Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Google Microsoft IT

Miscreants Exploit Google-Outed Windows XP Zero-Day 497

CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
This discussion has been archived. No new comments can be posted.

Miscreants Exploit Google-Outed Windows XP Zero-Day

Comments Filter:
  • Dear Microsoft (Score:5, Insightful)

    by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday June 15, 2010 @08:56PM (#32586328) Homepage Journal

    Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

    Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

    All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

    • Re:Dear Microsoft (Score:5, Insightful)

      by Entrope ( 68843 ) on Tuesday June 15, 2010 @09:05PM (#32586380) Homepage

      Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

      • Re:Dear Microsoft (Score:5, Informative)

        by hedwards ( 940851 ) on Tuesday June 15, 2010 @09:13PM (#32586428)
        If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.
        • Bullshit (Score:4, Insightful)

          by Anonymous Coward on Tuesday June 15, 2010 @10:08PM (#32586800)

          Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publically disclose this vulnerability on day 61, not day 5.

          • Re:Bullshit (Score:5, Insightful)

            by poetmatt ( 793785 ) on Tuesday June 15, 2010 @10:27PM (#32586892) Journal

            its still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

            So far, they sure are silent, aren't they.

            • Re:Bullshit (Score:5, Insightful)

              by Anpheus ( 908711 ) on Tuesday June 15, 2010 @10:36PM (#32586964)

              Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

              Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

              Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

              No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

              • Re: (Score:3, Informative)

                by poetmatt ( 793785 )

                yes, lets blame the guy who finds the exploit. clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch tuesday stuff is prepared in advance, so it's not even remotely an excuse.

                • Re: (Score:3, Insightful)

                  by logjon ( 1411219 )
                  It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.
                  • Re:Bullshit (Score:4, Insightful)

                    by rtfa-troll ( 1340807 ) on Wednesday June 16, 2010 @01:39AM (#32587888)

                    It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.

                    The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.

                    The fact that the vulnerability was know about for five days, but the vulnerable people were not told put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.

              • Re:Bullshit (Score:4, Insightful)

                by Anonymous Coward on Wednesday June 16, 2010 @12:16AM (#32587502)

                No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

                Yes. Yes there is. Remember, this is Microsoft. If they actually cared, they could release a patch in hours, not days. But it isn't that high of a priority. With FOSS Software, it is often a part time project. But time is still made to fix bugs. On the other hand, Microsoft has definitely has the resources to deal with this. Normally however, they don't need to. Microsoft will just sit on bugs because it doesn't become their top priority as soon as it is verified, like such a bug should. Once on the general Web though, it does. I, for one, support full and immediate disclosure for this reason. Remember, just because Ormandy was the first to publish the vulnerability, doesn't mean he was the first to discover it, TYVM.

                One other reminder from a helpful coward; Security through Obscurity, is no security at all.

                A.C.

              • Re: (Score:3, Insightful)

                ... and he then went on to release a hotfix which didn't actually fix the bug.

                Did you expect him to release a patch to uninstall Windows? It is, after all, pretty much a mindset flaw in design that allows for the exploit. In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE. Given that IE is very much an outward facing system, this means that vast parts of Windows which would otherwise be protected with simple secur

                • Re:Bullshit (Score:5, Insightful)

                  by drsmithy ( 35869 ) <drsmithy@gm[ ].com ['ail' in gap]> on Wednesday June 16, 2010 @02:57AM (#32588200)

                  In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

                  How is using HTML for documentation "shoehorning" ? A help system is pretty much a textbook example of where hyperlinking is a good idea.

                • Re: (Score:3, Insightful)

                  by Kalriath ( 849904 )

                  In an effort to make the IE a critical part of Windows, all sorts of components of Windows (like the help system) have been shoehorned into IE.

                  Wrong, wrong wrong. Trident is the component that renders HTML content (like HTML help) and that's as integrated into the system as KHTML is to KDE, and WebKit is to Mac OS X. I'm so sick of hearing bullshit like that spouted all over the place.

              • Re: (Score:3, Interesting)

                As I said in last week's Googe/XP story (which slashdot's search engine can't find for some reason), I have no tears for Microsoft. I've hated them since the 1980s. And not just because I go-round hating inanimate objects but because they have produced inferior products that were 5-10 years behind superior products from Atari, Commodore, and Apple. They've also done everything short of murder to eliminate competition (block them from running in Windows 3/4)(or sue them in court until they were bnakrupte

              • Windows XP is released in dozens of languages with support contracts for all of them

                If the regression tests for the American English version of XP don't cover the Brazilian version of XP, then the system is hopelessly broken and the whole thing should be thrown away. Unless the bug involves some string handling function in the locale libraries, it shouldn't be harder to test 15,000 different language releases than it would be to test just one.

