you do when you've found problems before and they don't get fixes for a long time, then you find another and you try to get some commitment of when it will be fixed? He knows that if he found it, someone else may already be exploiting it. If Microsoft won't protect their customers by releasing the patch, he'll force them to work faster and it will get the word out to people that they can disable the feature and be more secure.
  • Re:Dear Microsoft (Score:3, Informative)

    by shutdown -p now (807394) on Wednesday June 16, 2010 @12:57AM (#32587414) Journal

    As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.

    However you feel about the action, it was done by a specific Google employee, not by Google as a company. So far as I know, Google itself has not taken any official stance in it, and did not back the disclosure. So let's not get into conspiracy theories here.

  • Re:Dear Microsoft (Score:4, Informative)

    by Your.Master (1088569) on Wednesday June 16, 2010 @12:59AM (#32587424)

    That's not at all what happened. What happened was:

    Tavis: "I found a critical flaw, will you fix it in 60 days?"
    Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday"
    Tavis: "Not good enough". Released to the wild.

    Cite: TFA.

  • by Todd Knarr (15451) on Wednesday June 16, 2010 @02:36AM (#32587876) Homepage

    Article ID: 2219475 - Vulnerability in Help Center could allow remote code execution. The related security advisory was first posted June 10th, and the KB article with the FixIt in it was first referred to on June 11th.

  • Re:Dear Microsoft (Score:4, Informative)

    by rtfa-troll (1340807) on Wednesday June 16, 2010 @04:00AM (#32588212)

    Cite: TFA.

    Except you're lying. TFA, which I've actually read, has only this to say:

    "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"

    Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given.

    "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"

    Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.

    So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.

  • Re:Bullshit (Score:0, Informative)

    by Anonymous Coward on Wednesday June 16, 2010 @05:54AM (#32588688)
    Windows XP will be discontinued on April 8, 2014.
  • Re:Bullshit (Score:2, Informative)

    by 10101001 10101001 (732688) on Wednesday June 16, 2010 @07:24AM (#32589060) Journal

    In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

    Wrong, wrong wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X.

    You do realize when I say "critical part of Windows", I mean in the "and if we remove it now, people might actually stop using our platform", right? IE was pushed as a central place to do all sorts of things and, with the magic of ActiveX (aka COM objects) and protocol handlers, do it relatively easily. Intranet sites heavily exploited that fact and several companies are now hooked on IE6; it was also their goal to have many "Trusted" internet web sites to heavily use ActiveX and be Whitelisted for lock-in there too, but that didn't work out that well except in South Korea. That was very much the reason MS created the whole Zone feature in IE as well as why they're still quite unwilling to give up on the idea.

    I'm so sick of hearing bullshit like that spouted all over the place.

    Yea, well, go complain somewhere else where someone is actually making the argument you're trying to refute.

  • Temporary fix link (Score:2, Informative)

    by Anonymous Coward on Wednesday June 16, 2010 @08:24AM (#32589346)

    I haven't seen anyone link to Microsoft's temporary fix yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.

    One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:

    "Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."

    But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
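
The export-then-delete workaround described in the comment above, written out as a batch script; this is an added example, not part of the thread and not Microsoft's own tooling. It assumes the handler is registered at `HKEY_CLASSES_ROOT\HCP` (the thread does not give the key path, so confirm it against the advisory) and uses a hypothetical backup file name; run it from an administrator command prompt.

```bat
@echo off
setlocal
rem ASSUMPTION: the hcp: handler is registered at HKEY_CLASSES_ROOT\HCP, the
rem usual HKCR\<scheme> location for URL protocols. The thread does not state
rem the path. The backup file name below is hypothetical.
set "HANDLER_KEY=HKEY_CLASSES_ROOT\HCP"
set "BACKUP=%USERPROFILE%\hcp_handler_backup.reg"

rem 1. If the key is already absent there is nothing to unregister.
reg query "%HANDLER_KEY%" >nul 2>&1
if errorlevel 1 goto :absent

rem 2. Never overwrite an earlier backup: it may be the only good copy.
if exist "%BACKUP%" goto :backup_exists

rem 3. Export the key so it can be restored once a real fix is installed.
reg export "%HANDLER_KEY%" "%BACKUP%"
if errorlevel 1 goto :fail
if not exist "%BACKUP%" goto :fail

rem 4. Delete the key, then query again to confirm it is really gone.
reg delete "%HANDLER_KEY%" /f
if errorlevel 1 goto :fail
reg query "%HANDLER_KEY%" >nul 2>&1
if not errorlevel 1 goto :fail

echo hcp: handler unregistered. To restore later: reg import "%BACKUP%"
exit /b 0

:absent
echo hcp: handler is not registered; no change made.
exit /b 0

:backup_exists
echo Backup file already exists: "%BACKUP%". Move it aside and re-run.
exit /b 1

:fail
echo Workaround failed; the hcp: handler may still be registered.
exit /b 1
```

Deleting the key after a verified export, rather than renaming it, leaves no handler registration for the scheme and still gives a one-command restore path.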

  • I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:

    Google leaks that they're moving away from Windows, 'cause it's insecure and its use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.

    I would really like to know who this kind of doublethink hijinks works on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?

  • by Just Some Guy (3352) on Wednesday June 16, 2010 @03:20PM (#32593636) Homepage Journal

    Windows XP is released in dozens of languages with support contracts for all of them

    If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.
