
Miscreants Exploit Google-Outed Windows XP Zero-Day

kdawson posted more than 4 years ago | from the time-to-fix dept.


CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"


497 comments

Dear Microsoft (5, Insightful)

QuantumG (50515) | more than 4 years ago | (#32586328)

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

Re:Dear Microsoft (5, Insightful)

Entrope (68843) | more than 4 years ago | (#32586380)

Microsoft's negligent, lazy approach to closing security holes bit Google hard. Google is now letting Microsoft feel some of the pain. I hope that responsible journalists won't judge full disclosure solely by vendor-dictated rules -- when a software vendor has a history of problems, the spotlight should be on them, not on the people who report them.

Re:Dear Microsoft (5, Informative)

hedwards (940851) | more than 4 years ago | (#32586428)

If you read the article, the Google security engineer tried for 5 days to negotiate a fixed timetable for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

Re:Dear Microsoft (0)

Michael Kristopeit (1751814) | more than 4 years ago | (#32586572)

... so he posted the flaw online.

I'm pleased with him that he did.

Bullshit (4, Insightful)

Anonymous Coward | more than 4 years ago | (#32586800)

Bullshit. If he was willing to commit to 60 days before disclosure, he could have told Microsoft... OK... The clock is running. I am going to publicly disclose this vulnerability on day 61, not day 5.

Re:Bullshit (4, Insightful)

poetmatt (793785) | more than 4 years ago | (#32586892)

It's still not a zero day exploit, and if MS felt it was critical they could have devoted teams to take care of it. MS of all companies certainly doesn't have an absence of programming talent.

So far, they sure are silent, aren't they?

Re:Bullshit (5, Insightful)

Anpheus (908711) | more than 4 years ago | (#32586964)

Windows XP is released in dozens of languages with support contracts for all of them, and has two supported service packs, and a third 64-bit edition based off Windows Server 2003.

Each of those has to be regression tested and the fix needs to be guaranteed to not break anything for all of those customers with support contracts.

Even Red Hat won't release a patch in 5 days without regression testing all the affected builds. Not only that, but he decided that during the weekend before patch Tuesday.

No excuse for what this guy did. It was just spiteful, and he then went on to release a hotfix which didn't actually fix the bug. Way to go.

Re:Bullshit (3, Informative)

poetmatt (793785) | more than 4 years ago | (#32587046)

Yes, let's blame the guy who finds the exploit. Clearly your efforts must be focused the right way. Instead of that we still don't have a patch. Patch Tuesday stuff is prepared in advance, so it's not even remotely an excuse.

Re:Dear Microsoft (3, Insightful)

williamhb (758070) | more than 4 years ago | (#32586956)

If you read the article, the Google security engineer tried for 5 days to negotiate a fixed timetable for it to be fixed within. I think it was something like 60 days. MS apparently wasn't too keen on doing it and so he posted the flaw online.

If so, that is pretty damning of Ormandy -- that he thought 60 days was an appropriate timeframe for a fix, and even thinking it was reasonable for a fix to take that long decided to publicise it after only 5 days. Saying "I think 60 days is reasonable, so I'm going to publish in 60 days" is perhaps defensible; saying "I think 60 days is reasonable, but since you won't sign on the dotted line I'm publishing it 55 days earlier" sounds irresponsible.

Re:Dear Microsoft (5, Interesting)

hedwards (940851) | more than 4 years ago | (#32586396)

That's the thing: MS cries and whines whenever they're outed for being insecure, but when they aren't it seems to take an interminable period of time for them to actually patch the bug. Now, were they to be taking it super seriously so as not to introduce a new flaw, that would be understandable. The problem though is that they haven't learned anything from these incidents. They still expect to be able to hold onto fixes until Patch Tuesday and hope that nobody notices till then.

Re:Dear Microsoft (1)

LurkerXXX (667952) | more than 4 years ago | (#32586456)

I hope you realize Patch Tuesday wasn't Microsoft's idea. Their big corporate clients asked/insisted on it. MS released patches (sometimes one day after the other) for decades until the big corps pressured them into a monthly cycle to make the corps' in-house testing easier.

Re:Dear Microsoft (5, Insightful)

hedwards (940851) | more than 4 years ago | (#32586482)

Whether it's their idea or not, it's a horrible idea. Patches should be released as soon as they're finished, as in finished and having received reasonable review. Holding back patches for known flaws is ultimately irresponsible behavior. If a corporation doesn't want to do so constantly, then so be it, give them a tool to do it in that fashion. But as is, it's terribly irresponsible.

Given the prevalence of bots in corporate networks, perhaps they shouldn't be given that kind of pull over the security of everybody else.

Re:Dear Microsoft (1)

powerspike (729889) | more than 4 years ago | (#32586590)

Whether it's their idea or not, it's a horrible idea

But at the end of the day, if the customers ask for it, you give it to them. I have worked in corp land, and honestly I can fully understand it, having to do full testing cycles to ensure it won't impact current workflows, take workstations offline or break software used by the staff. Depending on the amount of software / image types you have, this can take 1-2 weeks; having to start a testing cycle every day increases the man hours needed to insane amounts. In the end, in a cycle like that, patches that aren't considered highly critical are ignored, and that just makes the problems even worse in the long run.

Re:Dear Microsoft (3, Insightful)

ArbitraryDescriptor (1257752) | more than 4 years ago | (#32586680)

Whether it's their idea or not, it's a horrible idea

But at the end of the day, if the customers ask for it, you give it to them.

But like he said, just give them a tool that queues up the patches. Allow them to set an update policy that holds off until X day, or bi-weekly, etc. Meanwhile, push patches to the home users as they come. They don't have an IT department to inform and protect them; holding back grandma's critical updates likely does more harm than good.

Re:Dear Microsoft (1)

tsm_sf (545316) | more than 4 years ago | (#32586692)

What's the difference between waiting a week in-house and waiting a week for Microsoft?

Re:Dear Microsoft (3, Informative)

Anonymous Coward | more than 4 years ago | (#32586746)

Generally, the release of a patch causes the creation of an exploit. Non-publicly-disclosed security holes become disclosed to the people who matter the minute the patch is released. They can disassemble and analyze the patch and write an exploit in a few days. So if a company queues up Microsoft's patches and installs them once a month, they're continuously vulnerable to up to a month's worth of public security holes.

Re:Dear Microsoft (5, Insightful)

cbiltcliffe (186293) | more than 4 years ago | (#32586928)

But that's their choice.
If everybody else wants to be secure, they can be, and to hell with the whiney "we can't do this more than once a month, because we're incompetent" corporations. Those corporations can queue updates themselves, if they want. Everything released in the last month gets tested.

Everybody else should have the option of installing the updates as soon as they're finished.

But, as usual, the security-idiot blowhards get to dictate policy for the rest of the world.

Re:Dear Microsoft (0, Flamebait)

DavidRawling (864446) | more than 4 years ago | (#32587050)

And may I ask, how many people does your multi-billion dollar corporation have sitting around to run full regression tests on the 400 applications you run in house? And how long do regression tests take (simply put, sometimes it's more than a day).

So 300 people in the fictitious org are continually testing and retesting the same apps, day in and day out (because even an automated test tool takes time to set up, monitor and interpret, assuming it's even AVAILABLE for Application X). And some of them don't even finish a test cycle before there is a new patch and everyone starts over again.

In the worst case scenario, the organisation can never patch up to date.

On the flip side, what if a bad patch is released (e.g. one that causes a normal system to blue-screen)? MS has 100 million home users who auto install patches; so now 10M or more are broken. Alternatively, as currently, the early adopters test before patch Tuesday and by the day of release, there's at least SOME confidence in the patches.

Actually I've got an idea. What Linux or BSD distro are you running? Do you update sources to the bleeding edge every night and rebuild the system from sources? Do you just assume everything will work? If you do, you already know stuff breaks. If you don't, STFU and stop blaming the cautious among us.

Re:Dear Microsoft (1)

james.mcarthur (154849) | more than 4 years ago | (#32587108)

Do you update sources to the bleeding edge every night and rebuild the system from sources?

Of course I do, I run Gentoo unstable.

Re:Dear Microsoft (3, Interesting)

b4dc0d3r (1268512) | more than 4 years ago | (#32586960)

I can tell you've been in corp land.

1) You used "at the end of the day." People who say that should be shot, and you took the time to type it. I copy/pasted.
2) You want things that aren't predictable to be predictable. Just put whatever's new in the current testing cycle and go.
3) I'm pretty sure "insane amounts" is not a very good estimate, I'd be interested in some real numbers. Especially if you consider the "put whatever's new in the current testing cycle and go" part.
4) "Makes problems worse in the long run" is also most likely hyperbole. If your policy is to test what you can, when you can, then I don't see how Microsoft's schedule impacts you at all. You're already backlogged. Does it matter whether you're testing 3 patches or 20? I mean, you're not going to fall behind Microsoft's release schedule, so you're not going to be falling behind, so what does it matter whether the patch is released on Thursday or Tuesday - you can sit on the Thursday patches until next Tuesday if you want, only now the delay is on your side instead of Microsoft.

So overall, you would rather Microsoft to hold things up on their end. When a virus outbreak happens you can say "the vendor hasn't released the patch" or "we didn't complete testing of the patch". That absolves you of responsibility. If Microsoft releases as fixes are finished, you have to fit an unscheduled release pattern into a rigidly defined cycle, and are at risk. Instead of worrying about your clients and users, you are worried about liability.

I say give me the patches as soon as you have them, I'll test and release them internally when I can. Most of the time that's going to be faster, occasionally something might be delayed for whatever reason.

And finally, thanks for proving that business is Microsoft's customer, not end users. It doesn't matter how at-risk someone at home is as long as business is happy, right?

Re:Dear Microsoft (1)

dragonsomnolent (978815) | more than 4 years ago | (#32586598)

Actually, MS has a nice thing called Microsoft Supplemental Update Services (basically allowed admins to set up a server to act as a local repository for all things MS Patch related). Having set up a few in my time, it was really handy for testing on small groups (I actually had set it up to do initial pushes to techs and sys admins first, then the IT department, and wouldn't authorize patches for everyone else until I was satisfied that the patches wouldn't bork everything). It was also nice since you could download all the patches to a local server and not eat up your bandwidth when everyone came into work and powered their computers on (we had updates set to run overnight, but since nobody ever bothered doing that, our bandwidth would get all eaten up by machines powering up and fetching updates). Anyway, I digress; the simple fact is that the program exists, and is free even.

Re:Dear Microsoft (1)

totally bogus dude (1040246) | more than 4 years ago | (#32586606)

Well they do have a tool to allow corporations to decide when to push patches - WSUS. And any organisation large or savvy enough to be testing patches before deploying them to workstations is going to be using it.

I think the reason for the Patch Tuesday release is to avoid disclosing the vulnerability to all and sundry. Otherwise, if the company doesn't want to / cannot test and deploy patches whenever they get released, there's going to be a period of time during which they have a vulnerability which is not only known, but attackers have the fix for it and can determine exactly what was changed to close it, thus making it very easy to generate an exploit for it.

Microsoft do occasionally release out-of-cycle patches for severe issues that are being actively exploited, so it's not as if they stick rigidly to the cycle even when it's clearly doing more harm than good.

Re:Dear Microsoft (1)

LurkerXXX (667952) | more than 4 years ago | (#32586638)

I think you are missing the reasoning. They already have a tool for it. WSUS server. It works great and they can roll out whatever patches they want, when ever they want easily.

A big corp may have thousands of in-house apps, or specialty apps. They need to test those against any new patches MS rolls out so the new patch doesn't break critical things and cause them mega dollars in downtime. If MS releases a patch Monday they start up their testing scheme, which may take a few weeks to run if they have thousands of apps. If MS releases another patch on Thursday (my Ubuntu boxes have patches constantly released, so it's not unreasonable), they have to start the whole cycle again, or have a second line of testing machines with another testing team running them. If MS releases patches every few days for their OS and apps, they'd need to have a dozen or more teams of testers and equipment, which is a ton of money.

And they can't exactly just hold off on testing the patches until the first cycle is done. As soon as MS releases the patch, the bad guys immediately begin reverse engineering it to find out what it was they fixed. Then they make an exploit to take advantage of it and start hitting the net with it. Holding testing after the patches are released exposes them hugely to those security holes.

Re:Dear Microsoft (1)

micheas (231635) | more than 4 years ago | (#32586932)

Or they could automate their testing a little bit more and get a 48 hour turnaround or so.

They could also re-evaluate the ROI of using Microsoft based products, and budget the proper amount for QA.

Re:Dear Microsoft (1)

Xacid (560407) | more than 4 years ago | (#32587038)

"Holding back patches for known flaws is ultimately irresponsible behavior."

Wait...did you just say that?

Re:Dear Microsoft (2, Interesting)

c0lo (1497653) | more than 4 years ago | (#32586784)

Their big corporate clients asked/insisted on it. MS released patches (sometimes one day after the other) for decades until the big corps pressured them into a monthly cycle to make the corps' in-house testing easier.

Yes, it's the customers' fault that even the MS patches can be buggy, isn't it? Also, customers are also to blame because applying a security patch requires a reboot.

Re:Dear Microsoft (4, Informative)

pyrbrand (939860) | more than 4 years ago | (#32586586)

You mean like the one mentioned in the article? 'The next day, it [Microsoft] posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."'

As far as pushing this to users automatically, people get angry when you break shit without asking them.

Re:Dear Microsoft (1)

QuantumG (50515) | more than 4 years ago | (#32586634)

Huh? It's a security flaw that is being exploited in the wild.. pushing out hotfixes for stuff like that is what Windows Update is for.

What's the rush? (1)

symbolset (646467) | more than 4 years ago | (#32586938)

It's not like there aren't thousands of security flaws being exploited in the wild. What's one more, against the convenience of orderly patching?

Re:What's the rush? (1)

QuantumG (50515) | more than 4 years ago | (#32587022)

That's the *reason* why there's so many flaws in the wild being exploited.. because Microsoft is completely uninterested in stopping it.

Re:Dear Microsoft (0, Troll)

wangbangersanonymous (1830288) | more than 4 years ago | (#32586674)

basically, what you wanted to say is, "I'm a fat whiny bitch." Correct?

holy shit (1)

iwannasexwithyourmom (1804754) | more than 4 years ago | (#32586690)

you love the cock!

Re:Dear Microsoft (1)

love2putmypenisthere (1804486) | more than 4 years ago | (#32586700)

goddamn. you sir, are a total doosh.

Re:Dear Microsoft (1)

upyourshomo (1803732) | more than 4 years ago | (#32586738)

Clearly, you are so much more intelligent than EVERYONE that works at Microsoft. I mean, gosh, if only they would hire someone like you, I'm thinking all their problems would be solved. Maybe you should apply and include this brilliant idea in your resume. Surely no one else has thought of this.

Re:Dear Microsoft (1, Informative)

Anonymous Coward | more than 4 years ago | (#32586752)

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Then you can work on a fix to the problem for as long as you need. Don't turn the hlp resource locator back on until you've fixed the problem.

All your pathetic security flaws should be handled this way. We've been saying this shit for *decades*.

you mean like here:

http://support.microsoft.com/kb/2219475

Re:Dear Microsoft (2, Insightful)

westlake (615356) | more than 4 years ago | (#32586756)

Release a hotfix to disable the hlp resource locator.. as you should have done as soon as you got the bug report.

Easy to say.

But Win XP has a global market share of 63%. Something like 500 million users - at all skill levels.

What happens to them when you disable part of the help system?

Re:Dear Microsoft (0)

Anonymous Coward | more than 4 years ago | (#32586882)

We sit back and enjoy the hilarity that ensues.

Re:Dear Microsoft (1)

oiron (697563) | more than 4 years ago | (#32586910)

Considering the number of times we have to say RTFM to people, not much apparently...

Re:Dear Microsoft (1)

QuantumG (50515) | more than 4 years ago | (#32586946)

Huh? You don't need to be able to type hcp:// into your browser to get at help files.

Miscreants (0)

davebarnes (158106) | more than 4 years ago | (#32586352)

Hooligans
Juvies

Re:Miscreants (0)

Anonymous Coward | more than 4 years ago | (#32586484)

Hooligans
Juvies

Microsoft
FTFY

Nice quote. (5, Funny)

ArbitraryDescriptor (1257752) | more than 4 years ago | (#32586358)

Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software.

Ballmer should be able to spin that into a win: "To be safe, all XP users are advised to avoid open source software stuff. It has viruses."

Re:Nice quote. (1)

hedwards (940851) | more than 4 years ago | (#32586436)

He's right about that. If they do that then they'll never get onto that nasty virus infested interweb I keep hearing about. Seeing as most OSes have relied upon the open source TCP/IP stack from BSD and a significant portion of websites are served via the likes of Apache and similar open source programs.

Re:Nice quote. (1)

WarJolt (990309) | more than 4 years ago | (#32586832)

Winsock is not open source... Like DOS, Microsoft "Owns" it.

Actually there were several TCP/IP vendors for windows, but they wanted BSD style API. They couldn't fork(), so they created winsock.

Re:Nice quote. (1)

Onymous Coward (97719) | more than 4 years ago | (#32587074)

I thought there were a variety of Winsock implementations, each independently owned. And as I (cursorily) read it, Winsock the standard was not owned by MS.

The bad guys thank you Tavis. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32586374)

Tavis Ormandy is an ass. 5 days isn't much time to wait before releasing this crap on the rest of us.

Re:The bad guys thank you Tavis. (0, Funny)

Anonymous Coward | more than 4 years ago | (#32586406)

5 days isn't much time to wait before releasing this crap on the rest of us.

Speak for yourself, Windows user.

Re:The bad guys thank you Tavis. (2, Interesting)

QuantumG (50515) | more than 4 years ago | (#32586414)

The bad guys have been using the flaw for years.. it's just the bottom feeders who are allowed by the cartel to have a go now.

5 days is more than enough time for Microsoft to release a hotfix and disable the vulnerable code.

Re:The bad guys thank you Tavis. (4, Informative)

hedwards (940851) | more than 4 years ago | (#32586504)

Actually, he tried to give them 60 days, but when it became obvious after 5 that they weren't taking it seriously, he released the exploit. I don't think anybody really believes that he'd report it then release it in that kind of a time span if there wasn't more going on than just that. 60 days is more than enough time for MS to release a proper fix, but the reality is that MS does sit on bug fixes because they can't or won't spend the time to take it seriously.

Re:The bad guys thank you Tavis. (0)

Anonymous Coward | more than 4 years ago | (#32586550)

If you read the article, MS promised to give a timetable before the end of the week (which, as it happens, is five business days from time of reporting, at latest). Tavis instead gave them two and a half business days. This is in contravention of Google's clearly-stated policies.

Re:The bad guys thank you Tavis. (4, Insightful)

sohp (22984) | more than 4 years ago | (#32586560)

Cluley is just a wanker who is crying because his own company didn't find the flaw first. And MS deserves what it gets for its obfuscating approach to fixing flaws. Full disclosure is the only truly ethical approach to take to protect the consumer; anything else is screwing over users while the proprietary software vendors focus on profit and shifting the true costs of insecure software to everyone else.

Re:The bad guys thank you Tavis. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32586716)

Just a heads up! Your post is self contradictory.

"Full disclosure is the only truly ethical approach to take to protect the consumer," I hear you say. It would seem that full disclosure, in this case, did *not* protect the consumer.

Microsoft may deserve whatever you think it does. The ones most affected are the users, however. And despite how much I hate the average person, they *don't* deserve whatever you think Microsoft does.

There are positives and negatives for full disclosure and non-disclosure. As with anything in life, I like to think that extremes of anything are a bad way to go about things.

Unbelievable (3, Funny)

Jean-Luc Picard (1525351) | more than 4 years ago | (#32586400)

A security flaw being exploited, via the Internet no less! I am shocked and outraged! /s

This is classic Tavis. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32586402)

He's the poster child for irresponsible disclosure. For Open Source bugs, he likes to hand them to Brad Spengler and blame vendor-sec for the leaks.

Re:This is classic Tavis. (3, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#32586492)

The only meaningful definition of "responsible disclosure" is "full disclosure". Anything else is an irresponsible stall tactic that hurts consumers even more.

Re:This is classic Tavis. (2, Interesting)

KingMotley (944240) | more than 4 years ago | (#32586890)

I do believe this proves otherwise. What was a previously unknown bug, not being exploited, has now turned into machines getting exploited, and it took what? Less than a day? Full disclosure is irresponsible.

Re:This is classic Tavis. (4, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#32587028)

You are assuming this exploit was not already being used before it was disclosed. I do not believe the summary indicates that, and it would be very hard to actually prove this exploit was never used before it was disclosed.

Secondly, your logic only works if you assume the first person to find the bug/exploit is always an honest person who is interested in disclosure. This is obviously a very foolish assumption; the only safe assumption is to assume that you are not the first to find it, and the only way to minimize damage is to fix it as soon as possible. Full disclosure ensures that it is fixed as soon as possible.

Microsoft was blowing off Tavis Ormandy. Tavis Ormandy then disclosed it to the public. Now Microsoft is forced to fix it. Score one for full disclosure.

Let me get this straight... (3, Funny)

pem (1013437) | more than 4 years ago | (#32586422)

Google is supposed to learn morals from Microsoft and its toadies?

5 days spent trying to get a fix within 60 days (3, Informative)

msbhvn (1162657) | more than 4 years ago | (#32586432)

According to this tweet: http://twitter.com/taviso/status/16005411316 [twitter.com] Those 5 days were spent trying to negotiate a fix within 60 days. So much for the 'he only gave them 5 days!' arguments.

Re:5 days spent trying to get a fix within 60 days (2, Interesting)

QuantumG (50515) | more than 4 years ago | (#32586450)

Yeah, he's not nearly as mean as I would be. I would demand actual action within that 5 days.. including pushing out a patch to disable the vulnerable code.

Re:5 days spent trying to get a fix within 60 days (0)

Anonymous Coward | more than 4 years ago | (#32586478)

Gee, thanks for letting us know you read the article.

In a message on Twitter last week, Ormandy said that he released the information because Microsoft would not commit to producing a patch within 60 days. "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days," Ormandy said on Saturday.

Re:5 days spent trying to get a fix within 60 days (4, Interesting)

shird (566377) | more than 4 years ago | (#32586552)

I had a similar experience reporting this advisory years ago about this same hcp protocol: http://seclists.org/bugtraq/2002/Aug/225 [seclists.org]

From the text: "Microsoft have noted they intend to roll the fix into SP1 for XP. I informed Microsoft I would be publishing this advisory in mid August during correspondence (late June) and received no objections."

For some reason they only put it into a service pack and didn't want to release a hot-fix. After people got wind of what happened they backdated a hot-fix for it, as described here: http://technet.microsoft.com/library/cc750540.aspx [microsoft.com]

Re:5 days spent trying to get a fix within 60 days (1)

Deathlizard (115856) | more than 4 years ago | (#32586718)

Then give MS an ultimatum that you'll release the exploit in 60 days if they ignore it. It gives you the same result you were looking for and reduces the chance of a wild exploit.

Giving them 5 days to set a priority on an exploit when they have to deal with hundreds, if not thousands of exploit reports per patch cycle, then releasing exploit code because you didn't like the answer they gave you is not helping your case, Microsoft, or the internet for that matter.

JUNE 15th... (4, Funny)

mbeckman (645148) | more than 4 years ago | (#32586442)

A day that will live in Ormandy.

Microsoft: are you pleased with yourself? (3, Insightful)

mrsam (12205) | more than 4 years ago | (#32586448)

This is a question that should really be asked of Microsoft

Microsoft, are you really pleased with yourself, for leveraging your monopoly power to foist upon the public a Rube Goldbergian monster of an operating system? An overengineered contraption that is completely beyond all hope. Tavis Ormandy did not create the whopper of a hole. You did. It's your bug, not his.

He gave Microsoft five days to fix the bug. I think that's plenty. We are not talking about some rinky-dinky Open Sauce project, run by volunteers in their spare time. We're talking about one of the world's largest corporations, with an army of (presumably) expert software developers in their employ, pretty much in all timezones in the world. Before you bitch and moan about not having enough time, why don't you explain exactly what you did after receiving his bug report?

If you did not immediately assign sufficient resources to isolate and identify the underlying bug, and did not assign developers to work 24 hours a day (in shifts, of course, around the world, in accordance with their timezones' ordinary business hours), then why not?

Re:Microsoft: are you pleased with yourself? (3, Interesting)

QuantumG (50515) | more than 4 years ago | (#32586526)

It's not just Microsoft... the point I think you're trying to make is that one shouldn't be able to force a browser to open a help file and execute arbitrary stuff.. well, can't disagree with you, but shit happens. It's exploits like this that have made the point, over and over again, that there is nothing on your computer that is not "online" when you are online. You can't say "oh, that application isn't connected to the network, it doesn't need to be secure". Everything needs to be written with the highest level of security in mind.

Re:Microsoft: are you pleased with yourself? (5, Informative)

Todd Knarr (15451) | more than 4 years ago | (#32586578)

Actually, he didn't give Microsoft 5 days to fix it. He gave them 5 days to commit to an actual timeline for fixing it (IMO the 60 days he asked for is, if anything, on the generous side). They didn't just refuse to fix it, they refused to even commit to a timeline for fixing it. But Microsoft isn't mentioning that part of it.

The elephant in the room (4, Funny)

Ironchew (1069966) | more than 4 years ago | (#32586474)

Graham Cluley...declined to identify the site, saying only that it was dedicated to open source software.

Begging the question: was it Slashdot?
[/humor]

Re:The elephant in the room (0)

Anonymous Coward | more than 4 years ago | (#32586490)

Or even better, was it code.google.com?

Re:The elephant in the room (1, Informative)

Anonymous Coward | more than 4 years ago | (#32587006)

Begging the question

Raising the question

hcp protocol (4, Interesting)

shird (566377) | more than 4 years ago | (#32586488)

I'm surprised this has taken as long as it has. I wrote an advisory many years ago about this handler (he references it in his advisory).

I described that it is essentially a way to run elevated script (back then there wasn't even a prompt). All that was required was to find a CSS bug and you have full control. There were heaps of code there could have been a bug in; I didn't actually look through everything. I just found a small CSS bug and left it at that. MS obviously found a lot more as their patch changed plenty of code. Had he dug through the code back when I wrote the initial advisory he wouldn't have even needed the loophole to avoid the prompt.

Adding the prompt is a good move I guess (when it works), but I can't imagine too many users paying any attention to it. The idea that you can arbitrarily open a higher elevated browser that can perform any system operation with user passed parameters seems broken by design rather than just a bug.

Yeah... (3, Insightful)

Greyfox (87712) | more than 4 years ago | (#32586522)

Blame Google for your shitty code. If you can go on hiding your head in the sand, it really doesn't matter how much damage is being done by the vulnerabilities you don't know about.

NOT zero day attack. (5, Insightful)

slashkitty (21637) | more than 4 years ago | (#32586534)

This is a 5 day attack. MS had 5 days warning... and maybe a few more before others were exploiting it.

Zero Day attacks are when you have NO warning, and they are in the wild before you even know about them.

Re:NOT zero day attack. (1)

Moddington (1721244) | more than 4 years ago | (#32586686)

Not to mention he released the vulnerability last Thursday, and we're only hearing about an exploit now. I'd really like to know what definition of "Zero-day attack" they're using, because I certainly can't reason out what it is.

Re:NOT zero day attack. (1)

Barny (103770) | more than 4 years ago | (#32586850)

Zero-day as in how many days it has been since a security patch for the flaw; until the flaw is patched, it's considered "Zero-day".

Ormandy did exercise responsible disclosure (5, Insightful)

Todd Knarr (15451) | more than 4 years ago | (#32586536)

Ormandy followed the rules for responsible disclosure. He reported the problem to Microsoft, and asked for a commitment to actually fixing the problem promptly. Microsoft refused to commit to fixing it. Ormandy then published the details, including the means for others to confirm it was actually a problem, so the rest of us could take steps to protect our systems. This had the desired result: it forced Microsoft to step up and fix the problem. Had Microsoft committed to this from the start, they wouldn't be faced with public disclosure. I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

Re:Ormandy did exercise responsible disclosure (-1, Troll)

Daltorak (122403) | more than 4 years ago | (#32586740)

I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk

So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS and presumably was never exploited in all that time, but now, all of a sudden some guy decides that it's vitally important to announce to the world, just a few days after submitting the bug report, that HEY EVERYONE, THERE IS AN EXPLOIT, AND HERE IS HOW YOU USE IT.

Had he kept his mouth shut, your systems would be safer.

Re:Ormandy did exercise responsible disclosure (3, Interesting)

MeNeXT (200840) | more than 4 years ago | (#32586804)

You are assuming his system would be safer when in fact it is NOT.

Re:Ormandy did exercise responsible disclosure (4, Informative)

drinkypoo (153816) | more than 4 years ago | (#32586848)

So then place the blame squarely on the "responsible" Google engineer for putting your systems at risk! This bug has existed in Windows XP for NINE YEARS

This bug has been in Windows XP for nine years, but it's this Google engineer's fault? Not unless he's a former Microsoft employee, the one responsible for creating the bug in the first place.

Had he kept his mouth shut, your systems would be safer.

No, they would seem safer, but be less safe.

Re:Ormandy did exercise responsible disclosure (2, Informative)

Khyber (864651) | more than 4 years ago | (#32586942)

No they wouldn't be any safer.

This exploit has been known about in security circles for AGES.

And MS has had several warnings, one from myself included, about four years ago.

Re:Ormandy did exercise responsible disclosure (3, Funny)

Barny (103770) | more than 4 years ago | (#32587010)

I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

I will not fear, fear is the mind killer, fear is the little death that brings total oblivion...

Re:Ormandy did exercise responsible disclosure (1)

linux4u1 (698647) | more than 4 years ago | (#32587054)

Interesting, except you never know that a black hat hacker has not been exploiting this for 9 years and not sharing his exploits. Bugs should be disclosed very soon because you never know how long someone's been using said undisclosed exploit. If you find a bug, don't you think others find it too? At the same time some companies release said products with that bug and just might have known about it when it was released and didn't want to address said issues.
Anyway there's no point for software to ever be perfect if a company wants you to buy a new version. How many patches have been re-patched because they added new problems? Anyway these are some of the main problems with closed source software.

Re:Ormandy did exercise responsible disclosure (1)

Onymous Coward (97719) | more than 4 years ago | (#32587092)

and presumably was never exploited

...

He sounds like kinda a dick (0)

Anonymous Coward | more than 4 years ago | (#32586826)

From the sec mailing list:

Susan, this is what is called "full disclosure", and my response was
relevant.

I will not answer anymore uninformed questions on this topic.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:

        I'm not asking about disclosure. I'm asking what happened to the level
        of communication between you and MSRC that after 4 days you posted this?

        Tavis Ormandy wrote:

                Susan, I wish I had the time to hold your hand through getting up to
                speed on the disclosure debate. Instead, I would suggest starting with
                the links in my advisory which were intended to give you enough
                background to understand the issues involved (skip to the Notes section,
                if you like).

                As I cannot hope to speak as eloquently on the topic as Bruce, I will
                not attempt to repeat them for you here.

                If after researching the topic you still have questions, please let me
                know.

                Thanks, Tavis.

Re:Ormandy did exercise responsible disclosure (1)

oddTodd123 (1806894) | more than 4 years ago | (#32586834)

I have no sympathy for Microsoft, nor for any other vendor who puts my systems at risk because they don't want to fix their own bugs.

Hey wait a minute. Who installed Microsoft software in the first place? Clearly it's the users and admins who put the systems at risk, not Microsoft!

Re:Ormandy did exercise responsible disclosure (1)

Jaktar (975138) | more than 4 years ago | (#32587080)

It seems to me that Ormandy did not follow all the rules of responsible disclosure as defined by Microsoft and injected some of his own (or Google's) rules into the process that is already established at Microsoft. Here's the link to MS's responsible disclosure site:
http://www.microsoft.com/security/msrc/collaboration/ecostrat.aspx

Absent is any mention of a timetable from MS's site. MS's procedure is the result of talks in 2001-2002 with multiple vendors as to how they were going to handle reporting of bugs/exploits. If Google handles their bugs differently, that's Google's business. Ormandy would have been kept in the loop regarding the time table for the fix but he took it upon himself to bypass the whole procedure.

A means to pose the Question.... (0)

Anonymous Coward | more than 4 years ago | (#32586568)

"To Cloud or not to Cloud"

Deduced, simply by the source (Google) their effort and the time line.

The Bigger question is...

Who controls YOUR relationships?
You or others?

Think about it.

Services.msc, use it! (5, Informative)

jack2000 (1178961) | more than 4 years ago | (#32586588)

HA, Help and Support Center, I've had that service disabled since I installed this thing long ago! If you try to run anything with the hcp protocol it flat out tells you:

Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'.

So you can disable that service and be at ease that nothing is going to happen to you or your users.

Re:Services.msc, use it! (2, Interesting)

QuantumG (50515) | more than 4 years ago | (#32586670)

So why didn't Microsoft push out that command via Windows Update as soon as the bug was reported? They have the power to prevent a single user from being attacked by this vector, why didn't they? They could even make the message more informative.

Re:Services.msc, use it! (1)

jack2000 (1178961) | more than 4 years ago | (#32586764)

Not something Microsoft would want to do, even though the Help and Support Center is of questionable use. That's why I disabled it in the first place.

bring it (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32586616)

Well.. to the M$oft fan boys: suck me. Let me tell you, no other company but M$oft can release a pile of shit like this one. Just today I boot to play EQ2 (the only time I'm on this turd of an OS) and hey! No sound! Wow. Reboot and guess what? Sound! Ohh, but the network's down. Reboot and everything's up and fine. Then 10 minutes into it, sound goes out again. Just to be sure, reboot into Ubuntu: no issue at all. Reboot again into SuSE and wow, no problems. Reboot into fucking Windows and, haha, no network... FUCK this thieving shit selling company! Why can't the fucking world see this shit for what it is? SHIT, nothing more.

Conspiracy! (0)

Anonymous Coward | more than 4 years ago | (#32586632)

In a battle between multi-billion dollar entities, this is clearly a play by Microsoft to fight Google.
"We told you so! We told you so! ...Oops... is that our dev's handle in the comments? Better fix that..."

MicroSilly (2, Insightful)

defective_warthog (776271) | more than 4 years ago | (#32586684)

BUYER be aware. Is that enough said? Oh well, it will make some more time for the MS admins out there. I wonder if they don't just leave this crap out there to continue to support their partners? I have over ten years on Linux as mostly a home user. I guess it is a case of "Stupid is as stupid does". Peace, y'all.

HOW TO SCORE? (0)

Anonymous Coward | more than 4 years ago | (#32586726)

Own goal Microsoft, or goal Google?

Somebody from the UK here? You are experienced in own goals, so what do you say?

Well, I'm not Tavis (1)

pem (1013437) | more than 4 years ago | (#32586774)

but if I had done what he did (negotiated diligently yet fruitlessly with MS for five days), I would probably reserve judgment for whether or not I was "pleased with myself" until I saw how Microsoft acted when they received my next bug report...

Of course, I might also be "pleased with myself" if my employer had a policy of huge bonuses for published zero day exploits. I dunno whether this happens or not, just sayin' I'd be very pleased to get such a bonus, and would work quite hard to try to get another one.

Killing the messenger is always easy (0)

Anonymous Coward | more than 4 years ago | (#32586802)

Of course, instead of trying to blame the guy who published the vulnerability, clueless bloggers could just look at the people who actually created it, and ask them "so why, exactly, do you only release patches once a month?".

It's frickin' obvious: Microsoft created the code, Microsoft provided the infrastructure, Microsoft is aware of it, Microsoft has the ability to create a patch, Microsoft has the resources to provide the patch.
This is a Microsoft issue start to finish, and blaming the messenger for Microsoft's incompetence and unwillingness to deal with vulnerabilities with the speed they require only shows that the bloggers in question are either a) lacking common sense, or b) Microsoft shills.

I got hit with this exploit yesterday (1)

js3 (319268) | more than 4 years ago | (#32586812)

I don't remember exactly which site, but while looking up some coding related issues for a VS2010 port, all of a sudden Norton Antivirus starts freaking out about malicious programs, then the UAC kicked in constantly asking to run cmd.exe, prompting me to reboot. MSHTA.exe was hit with some trojan that tries to root the system. I got lucky with Win7 64 and Norton AV, but yeah, it's weird a source code site would launch this nonsense.

Re:I got hit with this exploit yesterday (2, Interesting)

ashridah (72567) | more than 4 years ago | (#32587072)

I wouldn't have been surprised if it was actually one of the ad servers the site uses.

Why do people still use xp? (1)

shoehornjob (1632387) | more than 4 years ago | (#32586880)

The damn thing will be 9 years old this August. It has more holes in it than Swiss cheese. It came with IE6, which most would agree is the most compromised browser of all time. Why are people still using this thing? I work in a call center and about 85-90% of people I deal with are still using Windows XP. Fortunately there seem to be far fewer people using IE6. Considering the amount of trouble they get themselves into (drive by attacks: "it said click here so I did. Why doesn't my computer work?") it doesn't really matter what browser they use anyway. The problem here is a lack of basic computer literacy. In my experience the general public has this plug and play attitude to computing because they are not forced to learn anything. It makes everything support has to do for a customer that much harder. I don't care if you were stupid enough to click on this popup because it said you have 800 viruses on your computer. Best Buy must be making a killing off these people.

Mitigation? (3, Informative)

Derek Pomery (2028) | more than 4 years ago | (#32586998)

My understanding is that Firefox disables hcp:// by default:
network.protocol-handler.external.hcp = false

And since the only other demo I saw in code was using the Windows Media Player plugin, which apparently, for some insane reason, parses HTML in MSHTML, can't you just disable the WMP plugin in Add-ons?
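A read-only audit that ties together the two mitigations raised in this thread: the "Help and Support" service from the Services.msc post above, and the Firefox pref in this post. This is an added example, not code from the thread, from Microsoft or from Mozilla. It assumes the service's short name is helpsvc, that the hcp: scheme is registered under HKEY_CLASSES_ROOT\HCP, and the usual Firefox profile location under %APPDATA%; the sample prefs.js line at the end is constructed. Written for Windows PowerShell 2.0, the version available on Windows XP SP3:

```powershell
# Read-only audit of the hcp:// mitigations discussed in the thread. It reports, never changes anything.
# Assumed (not stated in the thread): service short name 'helpsvc', registry key
# HKEY_CLASSES_ROOT\HCP for the hcp: scheme, and the Firefox profile layout under %APPDATA%.
# Written for Windows PowerShell 2.0 so it runs on Windows XP SP3.

function Get-HelpServiceState {
    # Win32_Service gives both the run state and the start mode, which is what
    # services.msc shows as Startup Type (Auto / Manual / Disabled).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='helpsvc'"
    if ($svc -eq $null) {
        return New-Object PSObject -Property @{ Present = $false; State = 'absent'; StartMode = 'absent' }
    }
    return New-Object PSObject -Property @{ Present = $true; State = $svc.State; StartMode = $svc.StartMode }
}

function Get-HcpHandlerState {
    # If the HCP class key is gone, nothing on the box answers an hcp: URL at all;
    # if it is present, show what the shell would launch for one.
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Registered = $false; Command = $null }
    }
    $cmdKey = "$key\shell\open\command"
    $command = $null
    if (Test-Path $cmdKey) {
        $command = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return New-Object PSObject -Property @{ Registered = $true; Command = $command }
}

function Get-FirefoxHcpPref {
    param([string]$PrefsText)
    # prefs.js only records prefs that differ from the built-in default, so no matching
    # line means the default is in effect (false, per the comment above).
    $m = [regex]::Match($PrefsText, 'user_pref\("network\.protocol-handler\.external\.hcp",\s*(true|false)\);')
    if ($m.Success) { return $m.Groups[1].Value }
    return 'default'
}

function Get-FirefoxProfilesHcpPref {
    # One result per Firefox profile found for the current user.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        $value = 'no prefs.js'
        if (Test-Path $prefs) {
            $value = Get-FirefoxHcpPref -PrefsText ([IO.File]::ReadAllText($prefs))
        }
        New-Object PSObject -Property @{ Profile = $_.Name; HcpPref = $value }
    }
}

# Constructed sample (not a real profile): a prefs.js line where someone flipped the pref to true.
$sample = 'user_pref("network.protocol-handler.external.hcp", true);'
"Sample prefs.js line parses as: $(Get-FirefoxHcpPref -PrefsText $sample)"

$svc = Get-HelpServiceState
"Help and Support service: present=$($svc.Present) state=$($svc.State) startmode=$($svc.StartMode)"
$h = Get-HcpHandlerState
"hcp: handler registered=$($h.Registered) command=$($h.Command)"
Get-FirefoxProfilesHcpPref | ForEach-Object { "Firefox profile $($_.Profile): hcp pref = $($_.HcpPref)" }
```

A host where the service reports Disabled and the HCP key is absent has both avenues closed regardless of browser; a Firefox profile whose pref reads "true" has been deliberately re-enabled and is worth a closer look, since the default the post describes is off.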
