Google Researcher Issues How-To On Attacking XP

timothy posted more than 4 years ago | from the now-get-to-the-next-phone-booth dept.

Google 348

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

I Don't Think Zero-Day Means What You Think (5, Informative)

eldavojohn (898314) | more than 4 years ago | (#32533736)

exploits a zero-day vulnerability

Zero-Day [wikipedia.org] would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.

Re:I Don't Think Zero-Day Means What You Think (3, Interesting)

Jurily (900488) | more than 4 years ago | (#32533782)

Thank you so much. I'm sick and tired of every fucking bug labeled as "zero-day". Especially considering the fact that the bug itself may have been around for years.

Re:I Don't Think Zero-Day Means What You Think (5, Funny)

Anonymous Coward | more than 4 years ago | (#32533904)

we all know the bug has been around for years, a lot of people use it as their primary operating system

Re:I Don't Think Zero-Day Means What You Think (1, Troll)

SuperDre (982372) | more than 4 years ago | (#32534246)

That's not true, only a few people use Linux or OS-X as their primary operating system...

Re:I Don't Think Zero-Day Means What You Think (0)

Anonymous Coward | more than 4 years ago | (#32534220)

Wrong. Zero-Day refers to the amount of time system administrators have had to patch their systems against the exploit. This will remain a Zero-Day exploit until the day Microsoft releases a patch for it, after which administrators can be expected to have secured their systems.

Re:I Don't Think Zero-Day Means What You Think (3, Insightful)

dieth (951868) | more than 4 years ago | (#32534298)

Wrong again, Zero-day refers to the amount of time that the bug/vulnerability has been disclosed to the public, not patch. It is still possible to secure your system with just the knowledge of how the attack is reaching you.

Re:I Don't Think Zero-Day Means What You Think (1, Interesting)

ircmaxell (1117387) | more than 4 years ago | (#32533846)

I've always understood (I know the "definition", but it seems like a lot of people use mine) a Zero-Day as an attack that requires no action by the victim. So a flaw in Apache that allowed a remote user to execute code with a malformed HTTP request would by very definition be a Zero-Day. I know that's not the "official" definition, but based on what a lot of people call a Zero-Day, it seems that I'm not the only one with that idea...

Re:I Don't Think Zero-Day Means What You Think (0)

Anonymous Coward | more than 4 years ago | (#32533900)

Just because enough people say it, it becomes an unofficial definition. Like "hacker". These kinds of definitions are not much use for actual analysis. They are for shit-spreading and sounding scary. You can either contribute to that or you can use something that is actually precise.

Zero days notice (4, Insightful)

RulerOf (975607) | more than 4 years ago | (#32533954)

I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."

It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

Re:Zero days notice (2, Insightful)

bsDaemon (87307) | more than 4 years ago | (#32534084)

I always assumed it to mean that the day the software is released, an exploit is found -- kind of like a zero-day crack to pirate software. Apparently I was wrong, and it means whatever the article author needs it to mean in order to sound as bad and scary as possible like "z0mg! we have zero days before the end of the world!"

Re:Zero days notice (5, Informative)

drinkypoo (153816) | more than 4 years ago | (#32534240)

I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

No, it's the time between public disclosure of the vulnerability and the time when the exploit is released. When you hear about it or when you see it is quite irrelevant.

It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

Yes, as demonstrated by your comment. Zero-day cracks are cracks which come out on the release date, and Zero-day exploits are exploits which exist in the wild (whether you have detected them or not) the same day as the disclosure.

Re:I Don't Think Zero-Day Means What You Think (2, Insightful)

richlv (778496) | more than 4 years ago | (#32534018)

i'm sorry, but that's the first time when i hear such a definition, and i'm sorry again, but it's completely silly.
what's the "zero" in there, what's the "day" ?

two definitions that at least make sense -
* vendor had no time to patch it;
* there was no public information beforehand.

these are a bit similar, as you just redefine who had or had not information on the problem.

