Microsoft Has No Plans To Patch New Flaw

timothy posted more than 4 years ago | from the who-uses-usb-drives-anyhow dept.

Security 217

Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

217 comments

Certificate revoked (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32944622)

The certificate was revoked.

Does it mean I need to update my drivers from Realtek, otherwise it spits them out?

Re:Certificate revoked (5, Informative)

arth1 (260657) | more than 4 years ago | (#32945776)

The certificate was revoked.

Does it mean I need to update my drivers from Realtek, otherwise it spits them out?

No. Windows' security model only checks the certificate during install.

And even so, it doesn't update the revocation list automatically on install, nor does it check with OCSP; you won't get the revocation certificate unless you specifically install "Root certificate updates" through Microsoft Update, which is usually found on the "optional" installs. So chances are that a lot of people will be able to install this malware in the future too.

Re:Certificate revoked (5, Informative)

mosschops (413617) | more than 4 years ago | (#32945988)

Windows' security model only checks the certificate during install.

64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation. Revoking that certificate will stop the devices from working, as the parent poster suspected. Though it may not be the same certificate for all Realtek uses.

Re:Certificate revoked (1)

arth1 (260657) | more than 4 years ago | (#32946706)

64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation.

No, they require a Microsoft Windows Hardware Compatibility signing certificate for loading on 64-bit systems, which the Realtek certificate isn't.
The 3rd party root signing certificates are just checked when installing.

Re:Certificate revoked (1)

yuhong (1378501) | more than 4 years ago | (#32946838)

Well, why do you think they signed the rootkit with a certificate?

Re:Certificate revoked (0)

Anonymous Coward | more than 4 years ago | (#32946774)

What are you talking about?

The root certificate updates have nothing to do with CRLs.

Windows by default will cache all of the CRLs from distribution points specified by installed root certificates. If it couldn't get an updated CRL within its frequency window then it'll use OCSP to verify certificates on demand. The root certificate update has nothing to do with this.
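The lookup order described in the comment above (cached CRL first, OCSP when the cache is out of date), sketched as an added example that is not part of the thread and is not Windows' actual implementation. The `Crl` class, the serial number, the dates and the soft-fail/hard-fail switch are assumptions made for illustration.

```python
"""Simplified model of a revocation check: cached CRL first, OCSP fallback.

Added illustration only. It is not Windows' implementation, and every serial
number and date below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no usable revocation information was available


@dataclass(frozen=True)
class Crl:
    this_update: datetime            # when the CA issued this list
    next_update: datetime            # the cached copy counts as fresh until then
    revoked_serials: FrozenSet[str]

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


# An OCSP responder is modelled as a callable that returns a Status, or raises
# ConnectionError when it cannot be reached.
OcspResponder = Callable[[str], Status]


def revocation_status(serial: str, now: datetime,
                      cached_crl: Optional[Crl],
                      ocsp: Optional[OcspResponder]) -> Status:
    """Use the cached CRL while it is fresh, otherwise ask OCSP."""
    if cached_crl is not None and cached_crl.is_fresh(now):
        if serial in cached_crl.revoked_serials:
            return Status.REVOKED
        return Status.GOOD
    if ocsp is not None:
        try:
            return ocsp(serial)
        except ConnectionError:
            pass
    return Status.UNKNOWN


def signature_accepted(serial: str, now: datetime,
                       cached_crl: Optional[Crl],
                       ocsp: Optional[OcspResponder],
                       hard_fail: bool) -> bool:
    """hard_fail=True rejects when no revocation information can be obtained."""
    status = revocation_status(serial, now, cached_crl, ocsp)
    if status is Status.UNKNOWN:
        return not hard_fail
    return status is Status.GOOD


# --- Constructed scenario: the CA revokes SERIAL at REVOKED_AT. ---
SERIAL = "5E:ED:00:01"
REVOKED_AT = datetime(2030, 1, 10)

# CRL downloaded two days before the revocation; it stays "fresh" for a week.
PRE_REVOCATION_CRL = Crl(
    this_update=REVOKED_AT - timedelta(days=2),
    next_update=REVOKED_AT + timedelta(days=5),
    revoked_serials=frozenset(),
)


def ocsp_online(serial: str) -> Status:
    return Status.REVOKED if serial == SERIAL else Status.GOOD


def ocsp_offline(serial: str) -> Status:
    raise ConnectionError("responder unreachable")


def run_scenarios() -> Dict[str, bool]:
    day1 = REVOKED_AT + timedelta(days=1)   # cached CRL still fresh
    day6 = REVOKED_AT + timedelta(days=6)   # cached CRL past next_update
    return {
        # A fresh cache that predates the revocation hides it until next_update.
        "fresh_pre_revocation_cache": signature_accepted(
            SERIAL, day1, PRE_REVOCATION_CRL, ocsp_online, hard_fail=True),
        "expired_cache_ocsp_online": signature_accepted(
            SERIAL, day6, PRE_REVOCATION_CRL, ocsp_online, hard_fail=True),
        "no_info_soft_fail": signature_accepted(
            SERIAL, day6, PRE_REVOCATION_CRL, ocsp_offline, hard_fail=False),
        "no_info_hard_fail": signature_accepted(
            SERIAL, day6, PRE_REVOCATION_CRL, ocsp_offline, hard_fail=True),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28} accepted={accepted}")
```

In this model a revoked certificate is still accepted in two cases: while a cached CRL issued before the revocation is inside its validity window, and whenever no revocation data can be fetched and the checker soft-fails.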

Possible mitigation? (4, Insightful)

Khyber (864651) | more than 4 years ago | (#32944624)

Couldn't they just start making driver signatures verify with the hardware they support instead of the OS? Screw the OS saying whether or not it's legit, does the actual hardware it's meant for say it's legit code?

Re:Possible mitigation? (4, Funny)

beelsebob (529313) | more than 4 years ago | (#32944636)

Yes, that's working out really well for Motorola's publicity department with the Droid X just now.

Re:Possible mitigation? (2, Interesting)

Khyber (864651) | more than 4 years ago | (#32944702)

There is a small difference to note, however; One is addressing an entire hardware set (motorola) the other is using code from a piece of hardware (is it a sound card/network driver certificate that got jacked?)

Actually, bad example. let me see what my medicated brain can re-think.

It's more like this, Motorola is stopping you from using hardware you purchased in a manner you wish with a hardware security check, where on the other hand, someone usurped a certificate from Realtek and used that to bypass security checks in a software-based system.

To prevent such an attack, I'd force those certificates to authenticate with the particular hardware. If the certificate came from the sound card drivers, the ENTIRE code should be authenticated by the sound card. Not sound card code behind that certificate? Denied.

Re:Possible mitigation? (4, Informative)

Drew M. (5831) | more than 4 years ago | (#32944806)

Did you even read the summary? Realtek's signing keys were stolen. That's why Verisign revoked them. Putting the verification keys in hardware wouldn't fix this issue.

Re:Possible mitigation? (2, Insightful)

AusIV (950840) | more than 4 years ago | (#32945712)

If anything, it would make things worse because they'd be harder to revoke.

Re:Possible mitigation? (1)

Khyber (864651) | more than 4 years ago | (#32946144)

Did you read my idea? Run verification key PLUS CODE through the hardware itself. If the key matches the hardware but the code produces BS results in the hardware (such as a nonsensical static when it should get several test tones,) then it gets denied.

Re:Possible mitigation? (1)

BronsCon (927697) | more than 4 years ago | (#32946926)

So, you're saying you want to be stuck with the buggy driver that ships with the hardware, rather than the at least semi stable one that ships a year later?

Re:Possible mitigation? (3, Informative)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32944892)

Excellent idea. In that way, when companies refuse to develop free drivers for GNU/Linux, we won't be able to make our own because the hardware will reject them. And all of that just because microsoft refuses to make a secure operating system because they want to keep users buying new versions, antivirus software, etc. And because the users refuse to switch to an operating system that works.

Brilliant idea.

Re:Possible mitigation? (3, Insightful)

drsmithy (35869) | more than 4 years ago | (#32945636)

And all of that just because microsoft refuses to make a secure operating system [...]

Can you outline what features and capabilities of a "secure operating system" are missing from Windows ?

Re:Possible mitigation? (0, Troll)

Anonymous Coward | more than 4 years ago | (#32945768)

drsmithy,

If you don't already know it's simply due to willful ignorance.

Re:Possible mitigation? (1, Troll)

cynyr (703126) | more than 4 years ago | (#32945872)

lack of a *.lnk based root kit, the ability to audit the source, the lack of ability to run 99% of the viruses in the wild.[1]

Can you run any version of windows from something like a ramdisk, so there is no real way to write to the disk? how about the old, start the system up, shut it down, but leave iptables running router hack? A highly transparent bug/flaw reporting system, with a quick turn around?

If you hear of a mac mini pro, let me know. :)

[1]yes yes, all strawmen, but the issue for me is the last version of windows I used was XP. So I'm out of date.

Re:Possible mitigation? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32946860)

Can you run any version of windows from something like a ramdisk, so there is no real way to write to the disk? how about the old, start the system up, shut it down, but leave iptables running router hack? A highly transparent bug/flaw reporting system, with a quick turn around?

Yes you can. You can run DOS from a RAMdisk, why wouldn't you be able to do that with Windows. Look up BartPE (no link provided on purpose). You can hack Windows into a lot of things. The problem with Windows detractors/alternative evangelists is they often spread myths about lack of capabilities of a demon operating system that many know are false or they even equivocate capabilities to an alt OS that are arguably inferior to the competition (yes, there are some things in the Windows API that are superior to POSIX... Yes there really are a few things)... and at that point are summarily dismissed as being idiots (and this is partially true).

If you're going to criticize a book, for instance, it is problematic to start misquoting it.

Windows sucks ass, but I'm not going to start off evangelizing by making stuff up.

Re:Possible mitigation? (1)

Khyber (864651) | more than 4 years ago | (#32946158)

Indeed, I should patent it quickly, so that it may not come to pass without my blessing!

Re:Possible mitigation? (0, Flamebait)

Saeed al-Sahaf (665390) | more than 4 years ago | (#32946240)

Excellent idea. In that way, when companies refuse to develop free drivers for GNU/Linux, we won't be able to make our own because the hardware will reject them.

So what? You're not required to buy or use any particular hardware.

Re:Possible mitigation? (0, Troll)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32946416)

Would you stop that free market bullshit?

Companies should be regulated, and the implied warranties should be extended, to cover more things for certain products.

A lot of people made a huge fuss regarding that laptop app for face tracking that didn't work for blacks because it was "discriminatory" but every day hardware and software is sold that discriminates against users of non-microsoft operating systems, yet no one gives a fuck.

Re:Possible mitigation? (1, Troll)

Saeed al-Sahaf (665390) | more than 4 years ago | (#32946832)

Would you stop that free market bullshit?

It's ***NOT*** "free market bullshit". It's ***YOU*** taking control of your purchasing and buying products that work for you, rather than bitching, moaning, and complaining about Microsoft. If you ***LIKE*** to bitch, moan, and complain, I imagine that you are married or getting a divorce. But most people AVOID bitching, moaning, and complaining. So buy stuff that works for you and leave the rest behind. UNLESS you are like RMS, and just like to BITCH MOAN AND COMPLAIN about Microsoft.

Re:Possible mitigation? (3, Insightful)

westlake (615356) | more than 4 years ago | (#32946604)

And because the users refuse to switch to an operating system that works.

The number of PC users is about 1 to 1.2 billion, based on most estimates I've seen. That would put the number of Windows users at 900 million to 1 billion, at all skill levels.

I will take that as pretty strong evidence that the Windows OS works just fine for those who use it.

In that way, when companies refuse to develop free drivers for GNU/Linux, we won't be able to make our own because the hardware will reject them.

I suspect that signed drivers are inevitable, whatever your platform.

Re:Possible mitigation? (0, Troll)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32946800)

Oh yes, sure, the fact that 1 billion computers around the world use windows surely proves that windows works fine. Specially considering that 99.5% of all email around the world is spam coming precisely from all those zombie windows boxes.

Also, signed drivers and drivers that are checked by the hardware itself are a different thing.

You are ignorant, and your argument is invalid.

Re:Possible mitigation? (0, Troll)

hairyfeet (841228) | more than 4 years ago | (#32946906)

Hate to break the news to you GNU dude, but as a PC repairman I can say that it doesn't matter WHAT OS is used when the underlying problem is PEBKAC. So unless you are ready to hand over 95%+ of your income in taxes to pay for the education in computers for those hundreds of millions of PEBKACs (and nobody gives a fuck if you say RTFM dude, this is reality where shit costs) then tough luck. Linux is no more a "magic bullet" than anything else, or did you miss the malware spread through GNOME Look awhile back?

The simple fact is there is a REASON why Windows has 90%+ of the desktops, and it is a reason I doubt FLOSS will ever fix: highly specialized apps. While just running Firefox and OO.o may work for you, there are literally millions of highly specialized apps from parts tracking to medical note taking where there are NO FLOSS equivalents which would cost billions to pay to have someone replicate the functionality of (and thanks to software patents may be illegal to replicate anyway) and when you figure in the amount of hardware that would have to be tossed because of no FLOSS drivers (plenty of highly specialized parts like C&C controllers are also Windows only) and the billions in retraining and the higher cost of Linux admins (if any are even available) you often find that "Free as in freedom" will cost the company much more than Windows licenses ever will.

So you can complain about Windows zombies all you want, working in the shop you'd be surprised how many of those are from "must see teh titties!" guys that would click on ANYTHING, but neither Linux nor BSD nor anything else is a "magic bullet" that will make PEBKAC disappear. And as we have seen "educate the users" doesn't exactly work, or we wouldn't still have 419 scams after all these years. So sorry GNU dude, but stupid is as stupid does, and if you switched the majority of PEBKACs to GNU tomorrow by the day after there would be so many "Hot_bitches.sh" files going through emails it would make your head swim. So just get on your knees and thank RMS that the PEBKACs are on Windows, and pray they stay there.

Re:Possible mitigation? (0)

Anonymous Coward | more than 4 years ago | (#32946830)

Microsoft don't maliciously make poor software intending that the user buy the same rubbish over and over again.. I know that it's hard to believe but it's actually pure stupidity.

Re:Possible mitigation? (0)

Anonymous Coward | more than 4 years ago | (#32945016)

There is a small difference to note, however; One is addressing an entire hardware set (motorola) the other is using code from a piece of hardware (is it a sound card/network driver certificate that got jacked?)

Actually, bad example. let me see what my medicated brain can re-think.

It's more like this, Motorola is stopping you from using hardware you purchased in a manner you wish with a hardware security check, where on the other hand, someone usurped a certificate from Realtek and used that to bypass security checks in a software-based system.

To prevent such an attack, I'd force those certificates to authenticate with the particular hardware. If the certificate came from the sound card drivers, the ENTIRE code should be authenticated by the sound card. Not sound card code behind that certificate? Denied.

Um, and how do you propose to code that, exactly?

There's a reason no computer can detect that it's in an infinite loop. Study Turing someday.

Re:Possible mitigation? (2, Funny)

PopeRatzo (965947) | more than 4 years ago | (#32945438)

let me see what my medicated brain can re-think.

Did you bring enough to share with the whole class?

Careful with that idea... (2, Informative)

Trerro (711448) | more than 4 years ago | (#32944766)

The ATI video card I have fails hard on XP64, so I got a driver some random guy that has nothing to do with ATI made instead, and it works great. If I were stuck using only drivers that were ATI-approved, I'd be majorly SoL.

I'm all for having the hardware verify that the driver actually is a valid driver for the hardware in question, just make sure that's ALL it does, or we'll lose the ability to use someone's hack to force a piece of hardware to work.

Re:Careful with that idea... (0)

Anonymous Coward | more than 4 years ago | (#32945124)

What ATI card do you have? Every ATI card I've used under XP x64 (x1950, HD 3870 and HD 5750) works just fine.

Re:Careful with that idea... (2, Funny)

X0563511 (793323) | more than 4 years ago | (#32946828)

Welcome to the world of ATI-Fail. Enjoy your stay

Re:Possible mitigation? (0)

Anonymous Coward | more than 4 years ago | (#32944774)

All you've done is moved the public key. Not much help if the private key is compromised.

Re:Possible mitigation? (0)

Anonymous Coward | more than 4 years ago | (#32944866)

And moving it makes things worse. Changing or revoking the public key when it's in the OS is a lot easier than changing the public key when it's burned into a ROM used by the sound card.

Re:Possible mitigation? (3, Interesting)

Arainach (906420) | more than 4 years ago | (#32945108)

That eliminates the possibility to revoke a certificate if one is compromised. Also, it leads to situations like the TI calculator incident, which Slashdot seems to hate.

Re:Possible mitigation? (1)

cynyr (703126) | more than 4 years ago | (#32945886)

yep, and it's what the "TIVO" clause in the GPL3 is for. I bought the hardware, I can do as I like with it, including blend it, make it into a rocket (not for shooting at something, but like a model rocket), use it to prop the window open, etc. The reason that TI doesn't like it, is they sell the same hardware with additional software features for a premium this way, and people buying a lowend calculator and flashing advanced firmware on it hurts their profit part.

Re:Possible mitigation? (1)

mysidia (191772) | more than 4 years ago | (#32945190)

Since the driver is what actually interprets the messages sent from the hardware... the driver will have to tell the OS whether or not the hardware says the driver is legit.

See the problem? There's a trust model violation inherent to the idea of 'asking the hardware if the driver is OK'

Oh... and what if a piece of malicious hardware is plugged in, or for that matter, a piece of hardware that already has malicious firmware on it?

Then the compromised hardware can just say 'YES'.. 'This (malicious driver), is of course legitimate.'

Re:Possible mitigation? (1)

Khyber (864651) | more than 4 years ago | (#32946192)

"the driver will have to tell the OS whether or not the hardware says the driver is legit. "

Just give it something similar to a POST. Make it OS agnostic. If the signed code comes from a video card, run the code to see if it's capable of handling what would be required to run a video card.

This doesn't break a goddamned thing, to those that think it does. If you write your video driver PROPERLY, it will check with the video card fine. a tiny rootkit with hardly any functionality will most likely not, and thus fail miserably.

Re:Possible mitigation? (3, Interesting)

RCL (891376) | more than 4 years ago | (#32945226)

I don't like security news precisely because they result in such overreactions as yours.

We should not care about security too much. Security is the opposite of freedom, and by concentrating our efforts on security we may end up with completely locked environment.

It's better to tolerate certain threshold of hijacked/owned computers than to require hardware verify the software.

Re:Possible mitigation? (0, Flamebait)

Khyber (864651) | more than 4 years ago | (#32946214)

I wonder how many times I could screw your computer before you'd change your mind. When I take your information and screw your financial history? How about I stalk your wife using the stolen info I have, and rape her, would you reconsider that threshold of security? No? How about I kidnap your children, they're pretty easy targets now that I've been able to glean so much information from your hijacked systems that you're willing to put up with.

Bad idea, pal.

Re:Possible mitigation? (1)

Husgaard (858362) | more than 4 years ago | (#32946770)

We should not care about security too much. Security is the opposite of freedom, and by concentrating our efforts on security we may end up with completely locked environment.

Welcome to the physical world. If you do not like security and are afraid to be locked out of your own house, you are free to remove the lock on your front door.

Drivers aren't just for hardware (1)

RulerOf (975607) | more than 4 years ago | (#32946436)

Couldn't they just start making driver signatures verify with the hardware they support instead of the OS?

That's a really, really bad idea.

Drivers are for hardware, yes, but they're also for software too. As soon as you switch to that type of signature verification model, you lose the ability to load drivers for virtual hardware, like ImDisk. [ltr-data.se] Microsoft's iSCSI initiator is also a virtual mass storage driver, and that wouldn't work either.

There's probably a gazillion other examples, but generally speaking, driver and software signing as it's currently implemented is working well enough for most things. It's just a shame it's so god damned expensive to get a driver signature or code signing certificate for something like a small FOSS project.

Re:Possible mitigation? (1)

supersat (639745) | more than 4 years ago | (#32946618)

What about non-hardware drivers, like anti-virus drivers, virtual devices, etc? Or drivers for generic devices like USB HIDs? And if a manufacturer's certificate gets compromised, what do you do? Require people to update their hardware or face an increased risk of malware? Require people to reflash their hardware? How do you secure the reflash process? What if it crashes in the process? Do you have bricked hardware?

Was there a point to this? (1)

amiga3D (567632) | more than 4 years ago | (#32944626)

I'm not getting it. There's a security problem and MS refuses to fix it? Really? How many times has this happened before? It's happened enough that I didn't even blink at it. It's like saying a politician told a lie. So?

Re:Was there a point to this? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32944708)

it's hardly an OS problem if some wanker has written a nasty driver then signed it with a legit cert
damn, I consider most of my linux wifi driver malicious

Re:Was there a point to this? (3, Insightful)

0123456 (636235) | more than 4 years ago | (#32944734)

it's hardly an OS problem if some wanker has written a nasty driver then signed it with a legit cert

I somewhat disagree: it clearly shows the flaws in an either/or trust model of that kind. Either it's signed and it's trusted to do anything at all to your system or it's not trusted to do anything at all... you only need one rogue signing key to break that model.

Re:Was there a point to this? (2, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#32944936)

Do you propose a better model? How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system? Of course, it would be great to be able to run drivers in unprivileged mode, but until we have an IOMMU in every system that won't actually buy any security (a malicious driver can just tell the device to DMA random data from anywhere in physical memory to the device and then back to the driver's address space, or data from the driver's address space into another process's).

Re:Was there a point to this? (5, Informative)

0123456 (636235) | more than 4 years ago | (#32945114)

Do you propose a better model?

Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.

How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system?

Generally speaking, Linux drivers are only installed if signed by the distro repository, and you have to trust that key: if it's compromised you're toast. Windows has three bazillion drivers signed by three bazillion keys and only one needs to be compromised.

Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.

Re:Was there a point to this? (5, Interesting)

rawler (1005089) | more than 4 years ago | (#32945368)

Generally speaking, Linux drivers are only installed if signed by the distro repository

Actually, for most distros, "drivers" (code executed as root, which is the main barrier in a Linux-system) are installed if they're signed by _any_ key in the keyring, including 3rd-party repositories.

Many people add 3rd-party repositories to access newer versions of various packages, or packages not included in the distro, significantly increasing the attack vector. If you manage to get a hold of a key for any of those repository-signers, you pretty much have root-access to thousands-millions of users.

One of the things Linux distributions must really rethink is the concept of 3rd-party software, and how it can be integrated and allowed more safely than it is today.

One concept could be special repository-system for 3rd-party packages, chrooted to separate container, and not allowed to execute any scripts during installation (or allowed, but at non-root privileges). Another idea could be per-user installs of 3rd-party apps that installs to $HOME/.local or similar, and never root.
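Added example, not part of any comment in the thread: a model of the difference between accepting a package signed by any key in the keyring and binding each key to one repository and the package names that repository may provide. HMAC-SHA256 stands in for a public-key signature so the block runs with the standard library alone; the repository names, keys and the `RepoPolicy` structure are hypothetical.

```python
"""Trust scope of package-signing keys: global keyring vs per-repository binding.

Added illustration only. HMAC-SHA256 stands in for a public-key signature so
nothing beyond the standard library is needed; with real signatures the
verifier would hold public keys only. All names and keys are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    repo: str        # repository the package claims to come from
    payload: bytes
    key_id: str      # key the signature claims to be made with
    signature: bytes


def _digest(key: bytes, name: str, repo: str, payload: bytes) -> bytes:
    msg = b"\0".join([name.encode(), repo.encode(), payload])
    return hmac.new(key, msg, hashlib.sha256).digest()


def build(name: str, repo: str, payload: bytes, key_id: str, key: bytes) -> Package:
    """Create a signed package (what the holder of `key` can produce)."""
    return Package(name, repo, payload, key_id, _digest(key, name, repo, payload))


def signature_valid(pkg: Package, keyring: Dict[str, bytes]) -> bool:
    key = keyring.get(pkg.key_id)
    if key is None:
        return False
    expected = _digest(key, pkg.name, pkg.repo, pkg.payload)
    return hmac.compare_digest(pkg.signature, expected)


def accept_any_trusted_key(pkg: Package, keyring: Dict[str, bytes]) -> bool:
    """Global keyring model: a valid signature by any trusted key is enough."""
    return signature_valid(pkg, keyring)


@dataclass(frozen=True)
class RepoPolicy:
    key_id: str                    # the only key allowed to sign for this repo
    allowed_names: FrozenSet[str]  # the only packages this repo may provide


def accept_scoped(pkg: Package, keyring: Dict[str, bytes],
                  policies: Dict[str, RepoPolicy]) -> bool:
    """Scoped model: the key must belong to the repo, and the repo to the name."""
    policy = policies.get(pkg.repo)
    if policy is None:
        return False
    if pkg.key_id != policy.key_id or pkg.name not in policy.allowed_names:
        return False
    return signature_valid(pkg, keyring)


# --- Constructed scenario: the third-party repository's key has leaked. ---
KEYRING = {"distro": b"distro-demo-key", "thirdparty": b"thirdparty-demo-key"}
POLICIES = {
    "distro": RepoPolicy("distro", frozenset({"linux-image", "coreutils"})),
    "thirdparty": RepoPolicy("thirdparty", frozenset({"mediaplayer"})),
}
LEAKED = KEYRING["thirdparty"]

SAMPLES = {
    "genuine_mediaplayer":
        build("mediaplayer", "thirdparty", b"release-2", "thirdparty", LEAKED),
    "kernel_via_thirdparty_repo":
        build("linux-image", "thirdparty", b"unexpected-build", "thirdparty", LEAKED),
    "kernel_claiming_distro_repo":
        build("linux-image", "distro", b"unexpected-build", "thirdparty", LEAKED),
    "altered_mediaplayer":
        build("mediaplayer", "thirdparty", b"unexpected-build", "thirdparty", LEAKED),
}


def compare_policies() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample: (accepted by any-key model, accepted by scoped model)}."""
    return {
        label: (accept_any_trusted_key(pkg, KEYRING),
                accept_scoped(pkg, KEYRING, POLICIES))
        for label, pkg in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (any_key, scoped) in compare_policies().items():
        print(f"{label:30} any-key={any_key!s:5} scoped={scoped}")
```

Scoping narrows what a leaked third-party key can replace, but the last sample is accepted under both models: that key can still sign an altered build of its own package, which is why the comment's second suggestion (no root during third-party installs) is a separate control.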

Re:Was there a point to this? (0)

Anonymous Coward | more than 4 years ago | (#32945498)

> One of the things Linux distributions must really rethink is the concept of 3rd-party software, and how it can be integrated and allowed more safely than it is today.

A point of open source is that everything is third party. Now we should have open source emulate the Steve jobs theory of software? All your codes belong to me?

Re:Was there a point to this? (0)

Anonymous Coward | more than 4 years ago | (#32945742)

You mean like how its supposed to work, with only basic and important things in /bin /sbin and the like?

Re:Was there a point to this? (0)

Anonymous Coward | more than 4 years ago | (#32946462)

Yah, the honor system worked wonders for Windows, you bonehead.

Re:Was there a point to this? (1)

sjames (1099) | more than 4 years ago | (#32945598)

Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.

That's the big point. It doesn't matter if drivers are signed or not nor does it matter if someone steals a random signing key IFF the OS doesn't go installing drivers from random USB keys that get plugged in.

USB devices are well defined so that as long as the vendor doesn't do something incredibly stupid like hiding all of the functionality behind a vendor specific extension, you don't usually need a bunch of special drivers.

For the exceptions or where the USB driver is just enough to let a userspace program control the device, just let the user install a driver.

The signing is not entirely useless as long as something being signed doesn't make it automatically trusted so that it doesn't have to get user permission (oops).

Re:Was there a point to this? (1)

mhall119 (1035984) | more than 4 years ago | (#32946710)

Still, on most Linux distros you're talking about maybe a dozen keys that the user themselves specifically trusted, and the chances of any 2 Linux users trusting the same 3rd party will be remarkably small. Under the Windows model, any Verisign trusted certificate will get you access, there's got to be millions of those (unless they restrict drivers to a different root certificate than app or website signing, but even then it'll be in the thousands), and if any one is compromised then every Windows user would be vulnerable.

Re:Was there a point to this? (1)

YesIAmAScript (886271) | more than 4 years ago | (#32945612)

Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.

You can set Windows to trust even less. In general a user can't install drivers at all on Windows, it takes an administrator to do it. If the administrator decides to install something without checking it well first, you're boned no matter what other steps you took.

Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there

This is not a problem with the model, it is a bug in the implementation. Are you saying linux doesn't have any coding errors in it?

With this bug, the code only runs as the current user. So if the current user isn't an administrator, there's no risk of infection of the entire system although everything that user does can be affected. Again this isn't any different from linux.

Re:Was there a point to this? (0)

Anonymous Coward | more than 4 years ago | (#32945096)

Hey dumbass, the compromised key is just part of the problem, the attack starts from a problem in Windows' handling of .lnk files, which apparently MS refuses to fix. It's in the fucking summary.

Re:Was there a point to this? (1)

Kepesk (1093871) | more than 4 years ago | (#32944830)

Yeah, Microsoft already has our money. Why would they bother trying to fix the problems? This is the problem with near-monopolies.

Re:Was there a point to this? (1)

drsmithy (35869) | more than 4 years ago | (#32945646)

Yeah, Microsoft already has our money. Why would they bother trying to fix the problems? This is the problem with near-monopolies.

Every single patch and update Microsoft has ever released refutes your broken argument.

Re:Was there a point to this? (1)

commodore64_love (1445365) | more than 4 years ago | (#32944902)

>>>It's like saying a politician told a lie.

Yes but some people still think politicians/government are completely honest so they need a reminder from time to time that they aren't. Likewise some people think Windows is safe. Just this morning a Slashdotter posted that Windows is no more insecure than Linux. This story proves them wrong. (If this was Linux it would be fixed within a week, by some resourceful OSS programmer.)

Re:Was there a point to this? (2)

dupeisdead (711704) | more than 4 years ago | (#32945202)

Reading the referencing articles and Microsoft's sites... They're not refusing to fix it. They said they're investigating and there's no plans to release an immediate fix. At best, this summary could be stretched to "urgent 0day attack vector that Microsoft hasn't released a fix for". I wish there was a way to rate articles as flamebait. Some days Slashdot is just like playing the "Telephone Game". sigh!

Way to mislead abusing the headline to drive hits (1, Informative)

Anonymous Coward | more than 4 years ago | (#32944642)

No plans to patch flaw right now, as in some OOB patch knucklehead

Source? (5, Insightful)

Arainach (906420) | more than 4 years ago | (#32944688)

I know Slashdot's editorial standards have dropped, especially when it comes to Anti-Microsoft articles, but there is no link here to any article that claims Microsoft has no plans to patch the flaw. Do we even have editors anymore?

Re:Source? (0)

Khyber (864651) | more than 4 years ago | (#32944744)

No need to patch it if they're aware and can just incorporate the fix into WSE.

Re:Source? (1, Troll)

jwilhelm (238084) | more than 4 years ago | (#32944752)

Microsoft statement via Technet blog:
http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx [technet.com]

Re:Source? (4, Informative)

Arainach (906420) | more than 4 years ago | (#32944770)

That's from their Anti-Malware team talking about how they detect it. Nowhere does it say that they have no plans to fix the bug.

Re:Source? (0, Troll)

jwilhelm (238084) | more than 4 years ago | (#32944804)

Here's a statement from the MSRC (Microsoft Security Response Center) blog:
http://blogs.technet.com/b/msrc/archive/2010/07/16/security-advisory-2286198-released.aspx [technet.com]

Re:Source? (5, Funny)

complacence (214847) | more than 4 years ago | (#32944862)

Here's a picture of a pony:
http://babybird.files.wordpress.com/2009/08/pony.jpg [wordpress.com]

What are you trying to do here? There still is no outright refusal to fix this.

Instead it says:

We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.

Re:Source? (0, Troll)

jwilhelm (238084) | more than 4 years ago | (#32944940)

I never said they were fixing it or not fixing it. The original comment was about a lack of primary source material being linked to. I was providing statements by Microsoft for additional information.

jwilhelm BUSTED! (0)

Anonymous Coward | more than 4 years ago | (#32945552)

I never said they were fixing it or not fixing it.

Don't be disingenuous. You were posting that first link clearly in response to someone saying "There are no links to Microsoft saying they're not going to fix this problem". I might have believed you just didn't read the first link and assumed you'd just made a mistake, but when someone then correctly said "Well, that document doesn't say anything about not fixing the problem" you came up with a second link that ALSO did not address the issue of fixing or not fixing the problem.

Now that both links have been shown not to contain any statement saying the problem would not be fixed, you're all like "Aw shucks, I was just a-tryin' to help". You claim that you were just providing "additional information" but if the issue is whether or not Microsoft is planning to fix or not fix the problem, then neither of your links provide any "additional information" at all. You were clearly pretending that those links somehow included a statement from Microsoft that they were not going to fix this problem. That's some sleazy shit right there.

You were trying to make it look like those links said something they did not, and you were relying on people's unwillingness to actually go and read TFAs to slip it by. People like to mod helpful links as "Informative" so you were hoping that once you were modded up, people would be even more inclined to oblige you by assuming your links actually provided proof that Microsoft was not going to fix this problem.

I'm no friend of Microsoft, and I don't really care one way or the other, but I hate this kind of perfidy. It's underhanded, intellectually dishonest and stinks up the place. The fact that you believed you'd get away with it, with your low Slashdot UID, makes you a real worm.

If you're made of anything at all, you'll admit what you did and apologize.

Re:jwilhelm BUSTED! (1)

suctionman (1855020) | more than 4 years ago | (#32945980)

Perhaps a little unwarranted? Poor jwilhelm only peed in the sewage.

Re:Source? (0)

Anonymous Coward | more than 4 years ago | (#32945036)

Here's a picture of a pony:
http://babybird.files.wordpress.com/2009/08/pony.jpg [wordpress.com]

that's disturbingly hot. thx!

xoxo
m33t

Re:Source? (1)

complacence (214847) | more than 4 years ago | (#32945082)

Yeah, I think it's censored, though. Sorry.

Re:Source? (2, Funny)

jesset77 (759149) | more than 4 years ago | (#32945300)

Here's a picture of a pony: http://babybird.files.wordpress.com/2009/08/pony.jpg [wordpress.com]

Gah, whyfor are things (badly) photoshopped out of the left and right sides of that image?

Stalin, is that you?

Re:Source? (0)

Anonymous Coward | more than 4 years ago | (#32945338)

Those bastards!

Re:Source? (1)

KarmaMB84 (743001) | more than 4 years ago | (#32944888)

We recommend that customers follow the guidance provided in the Security Advisory, making note of mitigations and tested workarounds. We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.

So they'll fix it or not fix it once they've completed their investigation of the problem.... sounds about right.

Re:Source? (-1, Troll)

jellomizer (103300) | more than 4 years ago | (#32944756)

Why would we need a link? Microsoft is Pure Evil... They never make any improvement to their products. They hate all their customers. And their business structure will never change. Any changes that they make have some evil nefarious reason behind them. While Linux or Google can do the same thing but it is a good thing.

Re:Source? (5, Informative)

alexhs (877055) | more than 4 years ago | (#32944784)

there is no link here to any article that claims Microsoft has no plans to patch the flaw.

To be fair the summary states

it has no plans to patch the flaw right now

Which is in the 2nd link actually.

Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.

Well, from that quote to the summary, there is quite a stretch, but what did you expect?

Well since we're going with semantics... (1)

Xacid (560407) | more than 4 years ago | (#32946286)

"no clear indication" isn't exactly a definitive response from Microsoft at all. It just means that one source hasn't heard a plan in *either* direction (to patch now/not patch now). Lots of room for ambiguity there, in my opinion.

Re:Source? (1)

sinthetek (678498) | more than 4 years ago | (#32944918)

I believe the headline is based on this statement FTA:

Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.

Granted it isn't as conclusive as the headline but it does have that connotation...

Re:Source? (1)

drsmithy (35869) | more than 4 years ago | (#32945664)

I know Slashdot's editorial standards have dropped, especially when it comes to Anti-Microsoft articles, [...]

That's not really correct. Slashdot has excellent editorial standards when it comes to Anti-Microsoft articles, and has been serving up some of the best ones on the Internet for going on a decade now.

Symantec is on it! (0, Flamebait)

CrackerJack9 (819843) | more than 4 years ago | (#32944698)

they have definitions for the malware - so I guess Microsoft doesn't have to patch the hole if it can be detected ?!

It feels good (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32944726)

It feels good here using Ubuntu Lucid

Paving the way to a wave of malware? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32944738)

Refusing to fix a dangerous vulnerability outright while still acknowledging it? Riiiiiiiiiiiight....

Great news for someone like me... (0, Redundant)

Rallias Ubernerd (1760460) | more than 4 years ago | (#32944934)

I just switched my laptop over to Ubuntu Maverick. I'm not affected by this vulnerability. Of course, I plan on re-installing Windows 7, but am not so sure I want to now.

goodie the certificate is revoked!! (0)

spottedkangaroo (451692) | more than 4 years ago | (#32945018)

Now, who's changed the defaults so that their browser actually checks the revocation cert lists? 38 people worldwide?

Re:goodie the certificate is revoked!! (3, Insightful)

butlerm (3112) | more than 4 years ago | (#32945280)

In this case, I think the question is whether Windows checks the certificate revocation lists. It is a code signature, nothing to do with the browser per se.

Can someone explain how it works? (1, Interesting)

transporter_ii (986545) | more than 4 years ago | (#32945046)

I didn't put it through exhaustive tests, but I actually tried to make some link files and put them on a usb drive and have them install something when I accessed the shortcuts in Windows explorer. No luck whatsoever. I looked for some working examples but I couldn't find any, either.

And funny, I did some work for a large oil/gas company that stored the config files for some flowmeters on usb thumb drives and left them in the battery boxes. It was really fun when the first wave of thumb drive viruses hit! That's one reason I find this story interesting.

transporter_ii

Whose fault is it? (5, Interesting)

KlomDark (6370) | more than 4 years ago | (#32945228)

I think Microsoft is right on this issue. This problem is truly not theirs, except for the amount it negatively affects them. (Which they can do little except attempt spin control on the issue.)

They designed their driver verification process intelligently: By implementing the requirement of the drivers being signed by an appropriate third-party certificate registrar (VeriSign in this case), thus leaving the issue of managing the business of encryption keys to the established so-called "experts".

Part of the process of obtaining a trusted VeriSign cert such as the device driver key involves the company desiring a high-trust certificate of this nature signing and complying with a detailed set of procedures describing the physical/organizational processes for how to handle and store the signed keys in a very secure and documented "chain of trust".

In the case where the security chain was broken by a (previously) trusted third party, in this case we'll probably find that RealTek is the cause of the issue by not properly following the chain of trust requirements, or how else would a rogue employee be able to sign his malicious driver?

<CoolStoryBro>
A decade ago, I was a systems engineer for the internet banking division of a large bank that owned a bunch of other regional banks, and I was a "primary key custodian" (A defined role in the chain of trust requirements), so I was the one who would handle the technical details as far as getting the cert created and installing it on the web banking servers. (Just SSL certs rather than driver signing certs, but at the core they're the exact same thing.)

The amount of procedural rigmarole for handling the certs was complex, and well thought-out. I would create our private key in front of a few handpicked suits from corporate and data security who would observe me as I created our unsigned private key, then I would look away while one of the security people entered a complex password that I was not allowed to know, then I would get the cert signed by VeriSign which would require the security guy to re-enter the password that I did not know, then we would get the certs back, print out several copies, seal them in an envelope, all of us would sign it and take it to a safety deposit box. The security guys were not allowed to have a copy of the unsigned private key, and I was not allowed to know the password to the VeriSign-signed (VeriSigned?) key.

[And it's been 10 years since I worked there, and the certs were only one-year certs (renewed each year going through the same type of process), so don't come try to hold me hostage for any info about the bank, my info expired 9 years ago! :) ]
</CoolStoryBro>

So it looks like RealTek may have dropped the ball on their cert handling procedures. Maybe VeriSign was lacking in their process auditing as well. Who knows? (I don't)

But to blame this one on Microsoft is asinine, how were they supposed to do anything different?

I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign, but that would be devastating to online commerce as VeriSign has a near monopoly on the certificate registry market, so encryption would suddenly stop working on nearly all online businesses overnight. // But the bright side: All those sites would still work in the morning on Linux, giving it a huge boost! :) /// But on the dark side: All those sites would still work in the morning on Macs as well, giving the idiocracy movement a huge boost as well. :(

Re:Whose fault is it? (2, Informative)

10101001 10101001 (732688) | more than 4 years ago | (#32945604)

The flaw that isn't going to be fixed "in the near future" is the "if a shortcut's icon is shown in Windows Explorer, then automatic execution of malicious code may occur" (perhaps this is some sort of buffer overflow in the icon parameter reader?). The best workaround? Disable the display of icons for shortcuts. Attack vectors? WebDAV, USB sticks, and LAN shares mostly. To that end, I'd imagine Microsoft is directly at risk given they likely have multiple rather huge LANs and it's already been demonstrated that at least some hackers are specifically targeting organizations (RealTek, for one). How much do you think Microsoft's source code is worth?

Re:Whose fault is it? (5, Informative)

causality (777677) | more than 4 years ago | (#32945756)

But to blame this one on Microsoft is asinine, how were they supposed to do anything different?

Do you have any familiarity whatsoever with this situation?

Windows has an acknowledged flaw/vulnerability related to its handling of .lnk files (shortcuts). That flaw is being exploited to install this malicious driver. The problem has been greatly compounded by the fact that the driver is signed by a previously-trusted private key, but this is not the original flaw. Normally the act of merely plugging in a USB thumbdrive does not immediately install system software such as device drivers. It is that acknowledged .lnk flaw that makes this possible.

If you can install a hardware driver with an exploit, you can also install a worm, rootkit, etc. This attack happens to install a device driver. If Realtek's private key had never been compromised, then instead of installing a malicious device driver, you'd have Windows users plugging in infected USB thumbdrives and immediately becoming members of botnets. The flaw is in the Windows system and its handling of shortcut files.

It is that flaw and only that flaw for which Microsoft is being blamed.

I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign

Why would they do that when Verisign can revoke only this specific Realtek cert? In fact that's exactly what they have done.

Seriously. Did you even bother to read the summary? At all? I'll quote it for you. This is the summary, verbatim:

"Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

Emphasis is mine. Now go clean the egg off your face.

Re:Whose fault is it? (0, Offtopic)

KlomDark (6370) | more than 4 years ago | (#32946752)

The "autorun" functionality is both a blessing and a curse, and has been for quite some time. It is not the direct point, although I agree the headline sure tries to make it seem like that's the issue.

Autorun can be, and has been, bitterly debated for a long long time. As an experienced geek, I myself find it quite moronic. However, they also have to support the run-of-the-mill crowd, the non-technical types, where autorun makes sense in a lot of scenarios, as well as the issues that come with it.

However, in this case, they took ample time to complete their "due diligence" and the "requiring signed drivers" solution is a very reasonable way of mitigating the risks.

If autorun was REQUIRED to install virii, worms, bad drivers, etc, then I'd be 100% opposed to it. But they've done the best they can, and probably the best anyone's going to come up with to fully minimize the risk by requiring signed drivers. But there's many other ways to get a clueless user to do one of many things that could have the same effect. If there's a will, there's a way.

But, I guess you'd like to throw the baby out with the bathwater entirely, and just get rid of autorun forever. While that's a clear logical choice to a heads-down geek, in the real world it's an acceptable risk to make driver installation painless for the vast jungle of technomorons out there who just want to plug some shiny toy into their computer and it just works. [And that's unfortunately the lion's share of people who buy shiny gadgets to plug into their computer.]

Working as intended? (3, Insightful)

goodmanj (234846) | more than 4 years ago | (#32945348)

I'm not a Windows expert, but isn't this exactly the way the certificate system is supposed to operate? This sounds like a security success story, not a failure.

Driver needs certificate to work with OS. Driver is found to contain security flaw. Certificate is revoked, OS refuses to recognize driver, security hole is closed. Now driver manufacturer has to clean up their act before their drivers are allowed back in the house.

The headline reads "Microsoft has no plans to patch new flaw", but isn't the certificate revocation at least as good as a patch? More so, because it seals off any *other* undiscovered bugs in the driver? Or am I missing something?

Re:Working as intended? (4, Informative)

causality (777677) | more than 4 years ago | (#32945790)

I'm not a Windows expert, but isn't this exactly the way the certificate system is supposed to operate? This sounds like a security success story, not a failure.

Driver needs certificate to work with OS. Driver is found to contain security flaw. Certificate is revoked, OS refuses to recognize driver, security hole is closed. Now driver manufacturer has to clean up their act before their drivers are allowed back in the house.

The headline reads "Microsoft has no plans to patch new flaw", but isn't the certificate revocation at least as good as a patch? More so, because it seals off any *other* undiscovered bugs in the driver? Or am I missing something?

Please see this post [slashdot.org] where I correct a similar false notion. Then, please berate your teachers for failing to transmit basic reading comprehension skills to you. Hint: the signed malicious device driver is incidental and is not the flaw that Microsoft may or may not patch.

Sorry for the tone but I just don't see what part of this is difficult to understand.

Collateral Damage? (0, Offtopic)

LostCluster (625375) | more than 4 years ago | (#32945394)

What was the main use for the Realtek Semi certificate that's being revoked? I would hate to see a bunch of SmoothWall/Untangle implementations shut down by having their network drivers revoked....

Re:Collateral Damage? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32945490)

I never trusted Realtek after fighting with their "HD" drivers on a Vista64 install that I was having trouble with.

I started digging around in their driver kit and found a massive number of DLL's, VXD's etc etc, a lot more than what I would expect for a "sound card", but what really looked suspicious to me was that they included VNC in the drivers. Why in the hell would a sound card driver need to install VNC?

Re:Collateral Damage? (2, Insightful)

xous (1009057) | more than 4 years ago | (#32945710)

Are you serious? How the fuck did this get modded insightful. Why the hell would this affect products based off a Linux kernel that does not verify any drivers. Secondly who would build a serious firewall on Realtek hardware? They are notoriously problematic and unreliable.

DVW (1)

harddriveerror (1623145) | more than 4 years ago | (#32945588)

Damn Vulnerable Windows!

Where did 'no plans to patch' come from? (4, Insightful)

mysidia (191772) | more than 4 years ago | (#32946044)

The article doesn't say it, and at no time was Microsoft reported as saying there were no plans to patch this bug.

Just because you are unaware of them reporting they will release a patch does not mean they have no plan to patch it.

They have offered workarounds and appear to be treating this seriously.

Just because it's the weekend and they haven't told you there will be a patch available Monday DOES NOT mean they are ignoring or refusing to work on patching this.

fai7z0rs! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32946094)

Okay... (0)

Anonymous Coward | more than 4 years ago | (#32946610)

...let me get this straight, we have signed drivers that install malware, we have a discovered vulnerability that enables this, we have Microsoft, aware of the problem, but unwilling to do much of anything about it, and we have a 3rd party, Verisign, that has decertified the drivers, which ought to render them null and void, more or less, unless the operator is foolish enough to install them anyway.

Sounds kinda silly, but Verisign is obviously doing what it's supposed to, the operator SHOULD know enough NOT to install suspect drivers, so Microsoft is being a bit slow in acting on the inherent vulnerability in the OS (typical). Now.....how in the world did these drivers get a pass from the original vendor?

Microsoft Security Issues (1)

helix2301 (1105613) | more than 4 years ago | (#32946814)

Microsoft is really getting picked apart security-wise the last few days. Probably because of Black Hat and Def Con coming up very soon; it always happens this time of year. Microsoft security and viruses run rampant a bit.