        • Re: (Score:3, Insightful)

          by williamhb ( 758070 )

          If you read the article, the Google security engineer tried for 5 days to negotiate a fixed time table for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

          If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

        • Re:Dear Microsoft (Score:5, Interesting)

          by guruevi ( 827432 ) on Tuesday June 15, 2010 @11:16PM (#32587172)

          Reminds me of a flaw one of my co-workers once found in IIS with ASP.NET. A site on a shared hosting environment could 'root' the IIS service and control all other sites and applications running within IIS even if the configuration had separated them. He reported it but it didn't get fixed for years (it might still not be). He didn't want to publish it though because the company was a Microsoft Gold Partner and both he and the company had a very symbiotic relationship with Microsoft and Microsoft likes to gag everyone in those partnerships that dares to speak against them.

          Microsoft will not fix obscure problems even if you report it to them - they must be living on a huge database of reported issues that could potentially ruin their customers. That's both the benefit and the drawbacks of closed source - nobody will know the problem exists but nobody will be around to fix it either.

    • Re:Dear Microsoft (Score:5, Interesting)

      by hedwards ( 940851 ) on Tuesday June 15, 2010 @09:06PM (#32586396)
      That's the thing MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until patch Tuesday and hope that nobody notices till then.
      • I hope you realize Patch Tuesday wasn't Microsoft's idea. Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until they the big corps pressured them into a monthly cycle to make the corps in house testing easier.

        • Re:Dear Microsoft (Score:5, Insightful)

          by hedwards ( 940851 ) on Tuesday June 15, 2010 @09:20PM (#32586482)
          Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finish, as in finished and received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is it's terribly irresponsible.

          Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.
          • Whether it's their idea or not, it's a horrible idea

            But at the end of the day, if the customers ask for it, you give it to them. I have worked in corp land, and honestly i can fully understand it, having to do full testing cycles to ensure it won't impact on current workflows, take workstations offline or softwares used by the staff. Depending on the amount of software / image types you have, this can take 1-2 weeks, having to start a testing cycle everyday increases the man hours needed to insane amounts. In the end, when a cycle like that patches that aren

            • Re:Dear Microsoft (Score:4, Insightful)

              by ArbitraryDescriptor ( 1257752 ) on Tuesday June 15, 2010 @09:48PM (#32586680)

              Whether it's their idea or not, it's a horrible idea

              But at the end of the day, if the customers ask for it, you give it to them.

              But like he said, just give them a tool that ques up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them, holding back grandma's critical updates likely does more harm than good.

            • by tsm_sf ( 545316 )
              What's the difference between waiting a week in-house and waiting a week for Microsoft?
              • Re: (Score:3, Informative)

                by Anonymous Coward

                Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch apart and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to month worth of public security holes.

                • Re:Dear Microsoft (Score:5, Insightful)

                  by cbiltcliffe ( 186293 ) on Tuesday June 15, 2010 @10:31PM (#32586928) Homepage Journal

                  But that's their choice.
                  If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

                  Everybody else should have the option of installing the updates as soon as they're finished.

                  But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

            • Re:Dear Microsoft (Score:4, Interesting)

              by b4dc0d3r ( 1268512 ) on Tuesday June 15, 2010 @10:36PM (#32586960)

              I can tell you've been in corp land.

              1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
              2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
              3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
              4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.

              So overall, you would rather Microsoft to hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.

              I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.

              And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

          • Actually, MS has a nice thing called Microsoft Supplimental Update Services (basically allowed admins to set up a server to act as a local repository for all things MS Patch related). Having set up a few in my time, it was really handy for testing on small groups (I actually had set it up to do initial pushes to techs and sys admins first, then IT department, and wouldn't authorize patches for everyone else until I was satisfied that the patches wouldn't bork everything). It was also nice since you could
          • Well they do have a tool to allow corporations to decide when to push patches - WSUS. And any organisation large or savvy enough to be testing patches before deploying them to workstations is going to be using it.

            I think the reason for the Patch Tuesday release is to avoid disclosing the vulnerability to all and sundry. Otherwise, if the company doesn't want /to cannot test and deploy patches whenever they get released, there's going to be a period of time during which they have a vulnerability which is no

          • I think you are missing the reasoning. They already have a tool for it. WSUS server. It works great and they can roll out whatever patches they want, when ever they want easily.