Re:I Don't Think Zero-Day Means What You Think (0)

Anonymous Coward | more than 4 years ago | (#32534410)

I've been in software security for almost 15 years and I've never heard your definition. FWIW, zero-day means that the vulnerability is being actively exploited in the wild on the day the developers/system owners become aware of it. People have now taken to using the term to mean the first day any vulnerability is released, but that is not how the term was originally used.

Re:I Don't Think Zero-Day Means What You Think (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32533874)

What a pointless remark :-\

Re:I Don't Think Zero-Day Means What You Think (1)

DrgnDancer (137700) | more than 4 years ago | (#32534278)

Now see I always read "Zero Day" as being a vulnerability that was either not found until it was exploited in the wild, or released before the vendor had a patch in place. In other words the vendor has "zero days" in which to patch the bug before it is or could potentially be exploited. Strictly speaking this bug would only qualify as "Zero Day" if the guy had released it publicly before or at the same time as he notified Microsoft; but an argument can be made that since there isn't yet a patch, and the vulnerability is in the wild, MS still has "zero days" to react. Regardless, much as I dislike Microsoft this was an asshole thing to do. He knows they release major patches on "Patch Tuesday", at least give them that long to fix it. As one analyst pointed out, he's hurting his company's customers nearly as much as he's hurting Microsoft.

War (2, Insightful)

Thanshin (1188877) | more than 4 years ago | (#32533758)

The classic "selling cheap weapons to the neighbouring country".

You can use it too. Instead of smearing your competitor for a raise, give his secrets to one of his subordinates.

hmm (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32533766)

2nd post?

Negative. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32533770)

He waited five days without even receiving a response from MS. I'd have done the same thing he did.

Re:Negative. (0)

Anonymous Coward | more than 4 years ago | (#32533854)

Citation needed, I read the article and couldn't find that.

Re:Negative. (1, Offtopic)

armanox (826486) | more than 4 years ago | (#32533982)

"Ormandy admitted that he reported the vulnerability to Microsoft only five days ago -- on Saturday, June 5 -- but said he decided to go public because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis."

Re:Negative. (4, Insightful)

SanityInAnarchy (655584) | more than 4 years ago | (#32533984)

Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day.

So they did respond. They just didn't fix it in five days:

Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

That's what he was complaining about, and I think it's a legitimate complaint.

Re:Negative. (1)

skgrey (1412883) | more than 4 years ago | (#32534164)

Confirming receipt of the report sounds like "yes, we got your email of the report". I believe what we are looking for is if Microsoft provided any information (timeframe, severity, anything), so the point is still open. The fact that this article and every article I've read on it has not said anything about Microsoft giving some info is smoking-gunnish that it didn't happen. Still, until there's a credible source the question is still out there.

Grow up (0, Troll)

Shivetya (243324) | more than 4 years ago | (#32534314)

Sorry, just because your arbitrary deadline has passed does not give you the right to aid others in harming others' computers.

Even the summary needs help here, I really get the impression of a bunch of immature know-it-alls, of which that developer is one. Damn, if I didn't have to put up with this during with five year olds running around...

I warned you!!!! I warned you I was going to do it!!!! See it's all your fault.

Do no evil (1, Insightful)

+Addict-09+ (239664) | more than 4 years ago | (#32533774)

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

Re:Do no evil (0, Troll)

1s44c (552956) | more than 4 years ago | (#32533818)

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

That depends on how you look at it. It's not like this is the one and only zero day bug that has ever been found in a Microsoft product. Perhaps a bit of public embarrassment from a competitor will prompt Microsoft to do a few more checks on their code.

In the big scheme Windows holes are so common that unless Google is releasing 20 a day with quick and easy tools to help people use them this makes no difference at all.

Re:Do no evil (0)

Anonymous Coward | more than 4 years ago | (#32533988)

It's not a zero day bug. RTFS!

