
Google Researcher Issues How-To On Attacking XP

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
  • Just turn it off (Score:5, Interesting)

    by GaryOlson ( 737642 ) <slashdot@garBLUEyolson.org minus berry> on Friday June 11, 2010 @08:12AM (#32533776) Journal

    ...leverage a flaw in Windows' Help and Support Center...

    This service is turned off by default on all systems I manage, both as part of initial installation and, where possible, by Group Policy. Just another parasitic service which is not necessary... because everyone just uses Google anyway.

  • by Jurily ( 900488 ) <jurily&gmail,com> on Friday June 11, 2010 @08:12AM (#32533782)

    Thank you so much. I'm sick and tired of every fucking bug labeled as "zero-day". Especially considering the fact that the bug itself may have been around for years.

  • by eldavojohn ( 898314 ) * <eldavojohn.gmail@com> on Friday June 11, 2010 @08:12AM (#32533788) Journal
    They were not happy [technet.com] and said

    "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented."

  • by ircmaxell ( 1117387 ) on Friday June 11, 2010 @08:23AM (#32533846) Homepage
    I've always understood (I know the "definition", but it seems like a lot of people use mine) a Zero-Day as an attack that requires no action by the victim. So a flaw in Apache that allowed a remote user to execute code with a malformed HTTP request would by its very definition be a Zero-Day. I know that's not the "official" definition, but based on what a lot of people call a Zero-Day, it seems that I'm not the only one with that idea...
  • Industry Standard (Score:5, Interesting)

    by protektor ( 63514 ) on Friday June 11, 2010 @08:25AM (#32533870)

    I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with closed-source software. So the industry decided that 5-7 days after letting a vendor know about a problem, everyone would release the information so that everyone would know about it rather than just the bad guys, so system admins would know to watch for that type of attack, and to force the vendor to fix it in a timely manner.

    Seems like this is just standard timing, since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend the manpower and money required to fix program bugs. They would rather fix them when they get around to having the free time a few months later. After all, bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing: "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.

    The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.

    If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you historically couldn't be bothered to fix in a timely manner.

  • They did no evil (Score:5, Interesting)

    by keirre23hu ( 638913 ) <j2k4real@g[ ]l.com ['mai' in gap]> on Friday June 11, 2010 @08:45AM (#32534014) Homepage

    Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical standpoint).

    Did you RTFA? The Google engineer - who btw didn't use any indication that they are from Google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing a (NON-ZERO-DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix? I'd expect a company that derives Microsoft-sized revenue from their OS to have someone readily available for these issues.

  • Weird (Score:4, Interesting)

    by ledow ( 319597 ) on Friday June 11, 2010 @09:39AM (#32534558) Homepage

    It's a bit of a crappy and unreliable exploit to say the least.

    For some reason, my up-to-date Opera on XP SP2 just executes VideoLAN to load a (non-existent) JPG instead of the supposed WMP execution -> vulnerability trick that IE is vulnerable to. VLC then just errors out because the hcp:// protocol is obviously nonsense to it. I assume my copy of VLC is somehow associated with opening unknown protocols in Opera.

    And in the IE case, WMP executes and then ZoneAlarm (ancient version) pops up and asks if I want Windows Media Player to access the local network. Twice. If I Deny, nothing happens. If I allow (both times), Windows Help and Support Center opens and then another ZA popup asks me to give permission for that too (and that says "Internet" rather than local, which would be blocked by default). If I allow that too, I get a copy of Windows Help and Support Center with a search for the nonsense page and not much else. "Computer Information for \\eval(unescape('Run("calc.exe")'))" is what's literally written inside it, and calc doesn't execute.

    My IE, WMP, ZA and Windows Updates on this machine are NOT up to date by any means. The only thing that's up-to-date is Opera. Nothing untoward would have happened under normal usage. So it seems of dubious use at best, it's not a particular killer of a vulnerability.

    However, the technical analysis was quite interesting and the problem basically stems from shitty programming at every level - not checking return values that indicate failure, continuing on and then passing arbitrary (and unescaped) strings to other functions, a cross-site scripting error within the Windows Help internals (due to insufficient escaping of data), allowing script execution to happen again on dynamically-generated script code because someone tagged "defer" (a Microsoft-only invention) onto a script tag, and finally a way to avoid a security-related prompt on versions of IE, Firefox and Chrome by hiding the very same code inside an iFrame / Object which executes WMP. It's like a catalogue of errors, some of which have been previously reported and well-known for ages. It's just crap all the way down to actual execution of anything you like using wscript. And that's present in XP - a 9-year-old operating system with millions of deployments, Server 2003 and probably a lot of others using non-ancient versions of IE, WMP, etc.

    Stop whinging Microsoft, and fix this crap. That's been in the OS that millions of people used for **years**, after all your patching and service packs, and you never even spotted it, even when you were the only people with the code to the damn thing. I'm not saying it's easy or you should find everything, but FFS - the problems there just show crappy programming and patchwork all the way to the OS core. That "defer" thing just REEKS of someone saying "But I need a way to bodge this...". Whether it's responsible disclosure or not - fix it first, whinge about their methods later. Where's my response saying when you'll fix it? Where's the estimated patch release date? Where's the hotfix? When you've put those out, you can whinge about them being irresponsible with security. And then they can say "But we're one of your main competitors!" and laugh at you, the same way you would if one of your researchers found a major bug in Google's websites / OS / browser.

  • by kervin ( 64171 ) on Friday June 11, 2010 @09:42AM (#32534598)

    So the industry decided that 5-7 days after letting a vendor know about a problem that everyone would release the information so that everyone would know about rather than just the bad guys and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.

    Except he doesn't give 5 days. This guy minimizes the amount of time Microsoft has to respond to the issue while trying to stay in the 5 day window.

    1. First, he could have given more than 5 days, i.e. at least a week. He chose 5 days.
    2. He chose the worst possible day of the entire week to report the bug: Saturday. Even Sunday would have been better, since half the weekend is gone. Also it would be easier to get a bigger emergency team on this the following day.
    3. After all this he reports the bug, first thing on the 5th day!

    This just shows how dirty the IT fighting has become ( not that it was ever civil ). And as many have pointed out, even if you don't like Microsoft this affects the XP and 2003 Server users the most.

  • he got a response (Score:5, Interesting)

    by kervin ( 64171 ) on Friday June 11, 2010 @09:49AM (#32534684)

    Sorry, but did you read the article? He got an immediate response.

    This guy is clearly trying to meet the 5 day minimum only. Who reports a bug on a Saturday, then goes public first thing the morning of the 5th day?

    Does Google Have a Double Standard on Full Disclosure? [threatpost.com]

  • Re:Do no evil (Score:2, Interesting)

    by Cheburator-2 ( 260358 ) on Friday June 11, 2010 @09:54AM (#32534758)

    I don't think his managers approved his conduct. He doesn't believe in responsible disclosure, but it seems like Google as a company does. So I wouldn't be surprised if an apology or termination followed soon.

  • Re:They did no evil (Score:4, Interesting)

    by n0-0p ( 325773 ) on Friday June 11, 2010 @10:05AM (#32534910)

    Actually, Tavis specifically suggested disabling the hcp: protocol handler. His statement on the hotfix was:

    In the unlikely event that you heavily rely on the use of hcp://, I have
    created an unofficial (temporary) hotfix. You may use it under the terms of
    the GNU General Public License, version 2 or later. Of course, you should only
    use it as a last resort, carefully test the patch and make sure you understand
    what it does (full source code is included). It may be necessary to modify it
    to fit your needs.

    MS are the ones focusing on the hotfix and claiming it's flawed without providing an explanation. MS are also the ones desperately trying to frame this as Google, when it was Tavis operating independently on his own time.

    I'm not saying I agree with what Tavis did, but MS' shady response certainly isn't making me less inclined to side with Tavis.
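
    The two host-side workarounds this thread mentions, turning off the Help and Support Center service (GaryOlson's comment above) and disabling the hcp: protocol handler (the mitigation n0-0p attributes to Tavis), as an added PowerShell audit/remediation script. It is not part of the original thread and is not the hotfix Tavis published; the service name helpsvc, the registry key HKEY_CLASSES_ROOT\HCP and the switch name -Apply are this example's own assumptions about a standard XP / Server 2003 layout, not values taken from the page.

```powershell
# Added example (not from the thread): report on, and optionally disable, the
# Help and Support Center service and the hcp: URL protocol handler on an
# XP / Server 2003 host. 'helpsvc' and HKCR\HCP are assumed standard names.
# Run in an elevated PowerShell session; without -Apply it only reports.
param(
    [switch]$Apply
)

$serviceName = 'helpsvc'                          # Help and Support Center service
$hcpKey      = 'Registry::HKEY_CLASSES_ROOT\HCP'  # hcp: protocol registration
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile  = Join-Path $env:TEMP "HCP-protocol-backup-$stamp.reg"

# --- 1. Help and Support Center service ---------------------------------
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "Service '$serviceName' not present (not XP/2003, or already removed)."
} else {
    Write-Host ("Service '{0}': status={1}" -f $serviceName, $svc.Status)
    if ($Apply) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
        Set-Service -Name $serviceName -StartupType Disabled
        Write-Host "  -> stopped and start type set to Disabled."
    }
}

# --- 2. hcp: protocol handler ----------------------------------------------
if (Test-Path $hcpKey) {
    # The handler command lives in the default value of shell\open\command.
    $cmdKey  = Join-Path $hcpKey 'shell\open\command'
    $handler = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    Write-Host "hcp: handler registered: $handler"
    if ($Apply) {
        # Export the key first so the change can be reverted once an official fix ships.
        & reg.exe export 'HKCR\HCP' $backupFile | Out-Null
        if (Test-Path $backupFile) {
            Remove-Item -Path $hcpKey -Recurse
            Write-Host "  -> HKCR\HCP removed; backup written to $backupFile"
        } else {
            Write-Host "  -> backup failed; leaving HKCR\HCP in place."
        }
    }
} else {
    Write-Host "hcp: protocol handler not registered."
}
```

    Run it once without -Apply to see what the host actually has registered (the handler string tells you which binary answers hcp:// links), then with -Apply to disable both. Removing HKCR\HCP breaks Help and Support links that use hcp://, which is the trade-off n0-0p's quote of Tavis alludes to; the exported .reg file restores the key with `reg import`.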

  • by Abcd1234 ( 188840 ) on Friday June 11, 2010 @10:42AM (#32535382) Homepage

    No, it's the "look, seriously, give me some time before you tell everyone how to pick our locks" approach. 5 days is a *ridiculously* short time in which to expect MS to turn around a fix, doubly so given they've been burned in the past by fixes hosing obscure configurations.

    What's the "right" number? I don't know... 15 days is probably more reasonable, but it really depends on the scope of the issue. But 5 days is *clearly* too short... well, at least to anyone with half a brain and experience in the software industry (which, evidently, doesn't describe many of the commenters on this particular article).

  • Re:Negative. (Score:3, Interesting)

    by dave562 ( 969951 ) on Friday June 11, 2010 @12:05PM (#32536622) Journal

    Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

    That's what he was complaining about, and I think it's a legitimate complaint.

    He did get a response. He didn't get a resolution (in the time frame he wanted one in).

    Let's put a not-so-hypothetical situation out there to consider. You're working your ass off getting a project out the door, coding your little heart out (in this case, Microsoft was in the final hours of their "patch Tuesday" process). A vendor of yours comes to you on Friday night with a NEW problem that they think is a big deal. You acknowledge their complaint, file it away and go back to working on what you were working on. Two business days later, you learn that your vendor took out ads in every major publication and website touting what an idiot you are for not "responding" to him, even though you did.

    The person who released the vulnerability needs to grow up. Just because he might be a competent security researcher doesn't seem to translate to him being able to act like an adult, and to treat others with respect. Don't even bother to say, "Well, Microsoft doesn't treat others with respect," because as any second grader knows, two wrongs don't make a right (but three lefts do). What adult expects another grown adult (or group of adults) to drop everything they're working on to respond to what one person believes to be a huge problem? If everyone dropped everything every time something "important" popped up, nothing would ever get done.

    The fact that the guy works at Google shows that he comes from a different head space. Google lives in perpetual beta and their apps are oftentimes "temporarily unavailable". We've all seen what happens when Microsoft releases a bad patch. Tens if not hundreds of millions of people are running Windows XP. The last "bad patch" Microsoft pushed out BSOD'd a bunch of compromised computers. The patch worked fine on clean computers, but Microsoft still caught flak for that one, as if they should be required to test their patches against every known malware out there.

    Why is the guy even messing with XP anymore anyway? That is two generations ago. Why didn't he hit Windows 7 if he wants to make the point that Microsoft is insecure and slow to respond to critical issues? It could be completely possible that the bug he found in XP doesn't even exist in Windows 7 (but I wouldn't hold my breath on that one). Maybe Microsoft researchers should focus on breaking Android 1.5 so that they can generate a bunch of bad PR for Google and point out how inept they are when it comes to developing mobile phones?
