Miscreants Exploit Google-Outed Windows XP Zero-Day 497
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
Dear Microsoft (Score:5, Insightful)
Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.
Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.
All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.
Re:Dear Microsoft (Score:5, Insightful)
Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.
Re:Dear Microsoft (Score:5, Informative)
Bullshit (Score:4, Insightful)
Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publically disclose this vulnerability on day 61, not day 5.
Re:Bullshit (Score:5, Insightful)
its still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.
So far, they sure are silent, aren't they.
Re:Bullshit (Score:5, Insightful)
Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.
Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.
Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.
No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.
Re: (Score:3, Informative)
yes, lets blame the guy who finds the exploit. clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch tuesday stuff is prepared in advance, so it's not even remotely an excuse.
Re: (Score:3, Insightful)
Re:Bullshit (Score:4, Insightful)
It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.
The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.
The fact that the vulnerability was know about for five days, but the vulnerable people were not told put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.
Re: (Score:3, Insightful)
so keeping it secret keeps it safer how exactly? when both the malware developers already know about it and are exploiting it?
Does it make you feel safer?
It sure doesn't give you any real safety.
Before this was disclosed, it may have been well known and exploited already. So how is this any different?
Re:Bullshit (Score:4, Insightful)
No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.
Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS Software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft has definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.
One other reminder from a helpful coward; Security through Obscurity, is no security at all.
A.C.
Re:Bullshit (Score:5, Insightful)
Last I heard, XP still had about 60% market share to Win7's 10%. I'd say that should dictate where their priorities are, seeing as that is where all their customers are.
(Oblig.). If Ford had sold 1 million Focus's which are now being driven, but have now released a new version and sold only a few thousand, which one should be the safety priority? The new one (should have upgraded, you jerks!), or the one which is most used on the road?
Re: (Score:3, Insightful)
Did you expect him to release a patch to uninstall Windows? It is, after all, pretty much a mindset flaw in design that allows for the exploit. In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE. Given that IE is very much an outward facing system, this means that vast parts of Windows which would otherwise be protected with simple secur
Re:Bullshit (Score:5, Insightful)
In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.
How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.
Re: (Score:3, Insightful)
In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.
Wrong, wrong wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X. I'm so sick of hearing bullshit like that spouted all over the place.
Re: (Score:3, Interesting)
As I said in last week's Googe/XP story (which slashdot's search engine can't find for some reason), I have no tears for Microsoft. I've hated them since the 1980s. And not just because I go-round hating inanimate objects but because they have produced inferior products that were 5-10 years behind superior products from Atari, Commodore, and Apple. They've also done everything short of murder to eliminate competition (block them from running in Windows 3/4)(or sue them in court until they were bnakrupte
You bet it's bullshit (Score:3, Informative)
Windows XP is released in dozens of languages with support contracts for all of them
If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.
Re:Bullshit (Score:5, Insightful)
heya,
Gosh, I love it how people here love to applaud Microsoft on their *spectacular* security record, and demonise all those who would dare to challenge that.
Please, Google already got bitten with Microsoft's shonky products and poor security in the past, my guess is that Google/Ormandy felt that they were already at risk from this exploit from malicious people in the wild, so they might as well get it out there, so that at least people could be aware of it. It's a public service, for crying out loud.
Remember, just because Ormandy was the first to publicise the exploit, certainly doesn't mean that he was the first to find it. In fact, statistically, the odds are stacked quite against that. Look, full-disclosure has already been proven to be the method that works. And shonky vendors, who are too lazy to look after their users will try and demonise full-disclosure all they like, but at the end of the day, it just looks like them covering their behinds.
You can come out and be a stupid little prat and insult Ormandy all you want, but at the end of the day, you've done...err...squat? I don't remember seeing any security disclosures published by "hairyfeet". Compare to him, and other security researches, I have a feeling both you and I know squat all. I certainly couldn't have found the exploit, even if I was looking.
At least this way, people *know* about the exploit, and it's visible. Better the devil you know, than the one you don't, and all that. Look, if your computer got hit with a drive-by-exploit, and you *didn't* know about about it, are you honestly telling me you'd be happier? You should be thanking security researchers like this, who shine a light on the swiss cheese that is Microsoft's security (yes, this is Windows XP, so perhaps things have improved. I'm not in a position to comment).
Cheers,
Victor
Re: (Score:3, Insightful)
Re:Bullshit (Score:5, Insightful)
Of course not. He expects them to fix their software. There's a difference. It's not his fault there's a fucking bug. Microsoft doesn't have to deal with "him". They just have to deal with their software.
Re: (Score:3, Insightful)
If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.
If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.