Re:Do no evil (2)

Midnight's Shadow (1517137) | more than 4 years ago | (#32533866)

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

I don't know about that. MS could have really used this to their advantage - 'We praise Google in finding and releasing this exploit of our windows XP OS. This is just another example of why everyone should transition to Windows 7. Insert fancy marketing for windows 7'

I'd also argue that anyone still using windows really should upgrade to a more modern OS and Google was just trying to put XP out of its misery. Sometimes you have to do harm to not do evil, like cutting off a leg to save a life.

Re:Do no evil (5, Funny)

iserlohn (49556) | more than 4 years ago | (#32533894)

What?? Given Microsoft's history of fixing their bugs, I would have released it as a 0-day instead of a 5-day! Google's just doing everybody a favor. Look at all the other companies that are afraid of angering MS. Don't forget that Google's recent security breach is directly because of MS products.

Re:Do no evil (1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#32533916)

Whatever it takes to damage Microsoft is okay with me. I've hated this company since the 80s - not because I randomly like to hate inanimate objects, but because Microsoft's products were 5-10 years behind what other companies like Apple, Atari, and Commodore were doing. MS == crap for a long long time.

And because Microsoft would do anything short of murder to "win" in the marketplace, such as stealing trade secrets, locking-out competitors products, or suing smaller companies in court until they went bankrupt (i.e. MS was patent trolling). It's about time MS received a dose of its own medicine.

Re:Do no evil (5, Insightful)

gad_zuki! (70830) | more than 4 years ago | (#32534100)

>Whatever it takes to damage Microsoft is okay with me.

This doesn't punish MS, it punishes end users and admins. Sadly, this fact doesn't matter to those who are just full of MS hate.

Re:Do no evil (1, Troll)

casings (257363) | more than 4 years ago | (#32534360)

If you didn't realize that windows was an insecure product, you get what you deserve.

The end users and admins punish themselves.

Re:Do no evil (0)

Anonymous Coward | more than 4 years ago | (#32534384)

>Whatever it takes to damage Microsoft is okay with me.

This doesn't punish MS, it punishes end users and admins. Sadly, this fact doesn't matter to those who are just full of MS hate.

I was able to install the hotfix so I was definitely helped and my system is now safer.

Furthermore, in what way do you think would it improve my system's security to now uninstall this hotfix and let Microsoft sit on the issue, possibly for months?

I think you have it all backwards.

Re:Do no evil (4, Insightful)

master_p (608214) | more than 4 years ago | (#32534394)

It only punishes end users and admins in the short term. When these people are fed up with Microsoft, they will turn elsewhere, and then Microsoft will be hurt.

Re:Do no evil (1)

mcgrew (92797) | more than 4 years ago | (#32534292)

I don't expect any corporation to have morals, but I don't like Microsoft because I don't like its software. Well, Excel is ok, but that's only because all the other spreadsheets suck even worse.

What really bugs me about Microsoft is you can't hardly buy a non-Apple computer without getting Windows. How hard would it be for them to give me a choice of OSes? Probably pretty hard; MS has most likely made deals with the hardware manufacturers preventing it. THAT'S the immoral business practice that I hate, because it affects me directly.

Re:Do no evil (2)

yossarianuk (1402187) | more than 4 years ago | (#32534374)

I completely agree, it took the world about 1/2 a decade to catch up after the Amiga died.

Getting my first (very expensive ) Windows PC was the most depressing day of my life.

Now that most technology companies are working on Linux products I sense the computing dark age is coming to an end.

It's not just Google, Dell seems to have woken up from the Matrix... (we just need all the rest of them to stop being farmed)
Dell: "Ubuntu is safer than Microsoft® Windows®" [dell.com]

Re:Do no evil (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32533922)

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

Yeah yeah. Apart from the guy not actually doing this as a Google employee;

"Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself."

And the fact that Google, Apple and everyone else have got a long way to go before they approach the utter moral bankruptcy required for the likes of the Halloween documents, the derailment of OLPC, the ODF/OOXML fiasco and so on.

Re:Do no evil (1)

decipher_saint (72686) | more than 4 years ago | (#32534006)

If some guy at Google can figure it out, some guy not at Google can figure it out.

All he did was point a finger at the breach in the fort.