            A big corp may have thousands of in-house apps, or specialty apps. They need to test those against any new patches MS rolls out so the new patch doesn't break critical things and cause them mega dollars in downtime. If MS releases a patch Monday they start up their testing scheme, which may take a few weeks to run if they have th

        • Re: (Score:2, Interesting)

          by c0lo ( 1497653 )

          Their big corporate clients asked/insisted for it. MS released patches (sometimes one day after the other) for decades until they the big corps pressured them into a monthly cycle to make the corps in house testing easier.

          Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? Also, customers are also to blame because applying a security patch requires a reboot.

    • Re:Dear Microsoft (Score:5, Informative)

      by pyrbrand ( 939860 ) on Tuesday June 15, 2010 @09:34PM (#32586586)

      You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'

      As far as pushing this to users automatically, people get angry when you break shit without asking them.

      • by QuantumG ( 50515 ) *

        huh? it's a security flaw that is being exploited in the wild.. pushing out hotfixes for stuff like that is what Windows Update is for.

    • Re: (Score:3, Insightful)

      by westlake ( 615356 )
      Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

      Easy to say.

      But Win XP has a global market share of 63%. Something like 500 million users - at all skill levels.

      What happens to them when you disable part of the help system?

    • Re: (Score:3, Insightful)

      by dhavleak ( 912889 )

      I think you're oversimplifying.
      .

      On getting notified of the issue, MS would have to make an assessment -- how many systems have the feature, how often is this feature used, how complicated would it be to develop an exploit, is there currently an exploit in the wild, what is the result of the exploit (data loss, denial of service, admin access, etc.), are there any mitigating factors, how much time would it take to develop a fix, how much time would it take to test the fix, etc. Rolling back a second -- the

  • Nice quote. (Score:5, Funny)

    by ArbitraryDescriptor ( 1257752 ) on Tuesday June 15, 2010 @09:01PM (#32586358)

    Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.

    Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."

    • He's right about that. If they do that then they'll never get onto that nasty virus infested interweb I keep hearing about. Seeing as most OSes have relied upon the open source TCP/IP stack from BSD and a significant portion of websites are served via the likes of Apache and similar open source programs.
  • by Jean-Luc Picard ( 1525351 ) on Tuesday June 15, 2010 @09:07PM (#32586400)
    A security flaw being exploited, via the Internet no less ! I am shocked and outraged ! /s
  • by pem ( 1013437 ) on Tuesday June 15, 2010 @09:12PM (#32586422)
    Google is supposed to learn morals from Microsoft and its toadies?
  • by msbhvn ( 1162657 ) on Tuesday June 15, 2010 @09:13PM (#32586432)
    According to this tweet: http://twitter.com/taviso/status/16005411316 [twitter.com] Those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.
    • Re: (Score:3, Interesting)

      by QuantumG ( 50515 ) *

      Yeah, he's not nearly as mean as I would be. I would demand actual action within that 5 days.. including pushing out a patch to disable the vulnerable code.

    • by shird ( 566377 ) on Tuesday June 15, 2010 @09:29PM (#32586552) Homepage Journal

      I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225 [seclists.org]

      From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
      Microsoft I would be publishing this advisory in mid August during
      correspondance (late June) and received no objections."

      For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they back dated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx [microsoft.com]

      • Re: (Score:3, Interesting)

        by codegen ( 103601 )
        At least You and Ormandy got a response. My group found a security hole in the OSPF router in Windows 2000 Server around 2003. We sent the details into Microsoft and we never got a response. You would think a security report from the Canadian military would at least rate a "we have received your report and are investigating"
    • Then give MS an ultimatum that you'll release the exploit in 60 days if they ignore it. It gives you the same result you were looking for and reduces the chance of a wild exploit.

      Giving them 5 days to set a priority on an exploit when they have to deal with hundreds, if not thousands of exploit reports per patch cycle, then releasing exploit code because you didn't like the answer they gave you is not helping your case, Microsoft, or the internet for that matter.

      • Re: (Score:3, Interesting)

        by Todd Knarr ( 15451 )

        Right. They've already made their position clear by refusing to even discuss when they'll be fixing it. Give them 60 days and they'll probably simply arrange for a nice smear campaign about how you're trying to use the vulnerability to extort them. First rule of tactics: never ever tell your enemy what you plan to do and then turn around and give him time to organize a reaction to your plans. The only thing that gets you is jumped from behind by the ambushes your enemy's set up along the route you told him

  • by mbeckman ( 645148 ) on Tuesday June 15, 2010 @09:15PM (#32586442)
    A day that will live in Ormandy.
  • by mrsam ( 12205 ) on Tuesday June 15, 2010 @09:15PM (#32586448) Homepage

    This is a question that should really be asked of Microsoft

    Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a rube-goldbergian monster of an operating system. An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.