Re:Dear Microsoft (Score:4, Informative)
That's not at all what happened. What happened was:
Tavis: "I found a critical flaw, will you fix it in 60 days?"
Microsoft: "Hmm, we'll take a look and get back to you with a timetable on Friday"
Tavis: "Not good enough". Released to the wild.
Cite: TFA.
Re:Dear Microsoft (Score:4, Informative)
Cite: TFA.
Except you're lying. TFA, which I've actually read, has only this to say :
"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
Re: (Score:3, Insightful)
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.
"I feel you should be able to release
Re: (Score:3, Insightful)
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready.
You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.
In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. rapid dissemination of that solution allows people to stop
Re: (Score:3, Insightful)
That's blackmail.
I do not think that word means what you think it means. He didn't threaten them to achieve gain, his endgame action was of showing his hand , so he's actually gotten rid of his leverage. How exactly do you figure that was an act of blackmail?
When and if my customers' PCs get owned by this, I will blame the exploit discoverer.
This is where your bias and lack of reasoning becomes obvious. The responsibility is always on the one who develops the exploit, or the ones who take advantage of the exploit. Now that you know what to do, if you feel responsible for your customers help them secure
Re: (Score:3, Insightful)
The exploit had remained unknown for nine years
How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?
Re: (Score:3, Interesting)
The right thing to do would have been:
1. Try to negotiate a timeline. When that fails (say in 3-4 days):
2. Suggest MS to disable the hlp resource locator immediately. When that advice is ignored:
3. Ultimatum to MS: existence of flaw will be disclosed. Give MS opportunity (2 days) to issue the press release. When that fails to happen:
4. Warn public of the flaw (no exploit). This will put pressure on MS. (From others too.)
Give last warning to MS regarding timeline negotiations. If this still not forces
Re: (Score:3, Funny)
Cite: TFA.
What is this "TFA" of which you speak?
Re: (Score:3, Insightful)
Since I've been modded down... (Score:5, Insightful)
And I really don't understand why, I'll quote the article
"Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."
So, FULL DISCLOSURE allows the hole to be fixed possibly TWO MONTHS sooner. It effectively forced Microsoft's hand. This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
Like I said, they played chicken and lost (I imagine the fix ended up costing). The "other" security researchers are either doing some really good drugs, or they are sucking Microsoft's teat (and, from the article, at least one of quoted researchers is).
Re: (Score:3, Insightful)
Of course it was fixed two months sooner. It was out in the wild, whereas beforehand it was not.
A security exploit that's readily known is going to be a much higher priority than one that isn't.
Re:Since I've been modded down... (Score:4, Insightful)
This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.
That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.
Users and admins both lose here.
Re: (Score:3, Insightful)
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
That's only true if you think that the timing of the Google engineer's release of the hole and people beginning to exploit it is entirely coincidental. On the other hand if you think there might be a causal link to explain the exploit appearing shortly after he told everyone how to exploit it, admins are in fact more vulnerable now.
And comparing the "response times" is only possible if you think that the two responses - releasing a hotfix that removes functionality and releasing an update that fixes the pro
Re:Dear Microsoft (Score:5, Interesting)
Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.
Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.
Re: (Score:3, Informative)
As the GP post stated, this is more like Google lashing out at MS, which again, is childish and indicates a company that I don't really want to do business with.
However you feel about the action, it was done by a specific Google employer, not by Google as a company. So far as I know, Google itself has not taken any official stance in it, and did not back the disclosure. So let's not get into conspiracy theories here.
Re: (Score:3, Insightful)
Back in 'Computer Science 101' we spent a lot of time doing 'internal testing' and 'external testing' of our programs. When done correctly you are 100% guaranteed that the program does exactly what it is supposed to do
Wow... just... wow. I take it you're now in upper-level management? Yes, for *very* small programs, that do *very* little, this is feasible. But when you get to real programs of real world size, this is simply not done (unless you work for NASA).
You came close to hitting the nail on the head with "just don't care enough to allocate the time" -- since I sincerely doubt their customers would care to pay $50,000+ per copy of Windows, and sacrifice the performance, features, and decade(s)-long delays that wo
Re:Dear Microsoft (Score:5, Interesting)
Re: (Score:2)
I hope you realize Patch Tuesday wasn't Microsoft's idea. Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until they the big corps pressured them into a monthly cycle to make the corps in house testing easier.
Re:Dear Microsoft (Score:5, Insightful)
Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.
Re: (Score:2)
Whether it's their idea or not, it's a horrible idea
But at the end of the day, if the customers ask for it, you give it to them. I have worked in corp land, and honestly i can fully understand it, having to do full testing cycles to ensure it won't impact on current workflows, take workstations offline or softwares used by the staff. Depending on the amount of software / image types you have, this can take 1-2 weeks, having to start a testing cycle everyday increases the man hours needed to insane amounts. In the end, when a cycle like that patches that aren
Re:Dear Microsoft (Score:4, Insightful)
Whether it's their idea or not, it's a horrible idea
But at the end of the day, if the customers ask for it, you give it to them.