Re:Do no evil (1)

imakemusic (1164993) | more than 4 years ago | (#32534154)

True, the hole shouldn't have been there but there is a difference between shouting "Hey! Everybody! You can break into the fort here, the wall's broken!" and quietly saying to the fort owner "your wall is broken, people could get in through there".

Holy crap, did I just side with Microsoft? I feel dirty.

They did no evil (5, Interesting)

keirre23hu (638913) | more than 4 years ago | (#32534014)

Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).

Did you RTFA? The Google engineer - who btw didn't use any indication that they are from google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing an (NON-ZERO DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix - I'd expect a company that derives Microsoft sized revenue from their OS to have someone readily available for these issues.

Re:They did no evil (4, Insightful)

gad_zuki! (70830) | more than 4 years ago | (#32534052)

I'm sure his hotfix and one man testing matches MS's extensive testing. Seriously, do you think any company would just release this fix immediately without serious testing?

Re:They did no evil (1)

keirre23hu (638913) | more than 4 years ago | (#32534132)

Not really, but I think his hotfix is a starting point, and testing would/should be at least partially automated. As another poster stated, they could put out an advisory or disable the service or do something more than they have done for the past 5 days.

Re:They did no evil (2, Insightful)

228e2 (934443) | more than 4 years ago | (#32534242)

Hahahahahahaha.

Really? You think MS (or any company near their size) would use submitted code as a starting point? Geez, I understand the dislike for MS, but let's use sound reasoning please.

Oh not the we're too big to fix it defense (1)

keirre23hu (638913) | more than 4 years ago | (#32534332)

Right, they won't use the security researcher who found the bug that their "evolved" process missed... And that's why Microsoft has such a great and well deserved reputation for producing secure products. Internet Explorer, SQL Server, IIS, the Active X framework, every version of Windows OS before 2008/Seven. Firefox has been a terribly insecure product, but they do make timely efforts to fix the bugs when they are discovered. For me, that counts for something. I don't want to be an open source zealot, but how is it that a multi-billion dollar software company cannot even issue an advisory in 5 days, but loosely knitted groups of 3rd party funded engineers and volunteers can?

Imagine if that argument were applied elsewhere.

"Yes ma'am we received your 9-11 call about a house fire, but our city government is so large that we'll need to send a team out to verify there is smoke and heat and that a fire truck is warranted before the actual fire truck can be dispatched"

Re:They did no evil (1, Informative)

Anonymous Coward | more than 4 years ago | (#32534268)

Spot on. Here's the problem with the majority of the comments I see now: they didn't even bother to RTFA. Your comment pretty much sums it up.

Note that the workaround (disabling the protocol handler) is preferred, as the hotfix is not sufficient (see comments on the article itself).

Re:They did no evil (0)

Anonymous Coward | more than 4 years ago | (#32534354)

Except the fix did not work and left users still vulnerable.

Did you even read the article before spouting off?

Re:Do no evil (1)

bsDaemon (87307) | more than 4 years ago | (#32534148)

In fact, they're much worse 'cause they don't even pay dividends. They just suck up ticker space.

Re:Do no evil (1)

krou (1027572) | more than 4 years ago | (#32534408)

And why, exactly, is Google at fault here? The actual post on Full Disclosure states the following at the bottom:"Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself." He makes no mention of working for Google, posting this with Google's sanction, nor does he even post it from a Google email address.

The fact is, a guy posted this vulnerability in a private capacity, and he just happens to work at Google. Just because he works at Google, somehow this means another stage in the "war" between Google and Microsoft? Nonsense. Sounds like journalists are trying to make a scandal out of nothing.

Just turn it off (5, Interesting)

GaryOlson (737642) | more than 4 years ago | (#32533776)

...leverage a flaw in Windows' Help and Support Center...

This service is turned off by default on all systems I manage both as part of initial installation; and where possible by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.

Re:Just turn it off (4, Funny)

1s44c (552956) | more than 4 years ago | (#32533828)

...leverage a flaw in Windows' Help and Support Center...

This service is turned off by default on all systems I manage both as part of initial installation; and where possible by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.