    He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?

    If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 a day (in shifts, of course, around the world, in according with their timezones' ordinary business hours), then why not?

    • by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday June 15, 2010 @09:25PM (#32586526) Homepage Journal

      It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff.. well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

    • by Todd Knarr ( 15451 ) on Tuesday June 15, 2010 @09:33PM (#32586578) Homepage

      Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

  • by Ironchew ( 1069966 ) on Tuesday June 15, 2010 @09:18PM (#32586474)

    Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.

    Begging the question: was it Slashdot?
    [/humor]

  • hcp protocol (Score:5, Interesting)

    by shird ( 566377 ) on Tuesday June 15, 2010 @09:21PM (#32586488) Homepage Journal

    I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

    I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There was heaps of code there could have been a bug in, I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

    Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

  • Yeah... (Score:4, Insightful)

    by Greyfox ( 87712 ) on Tuesday June 15, 2010 @09:24PM (#32586522) Homepage Journal
    Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.
  • by slashkitty ( 21637 ) on Tuesday June 15, 2010 @09:25PM (#32586534) Homepage
    This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

    Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

  • by Todd Knarr ( 15451 ) on Tuesday June 15, 2010 @09:26PM (#32586536) Homepage

    Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

  • by jack2000 ( 1178961 ) on Tuesday June 15, 2010 @09:34PM (#32586588)
    HA help and support center, i've had that service disabled since i installed this thing long ago! If you try to run anything with the hcp protocol it flatout tells you:

    Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.

    So you can disable that service and be at east that nothing is going to happen to you or your users.

    • Re: (Score:3, Interesting)

      by QuantumG ( 50515 ) *

      So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.

      • not something Microsoft would want to do, even though the Help and support center is of questionable use. That's why i disabled it in the first place.
  • MicroSilly (Score:2, Insightful)

    BUYER be Aware. Is that enough said? Oh well it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as Stupid does". Peace Yall.
  • but if I had done what he did (negotiated diligently yet fruitlessly with MS for five days), I would probably reserve judgment for whether or not I was "pleased with myself" until I saw how Microsoft acted when they received my next bug report...

    Of course, I might also be "pleased with myself" if my employer had a policy of huge bonuses for published zero day exploits. I dunno whether this happens or not, just sayin' I'd be very pleased to get such a bonus, and would work quite hard to try to get another

  • Mitigation? (Score:4, Informative)

    by Derek Pomery ( 2028 ) on Tuesday June 15, 2010 @10:43PM (#32586998)

    My understanding is that Firefox disables hcp:// by default:
    network.protocol-handler.external.hcp = false

    And since the only other demo I saw in code was using Windows Media Player plugin which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Addons?

  • Dear Ford Owner (Score:3, Insightful)

    by Rogerborg ( 306625 ) on Wednesday June 16, 2010 @05:47AM (#32588910) Homepage

    I've just found a way of easily opening and starting your Ford using common household tools.

    I'd love to tell you how it's done so that you can take measures to protect yourself, but you know, it would be irresponsible of me to give you that information.

    No, the responsible thing to do is to let Ford know, secretly, and give them as much time as they need to investigate it and issue a recall to fix the problem. If they feel like admitting to it. And if they don't, I'll keep quiet indefinitely, just in case I'm the only person in the world who can figure it out, ever.

    If your Ford gets being stolen in the meantime because someone else figured it out, or already knew, then that's just an acceptable consequence of my responsibility, which is apparently to Ford, the company that created the problem in the first place and profited by selling a defective product, not to you, Ford's customer, the victim.

    Fair enough?

  • by Johnny Mnemonic ( 176043 ) <mdinsmore@@@gmail...com> on Wednesday June 16, 2010 @12:07PM (#32591960) Homepage Journal

    I haven't seen the context of this exploit-discovery-and-release mentioned. Lest we all forget:

    http://news.cnet.com/8301-30684_3-20006509-265.html [cnet.com]

    Google leaks that they're moving away from Windows, cause it's insecure and it's use got them hacked by the Chinese. Microsoft says "Bah! We're more secure than anyone, we rock!". So Google publicly demonstrates evidence to the contrary that proves their point, and makes Microsoft look bizarrely incompetent. Microsoft responds by accusing Google of having the audacity to call their bluff.

    I would really like to know who this kind of doublethink hijinks work on. Doesn't Microsoft know that we form our own opinions based on information that we can get anywhere?

Keep up the good work! But please don't ask me to help.

Working...