But like he said, just give them a tool that ques up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them, holding back grandma's critical updates likely does more harm than good.
Re:Dear Microsoft (Score:5, Insightful)
The issue is that the bad guys reverse engineer the patches as they come and then they target the unpatched systems immediately. Hence it's better to release the patch es as a bundle on a single day.
Re: (Score:2)
Re: (Score:3, Informative)
Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch apart and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to month worth of public security holes.
Re:Dear Microsoft (Score:5, Insightful)
But that's their choice.
If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.
Everybody else should have the option of installing the updates as soon as they're finished.
But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.
Re:Dear Microsoft (Score:4, Interesting)
I can tell you've been in corp land.
1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.
So overall, you would rather Microsoft to hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.
I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.
And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?
Re: (Score:2)
Re: (Score:2)
Well they do have a tool to allow corporations to decide when to push patches - WSUS. And any organisation large or savvy enough to be testing patches before deploying them to workstations is going to be using it.
I think the reason for the Patch Tuesday release is to avoid disclosing the vulnerability to all and sundry. Otherwise, if the company doesn't want /to cannot test and deploy patches whenever they get released, there's going to be a period of time during which they have a vulnerability which is no
Re: (Score:2)
I think you are missing the reasoning. They already have a tool for it. WSUS server. It works great and they can roll out whatever patches they want, when ever they want easily.
A big corp may have thousands of in-house apps, or specialty apps. They need to test those against any new patches MS rolls out so the new patch doesn't break critical things and cause them mega dollars in downtime. If MS releases a patch Monday they start up their testing scheme, which may take a few weeks to run if they have th
Re: (Score:2, Interesting)
Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until they the big corps pressured them into a monthly cycle to make the corps in house testing easier.
Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? Also, customers are also to blame because applying a security patch requires a reboot.
Re:Dear Microsoft (Score:5, Informative)
You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'
As far as pushing this to users automatically, people get angry when you break shit without asking them.
Re: (Score:2)
huh? it's a security flaw that is being exploited in the wild.. pushing out hotfixes for stuff like that is what Windows Update is for.
Re: (Score:3, Insightful)
Easy to say.
But Win XP has a global market share of 63%. Something like 500 million users - at all skill levels.
What happens to them when you disable part of the help system?
Re: (Score:3, Insightful)
I think you're oversimplifying.
.
On getting notified of the issue, MS would have to make an assessment -- how many systems have the feature, how often is this feature used, how complicated would it be to develop an exploit, is there currently an exploit in the wild, what is the result of the exploit (data loss, denial of service, admin access, etc.), are there any mitigating factors, how much time would it take to develop a fix, how much time would it take to test the fix, etc. Rolling back a second -- the
Nice quote. (Score:5, Funny)
Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.
Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."
Re: (Score:2)
Unbelieviable (Score:3, Funny)
Let me get this straight... (Score:4, Funny)
5 days spent trying to get a fix within 60 days (Score:3, Informative)
Re: (Score:3, Interesting)
Yeah, he's not nearly as mean as I would be. I would demand actual action within that 5 days.. including pushing out a patch to disable the vulnerable code.
Re:5 days spent trying to get a fix within 60 days (Score:5, Interesting)
I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225 [seclists.org]
From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
Microsoft I would be publishing this advisory in mid August during
correspondance (late June) and received no objections."
For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they back dated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx [microsoft.com]
Re: (Score:3, Interesting)
Re: (Score:2)
Then give MS an ultimatum that you'll release the exploit in 60 days if they ignore it. It gives you the same result you were looking for and reduces the chance of a wild exploit.
Giving them 5 days to set a priority on an exploit when they have to deal with hundreds, if not thousands of exploit reports per patch cycle, then releasing exploit code because you didn't like the answer they gave you is not helping your case, Microsoft, or the internet for that matter.
Re: (Score:3, Interesting)
Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him
JUNE 15th... (Score:4, Funny)
Microsoft: are you pleased with yourself? (Score:3, Insightful)
This is a question that should really be asked of Microsoft
Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.
He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?
If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 a day (in shifts, of course, around the world, in according with their timezones' ordinary business hours), then why not?
Re:Microsoft: are you pleased with yourself? (Score:4, Interesting)
It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff.. well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.
Re:Microsoft: are you pleased with yourself? (Score:5, Informative)
Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.
The elephant in the room (Score:5, Funny)
Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.