You should turn off everything you don't need but if you turned off every insecure component of windows you would be left with a machine just running its BIOS.

Re:Just turn it off (0)

Anonymous Coward | more than 4 years ago | (#32533876)

Sure, so why bother with windows?

Good Touch (2, Funny)

luggage66 (1195633) | more than 4 years ago | (#32533780)

Quick, someone make an exploit that installs IE8 or Chrome.

Re:Good Touch (1)

hedwards (940851) | more than 4 years ago | (#32533852)

They already do, it's called the IE 8 install program.

Re:Good Touch (1)

luggage66 (1195633) | more than 4 years ago | (#32533882)

Tell my users this.

Re:Good Touch (1)

TheRaven64 (641858) | more than 4 years ago | (#32534366)

Really, on Slashdot people should be expected to know the difference between an exploit and a trojan.

Microsoft's Official Response (4, Interesting)

eldavojohn (898314) | more than 4 years ago | (#32533788)

They were not happy [technet.com] and said

"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented."

Re:Microsoft's Official Response (3, Insightful)

hedwards (940851) | more than 4 years ago | (#32533868)

Ah, the security blanket approach. If they can't see me I'm not vulnerable.

Re:Microsoft's Official Response (1)

jank1887 (815982) | more than 4 years ago | (#32534000)

avoid the gaze of the Ravenous Bugblatter Beast of Traal (a mind-bogglingly stupid animal, it assumes that if you can't see it, it can't see you - daft as a bush, but very ravenous)

funny. the daft but ravenous comment seems totally appropriate here.

Re:Microsoft's Official Response (0)

Anonymous Coward | more than 4 years ago | (#32533892)

>and the actual workaround Google suggested is easily circumvented.

So since they said it was right, they must be perfect. I mean, they ARE Microsoft.

Re:Microsoft's Official Response (0, Troll)

commodore64_love (1445365) | more than 4 years ago | (#32533938)

>>>"...without giving us time to resolve the issue..."

Oh well. It's no different than how you routinely acted in the 80s and 90s Mr. Microsoft. I guess people should "do as we say, not as we act" eh? It's okay for MS to act like an ass, wiping-out competition left and right, but not other companies to copy the MS Warbook. Hypocritical corporation.

Re:Microsoft's Official Response (1)

gad_zuki! (70830) | more than 4 years ago | (#32534082)

Except these moves don't punish MS in the slightest. It punishes end users who are just using their computers and have no say in the policies here.

Not to mention, 5 days certainly is not enough time to do the testing MS needs to do to release a patch. I'd rather just perform a work around (limited rights, removing functionality, etc) than deal with a patch that will cause me further problems.

Re:Microsoft's Official Response (0)

Anonymous Coward | more than 4 years ago | (#32534400)

When Microsoft crushes competition, buys out rival companies just to shut them down, when they keep rewriting their file formats just so that others can't make software compatible with their data, it punishes the end users even more than you could ever imagine. You just don't see the effects right away.

And if you're still using any Microsoft product, you should know by now that this kind of shit is normal. Everybody around you keeps saying that Microsoft products are crap yet you keep using them. It's your own damn fault.

Re:Microsoft's Official Response (0)

Anonymous Coward | more than 4 years ago | (#32534010)

"without giving us time to resolve the issue"

They had time to fix it. 5 long days. If MS is not threatened by a public full disclosure, chances are they will never fix their bugs.

Re:Microsoft's Official Response (1)

SanityInAnarchy (655584) | more than 4 years ago | (#32534028)

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue...

They had five days. Not great, but he made exactly this point -- Microsoft needs to patch these things faster when discovered.

Re:Microsoft's Official Response (1)

rawler (1005089) | more than 4 years ago | (#32534106)

The way I see it, they've had about 9 years to fix it. All the way since XP was released. (unless it was introduced by some service pack).

Software Security is ultimately the responsibility of the creator of the software. Others have no obligation whatsoever, moral or legal, to report in errors.

