Google Researcher Issues How-To On Attacking XP
theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
I Don't Think Zero-Day Means What You Think (Score:5, Informative)
exploits a zero-day vulnerability
Zero-Day [wikipedia.org] would mean that Microsoft had zero days to fix it or no time at all to patch the system that had the security vulnerability between the time they release the software to the time the bug goes public. By that definition this would be best described as a "five day exploit" or more in fact if they knew about it before Ormandy's notice.
Re:Zero days notice (Score:5, Informative)
I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.
No, it's the time between public disclosure of the vulnerability and the time when the exploit is released. When you hear about it or when you see it is quite irrelevant.
It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.
Yes, as demonstrated by your comment. Zero-day cracks are cracks which come out on the release date, and Zero-day exploits are exploits which exist in the wild (whether you have detected them or not) the same day as the disclosure.
Re:They did no evil (Score:1, Informative)
Spot on. Here's the problem with the majority of the comments I see now: they didn't even bother to RTFA. Your comment pretty much sums it up.
Note that the workaround (disabling the protocol handler) is preferred, as the hotfix is not sufficient (see comments on the article itself).
Re:I Don't Think Zero-Day Means What You Think (Score:4, Informative)
Dictionary.com defines zero-day as an unpatched bug. When I went to OneLook, half the sites that had definitions listed zero-day as unknown-to-provider bugs, half as unpatched.
Seems there's some ambiguity in the term.
8 yro Linux Kernel exploit (Score:5, Informative)
Um sure....
Bug exposes eight years of Linux kernel [theregister.co.uk]
Re:Negative. (Score:5, Informative)
I submitted a security issue in how one of their management products generates a private key for signing internally distributed programs and other things. I gave them all the details; it took a while, but they patched it and included the fix in the release of the 2010 System Center Essentials (a mishmash of their pricier, more specific products).
Full disclosure is, of course, the only way to go when you don't get a response. If they don't treat security as a serious matter, then don't waste your breath. But complicated bugs can be difficult to fix, and fixing those bugs requires not insignificant regression testing.
Re:Grow up (Score:5, Informative)
You might want to pick a subject you know a little about before pontificating. Tavis Ormandy has reported dozens of critical security vulnerabilities to Microsoft and others. Just search for "Tavis Ormandy Windows kernel vulnerability" to get some of his top finds. And in these previous cases you can compare the report and disclosure dates to see that he's waited several months, or in some cases more than a year for the patch release. If you actually read Tavis' disclosure and note the trivial nature of this bug, you'll see that he just got sick of waiting on Microsoft's extremely long fix pipeline, and chose this as an opportunity to push back.
Now, I'm not saying I agree with Tavis' actions here, but the actual situation bears no resemblance to your uninformed framing.
Re:Missing from the summary (Score:2, Informative)
Also missing from the summary is that if you switched from IE6 to something other than IE, you're safe.
Re:Industry Standard (Score:3, Informative)
"People don't want bug fixes, they want new features and bells and whistles instead."
I remember that interview: Bill Gates was asserting that people won't pay for bug fixes, but only for new bells and whistles. And he's right! People expect software with no bugs and they expect that the inevitable bugs will be fixed for free. The big problem, of course, is that Microsoft put new bells and whistles at a higher priority than bug fixes since they get paid for the former but do the latter for free.
Re:Negative. (Score:3, Informative)
Not true, he says in his advisory that Microsoft acknowledged receipt the same day.
They didn't do their own advisory within 5 days (actually 4 1/2), which is perhaps what made him think it was the right thing to go public. Ormandy himself has begun to realize that he handled it badly.
Bear in mind that he reported it the Saturday before an especially heavy Patch Tuesday. It's reasonable to presume that people at the MSRC were busy.
And if anyone thinks Google is involved they're obviously wrong. I'm sure the security people at Microsoft know that Ormandy thought he was acting in a private capacity. This was a poor decision on his part, and he can't do this sort of thing privately without it impacting on his employer. I'm sure they were pissed at him.
Would of? What does that mean? (Score:4, Informative)
"Would've" might sound like "would of", but as the 've indicates, it is a contraction for WOULD HAVE.
More importantly, it makes sense for someone TO HAVE DONE something.
It does not make sense for someone TO OF DONE something.
Re:8 yro Linux Kernel exploit (Score:3, Informative)
Thanks for the Linux bug reference. I noticed a couple of things.
Both the Linux kernel null pointer dereference bug & the malformed character escape bug we're discussing today were reported by the same guy: Tavis Ormandy. I think that this refutes the claim that a few people are making that today's incident is just an attempt by Google to sabotage Microsoft. It seems to me like this guy is disclosing vulnerabilities wherever he finds them and letting the chips fall where they may.
Also, the Linux bug is one that can allow local privilege escalation. It's bad & needed to be fixed, but an attacker would have to have access to the system first. The Windows bug is one that will allow remote code execution; that's why we have botnets. I'm just sayin'.