Begging the question: was it Slashdot?
[/humor]
Re:The elephant in the room (Score:5, Insightful)
Begging the question: was it Slashdot?
No, it was a site dedicated to open source software, not poorly edited sensationalistic articles and tired jokes.
hcp protocol (Score:5, Interesting)
I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).
I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there could have been a bug in, I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.
Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.
Yeah... (Score:4, Insightful)
NOT zero day attack. (Score:5, Insightful)
Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.
Ormandy did excercise responsible disclosure (Score:5, Insightful)
Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.
Re:Ormandy did excercise responsible disclosure (Score:4, Interesting)
you are assuming his system would be safer when in fact it is NOT.
Re:Ormandy did excercise responsible disclosure (Score:5, Informative)
So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS
This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.
Had he kept his mouth shut, your systems would be safer.
No, they would seem safer, but be less safe.
Re: (Score:3, Informative)
No they wouldn't be any safer.
This exploit has been known about in security circles for AGES.
And MS has had several warnings, one from myself included, about four years ago.
Re:Ormandy did excercise responsible disclosure (Score:4, Funny)
I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...
I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...
I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...
I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...
Re:Ormandy did excercise responsible disclosure (Score:5, Insightful)
Yes, Microsoft's rules for "responsible disclosure" are undoubtably "Don't mention this to anybody. Ideally including us. Just shut up and ignore the problem.". But that's not the definition of responsible disclosure the rest of us use, and Microsoft isn't the one who sets the rules for the rest of us. Unless Microsoft can pull out a signed contract where Ormandy agreed to abide by their rules, and I doubt they can.
Re:Ormandy did excercise responsible disclosure (Score:4, Informative)
Article ID: 2219475 - Vulnerability in Help Center could allow remote code execution [microsoft.com]. The related security advisory was first posted June 10th, and the KB article with the FixIt in it was first referred to on June 11th.
Services.msc, use it! (Score:5, Informative)
Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.
So you can disable that service and be at east that nothing is going to happen to you or your users.
Re: (Score:3, Interesting)
So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.
Re: (Score:2)
MicroSilly (Score:2, Insightful)
Well, I'm not Tavis (Score:2)
Of course, I might also be "pleased with myself" if my employer had a policy of huge bonuses for published zero day exploits. I dunno whether this happens or not, just sayin' I'd be very pleased to get such a bonus, and would work quite hard to try to get another
Mitigation? (Score:4, Informative)
My understanding is that Firefox disables hcp:// by default:
network.protocol-handler.external.hcp = false
And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?
Dear Ford Owner (Score:3, Insightful)
I've just found a way of easily opening and starting your Ford using common household tools.
I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.
No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.
If your Ford gets being stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.
Fair enough?
This is a big "Told You So" (Score:3, Informative)
I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:
http://news.cnet.com/8301-30684_3-20006509-265.html [cnet.com]
Google leaks that they're moving away from Windows, cause it's insecure and it's use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.
I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?
Re: (Score:3, Interesting)
The bad guys have been using the flaw for years.. it's just the bottom feeders who are allowed by the cartel to have a go now.
5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.
Re:The bad guys thank you Tavis. (Score:5, Informative)
Re:The bad guys thank you Tavis. (Score:5, Insightful)
Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.
Re:The bad guys thank you Tavis. (Score:5, Insightful)
It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.
Re: (Score:3, Interesting)
So let me get this straight ... what you're saying is ... handing out guns to every random passer-by is a good way to teach gun safety and prevent murder by shooting?
That has to qualify as one of the most ignorant statements I've ever seen.
Re: (Score:3, Insightful)
I'm not sure the analogy is a good one.
This isn't cars (sorry), but this is how I see it: if your city tap water was discovered to have a high amount of lead in it in the latest round of tests, what would you do? Tell everyone "Hey, there's probably lead in your water, you should make sure you filter it or use bottled water for the next week until we get our filtration systems fixed." or do you wait a month and test the systems again and see if there is still lead before issuing a statement?
The only people
Re: (Score:3, Insightful)
It only seems contradictory for people who don't understand the meaning and implication of true full disclosure. Everyone else understands how security through obscurity rips of the consumers and transparency is the only thing that allows users to have the information they need to make optimal decisions about what software to buy.
Re:This is classic Tavis. (Score:4, Insightful)
The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.
Re: (Score:3, Interesting)
I do believe this proves otherwise. What was a previously unknown bug, not being exploited has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.
Re:This is classic Tavis. (Score:5, Insightful)
You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.
Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption, the only safe assumption is to assume that you are not the first to find it, and the only way to minimalize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.
Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.
Re: (Score:3, Interesting)
I wouldn't have been surprised if it was actually one of the ad servers the site uses.