Non-microsoft employees are NOT Microsoft's security-staff. Or maybe they are.

Irresponsible (2, Insightful)

dmcq (809030) | more than 4 years ago | (#32533792)

If he has only given five days before releasing it into the wild he is recklessly irresponsible. It just shows a person can be intelligent one way and a complete eejit in another. Could he be sued for this by someone who gets infected?

Re:Irresponsible (1)

mp3LM (785954) | more than 4 years ago | (#32533806)

It's probably important to note that it may not have been his decision to release the information to the public.

Re:Irresponsible (1)

somersault (912633) | more than 4 years ago | (#32534026)

FTBD:

Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself.

Re:Irresponsible (5, Insightful)

axl917 (1542205) | more than 4 years ago | (#32533878)

Could he be sued for this by someone who gets infected?

Don't be stupid. It isn't the messenger's fault.

Re:Irresponsible (1)

somersault (912633) | more than 4 years ago | (#32534092)

It kind of is if they publish the exact exploit code needed before MS have time to figure out a real patch (the patch that this guy sent in is apparently very easily circumvented).

If he hadn't published full details of the exploit then you couldn't blame him.. but as it stands, he's not much better than a malware author.

Re:Irresponsible (0)

Anonymous Coward | more than 4 years ago | (#32534312)

Don't be stupid. It isn't the messenger's fault.

Killing the messenger is traditional. -- Recipient of Bad News

Re:Irresponsible (1)

commodore64_love (1445365) | more than 4 years ago | (#32533966)

How do we know it was 5 days?

This could be one of those infamous bugs that MS has known about (secretly) for two years, but they never bothered to fix. If that's true and the programmer knew the bug had existed for two years, then I consider him a cyber-patriot for whistle-blowing. Maybe now MS will get off its 1200 pound ass and fix it.

Re:Irresponsible (0)

Anonymous Coward | more than 4 years ago | (#32533990)

How do we know it was 5 days?

This could be one of those cyber-infamous bugs that MS has cyber-known about (cyber-secretly) for two years, but they never bothered to cyber-fix. If that's true and the cyber-programmer knew the cyber-bug had existed for two cyber-years, then I cyber-consider him a cyber-patriot for cyber-whistle-blowing. Maybe cyber-now MS will get off its 1200 pound cyber-ass and fix cyber-it.

Fixed that for you

Re:Irresponsible (0)

Anonymous Coward | more than 4 years ago | (#32534076)

as I was reading this story, I thought to myself "I wonder what the stupidest person on Slashdot thinks about all this?" Now I know.

Re:Irresponsible (1)

correnos (1727834) | more than 4 years ago | (#32534112)

How would this guy be responsible for the bug? Did he create it? Did he break into the M$ servers and implant the bug in the source code? If you want to be whiny and lump the blame on someone, find the coder who wrote the code with the bug. The Google employee is only being responsible and notifying the public about a standing security hole that needs to be protected against. Security through obscurity is no security at all.

Re:Irresponsible (1)

Exitar (809068) | more than 4 years ago | (#32534122)

What would have been a good time for him to publish it?
The same day Microsoft will fix it? The day after? The day before?

They didn't fix it in 5 days. What if the fix will happen in one week? In one month?

I'm sure all the (1)

JamesP (688957) | more than 4 years ago | (#32533808)

"security experts" that try to convince people that IE is no less safe than FF/Chrome are going to be bothered (even though this attack has nothing to do with the browser)

5 days would be enough for an advisory.

How long did MS take to solve some bugs again?!

Re:I'm sure all the (1)

biryokumaru (822262) | more than 4 years ago | (#32533862)

Occam's Razor is crap. Occam's electric shaver, OTOH, is more soft on the skin and battery charge lasts a full week!

Hey! Get out of my bathroom!

- Occam

Time to dress up the emperor (0)

Anonymous Coward | more than 4 years ago | (#32533840)

IT is now about fuedism not about technology. Google pushes out its drug of choice, and MS is now having to live with a growing public knowledge that for 20+ years its software is garbage. I just find it funny that Google is the one trying to make Microsoft accountable.

Industry Standard (5, Interesting)

protektor (63514) | more than 4 years ago | (#32533870)

I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with closed source software. So the industry decided that 5-7 days after letting a vendor know about a problem that everyone would release the information so that everyone would know about it rather than just the bad guys and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.

Seem like this is just standard timing since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend manpower and money required to fix program bugs. They more want to fix them when they get around to having the free time a few months later to fix the bugs. After all bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing. "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.

The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.

If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you don't want to be bothered to fixed, in a timely manner historically.

Thanks Google (2, Insightful)

AmiMoJo (196126) | more than 4 years ago | (#32533884)

Now I can protect myself against this exploit. 5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on. Monthly update cycles are too slow.

Re:Thanks Google (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32533960)

5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on.

You live in a dream world. Yes, 5 days is fine if you have a non-os product that isn't part of an ecosystem with millions of applications running on it. For example to patch something like a text editor - 5 days is probably enough. But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes. That would be stupid.

Re:Thanks Google (1)

Ash-Fox (726320) | more than 4 years ago | (#32534072)

But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes.

Both Apple and Microsoft have both failed to release some patches that don't break more than it fixes this year. No idea if it was rushed though.

Re:Thanks Google (4, Insightful)

Xest (935314) | more than 4 years ago | (#32533968)

That depends on the company.

Sure, some companies don't give a fuck about incompatibility caused by updates and that sort of thing, however MS very much does.

Further, as they have such a large share of the desktop and server market that depends on working it would be irresponsible of them to throw out a patch in a mere 5 days that can't have been fully tested with countless configurations and ended up causing more harm to customers' machines than if they'd just not bothered to patch at all.

You can't reasonably build and test a patch that has minimal effect on your customer base in 5 days when your customer base is as large and varied as Microsoft's.

Re:Thanks Google (3, Insightful)

tajribah (523654) | more than 4 years ago | (#32534038)

It may seem so, but the reality seems to disagree. Most Linux distributions release security updates within a day or two after the vulnerability is announced and while I maintain dozens of Linux machines, I had witnessed a security update breaking something at most once. On the other hand, I have seen problems caused by Windows updates countless times.

Re:Thanks Google (1)

csrjjsmp (819838) | more than 4 years ago | (#32534350)

Hence his qualification "as large and as varied as Microsoft's."

Re:Thanks Google (0)

Anonymous Coward | more than 4 years ago | (#32534102)

Does this make them too big to fail? Are we as the people of the US going to have to bail them out too?

Re:Thanks Google (1)

ifrag (984323) | more than 4 years ago | (#32534068)

5 days is plenty of time to issue a patch.

Perhaps for some that is possible, although clearly Microsoft has no process in place to do something in that amount of time. With analysis, design, implementation, unit testing, code reviews, and whatever else their software cycle involves, I don't think they have a chance at having anything at all releasable in 5 days. So this expectation is a known impossibility, and likely known to some degree by those responsible for releasing the information.

And I don't fault them for actually following their own process and not rushing things out. Sure, they might be able to throw together some half-assed fix in a fraction of the time, but what will the consequences be? Instability? Data loss? An entirely new security hole as bad as the original? It's entirely possible the damage done through hasty work could even be worse than the exploit itself. Just "closing the hole" might mean leaving the OS inoperable (in broad generic terms, not whatever this story is referencing). Sure, maybe their process could be stream-lined, and improved upon, but 5 days can easily be chewed through especially in "big" software projects.

Grandstanding (1)

1 inch punch (319701) | more than 4 years ago | (#32533886)

>>Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself.
Didn't see where the Google association was, but judged in isolation it appears to be nothing more than grandstanding since 5 days doesn't seem to be reasonably enough time to respond.

Raging Bull (1)

PopeRatzo (965947) | more than 4 years ago | (#32533888)

This story would be funny if not for the fact that the Google engineer may have put a lot of computer users, and probably its own customers, at risk in this little game of one-upmanship.

It reminds me of a quote from Robert DeNiro playing Jake LaMotta in the great film Raging Bull by Scorsese. He's sitting at the table of some mobsters who are needling him about the impressiveness of another fighter: "Maybe I'll put da two of ya in the ring together and you can fuck each other".

When two big companies fight it out, one would hope that the consumer would be the beneficiary of their competition, not collateral damage.

Re:Raging Bull (2, Insightful)

tajribah (523654) | more than 4 years ago | (#32534168)

Sorry, but it seems that you are a little bit confused about the real cause. First of all, the blame lies on MS for creating the bug. Secondly, a responsible vendor should fix a security hole as quickly as possible, because security bugs are rarely discovered by a single person only. It is highly probable that the same bug is already being exploited by the black hat hackers in the wild. Five days is more than enough for the vast majority of security problems and delaying the fix is completely irresponsible. IMHO, MS should stop complaining and fix their processes instead.

In addition to that, it seems that MS has never replied to the researcher. Responsible vendors do that and they even cooperate with the researchers on the possible fixes. Most researchers treat such vendors very respectfully, but they hardly have any understanding for vendors who expect that they can delay security fixes for months and ignore the input from the security community.

Re:Raging Bull (1)

HikingStick (878216) | more than 4 years ago | (#32534358)

It's not really a new vulnerability--it's been around for almost a decade.

Is this really 'do no harm'? (1)

guysmilee (720583) | more than 4 years ago | (#32533958)

Is this really 'do no harm'?

Re:Is this really 'do no harm'? (1)

joaosantos (1519241) | more than 4 years ago | (#32534136)

Yes it is, what's doing harm is not warning the users when some security flaw is discovered.

Re:Is this really 'do no harm'? (0)

Anonymous Coward | more than 4 years ago | (#32534190)

Is this really 'do no harm'?

I think you meant 'don't be a jerk'.

Jeopardy (1)

Slash.Poop (1088395) | more than 4 years ago | (#32533972)

I will take "Don't be Evil" for $600 Alex.

and the response will be (1)

Spiked_Three (626260) | more than 4 years ago | (#32534024)

I can't wait for Microsoft to release an exploit for gmail - surely no one will be bothered by an exploit that makes everyone's current and past email available?

Another meaning for "Zero Day" (1)

Ancient_Hacker (751168) | more than 4 years ago | (#32534048)

Dang, and here I'd always assumed "Zero Day" meant the bug had been there since the day the software was released. Like the bug in the .BMP rasterizer, revealed in 2004, that had been there since Windows 3.0

Who manages the canonical definition of "Zero Day" ?

Missing from the summary (3, Insightful)

Photo_Nut (676334) | more than 4 years ago | (#32534062)

Missing from the summary is that not only are they documenting the exploit in detail, but they are also providing a hack to patch the hole.

The point of releasing this "Five day exploit" which has been vulnerable for 9 years now (XP was released in 2001) is to point out that Microsoft needs to do a better job responding to security threats and that the closed source model is less robust to these kinds of threats. Had this been open source, they could have simply issued a patch to a mailing list to close the hole.

No compiled software is safe from someone with the means and the motivation to modify it. Having the source code does not make it any easier or harder to exploit, but it does make it easier to patch exploits and allows for more people to examine the code for exploits.

I applaud his actions (0, Troll)

hesaigo999ca (786966) | more than 4 years ago | (#32534208)

Because he works for Google and they will protect him, M$ can't use their massive amounts of money to sway him from talking or slap him with lawsuits....therefore the only thing to do is actually FIX THE BUG!....imagine we live in a world where when we tell a company their product is flawed and even offer a way to reproduce this bug, that they say thank you very much, and fix their product...right away....well I applaud his effort, and think that more people (from Google) should all come out with these types of bugs to show that not only are we going to let everybody know about your bug and how to use it, but after giving you a small amount of time to fix it....so you might as well just swallow that pill, put on your coding caps and fix those bugs....

So many exploits come from M$ and have been around for so long that it is nice to see someone (other company) stand up for us and help bring about a safer web/internet for us to play in...
