AfterDawn: Tech news

Google engineer criticized for release of XP exploit code

Written by James Delahunty (Google+) @ 11 Jun 2010 22:17 User comments (5)

A Google engineer has been targeted with harsh criticism from security researchers everywhere for releasing code to exploit a vulnerability in Microsoft operating systems.
Tavis Ormandy has been criticized for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.

Critics take issue with Ormandy releasing the code needed to exploit the vulnerability only five days after he alerted Microsoft to the problem. Under the usual practice, the software vendor is alerted to the problem first, a patch is prepared and made available for end users to download and install, and only then is the vulnerability made public in all its details.

Microsoft Corp. is not known for fixing such issues quickly, and doesn't often release such updates outside of its normal "Patch Tuesday" schedule. Ormandy, according to his own writing afterward, didn't seem convinced that Microsoft would actually fix the problem unless there was exploit code freely available in the wild as motivation to do so.

The most likely reason Ormandy's actions prompted such a backlash is his link with Google, whose relations with Microsoft have of late only grown more sour.

Specifically, the problem lies in the Windows Help Center. The Help Center uses a whitelist of approved web pages to which users are sent for assistance, but a flaw allows unsafe URLs to be added to that whitelist.


5 user comments

#1, 11.6.2010 23:16

the sooner you get it out the sooner someone will find a fix........oh and if YOU don't get it out others will and it be from the other end of the spectrum....

#2, 12.6.2010 0:04

Most Microsoft systems automatically check for updates several times a day...why shouldn't Microsoft stay on top of things? They should have had the fix as a critical update within 24 hours.

#3, 12.6.2010 0:24

Originally posted by KillerBug:
    Most Microsoft systems automatically check for updates several times a day...why shouldn't Microsoft stay on top of things? They should have had the fix as a critical update within 24 hours.

I don't think it's really too bad. I mean, how often does anybody even use the help center? I don't think I know of anybody who would use it very often, not nearly often enough to go out of the normal patch cycle.

Microsoft does occasionally release an out of schedule patch if it is serious enough to warrant it though. I think the actual issue with this release of the exploit code is the affiliation with Google, which has its own rival OS software and has recently taken a few steps against the use of Windows by Google employees etc. Other than that, even the Flash problems fixed in 10.1 are far worse than the help center bug I would imagine.

I reckon that delays for Microsoft releasing any patch are more to do with testing afterwards. There have been a few situations where Microsoft updates have caused BSODs and other undesirable consequences, usually due to malware or defective third party drivers, so I think there's a lot more to take into account in patch preparation considering the mass chaos that would ensue if Microsoft pushed out a dodgy update to millions of comps with Automatic Updates doing the work, that resulted in making the computers unstable etc.

#4, 12.6.2010 2:47

I don't think Chrome can claim to compete with Windows...it does not even have the market share of Linux or OSX. Plus, there is no software for it other than a few Java & Flash apps that work on everything but Apple mobile devices.

Microsoft pushes bad updates all the time; most updates you see for XP are version 2 or 3 of the patch because the first 1 or 2 were totally broken. If anything, their scheduling probably makes them rush on releasing the ones that are not yet tested.

As for "If it is warranted", there has been a massive security hole in every version of Windows since 2000, and it is in both x86 and x64 versions. Microsoft refuses to fix it, and in fact they have made the problem worse by assigning more Windows services to the svchost.exe program. This massive bug is going on ten years old, and Microsoft has yet to even address it. Given the fact that this has been common knowledge for at least 9 years, you might think they would fix the problem...but they don't.

#5, 12.6.2010 11:14

Originally posted by KillerBug:
    I don't think Chrome can claim to compete with Windows...it does not even have the market share of Linux or OSX. Plus, there is no software for it other than a few Java & Flash apps that work on everything but Apple mobile devices.

    Microsoft pushes bad updates all the time; most updates you see for XP are version 2 or 3 of the patch because the first 1 or 2 were totally broken. If anything, their scheduling probably makes them rush on releasing the ones that are not yet tested.

    As for "If it is warranted", there has been a massive security hole in every version of Windows since 2000, and it is in both x86 and x64 versions. Microsoft refuses to fix it, and in fact they have made the problem worse by assigning more Windows services to the svchost.exe program. This massive bug is going on ten years old, and Microsoft has yet to even address it. Given the fact that this has been common knowledge for at least 9 years, you might think they would fix the problem...but they don't.

Chrome doesn't compete much with Windows _now_, no, and as far as its project goals go, its features won't ever completely overlap with those of Windows either... but... it does compete with Windows in certain markets, or at least it "will" if it works out how Google intends, particularly in the market for netbook-like devices that heavily use cloud applications.

As for Windows updates, I have yet to personally get any problem from a Windows update but I did have several PCs recently that ended up unbootable because of how a Windows Update clashed with malware using rootkit techniques to hide itself. That, and badly written third party drivers, are the two main reasons for Windows updates resulting in bad things, like an unbootable system.

The big problem for Windows, particularly XP, is the fact that unless you run everything with admin rights, you are bound to run into problems running a lot of _every day_ software. Indeed, XP itself defaults to admin rights for local user accounts.

The result of that is millions upon millions of people running everything with access rights that allow it to access and write to system files and potentially cause a lot of problems... and most software doesn't really need this level of access to achieve its tasks, but the fact that when you take it away, it doesn't work properly, confirms that it's how the software is written, not particularly Windows.

Now Microsoft could potentially attempt to force software authors to write software that works more often with less access rights, but there's more or less no point now with Windows XP being phased out for 7 in new OEM PCs etc. which are largely bought by casual home PC users - not to mention that there's nothing that could be done about the millions of software items written for Windows anyway.

With Windows Vista and 7, this isn't as much of a problem but the trade off for a lot of users is annoying nags from user account control. Of course, if you know what you are doing, you don't need to have these prompts switched on at all and you can force the OS to default to admin for your accounts, but the nags aren't for the PC user of decades, they are for casual home PC users who don't know the first thing about how the operating system even works.

When you take Windows market share in the home PC market, the type of users common to Windows (Windows is _the_ operating system of the casual home PC user... arguably the most vulnerable user), the unbelievable amount of third party devices that are made specifically for Windows and require running device drivers, the closed-source nature of NT etc. you are simply bound to run into security problems.

When a large portion of NT source code leaked a few years ago, it was followed by some of the worst exploits being available for Windows XP and 2000 in their lifetimes. That's where the protected source becomes a problem: when a lot of security was assumed based on the fact that only authorized parties could view the source, and that source gets out, you are immediately in trouble.

Largely due to the NT leak, you simply could not run Windows XP with no service pack, or even with SP1, without eventually becoming infected by another Windows machine scanning over your ISP if your computer is connected directly to the net and not behind any kind of firewall protection.

However, if you run a Windows XP installation with SP3 and all updates installed, which is the most common XP installation arguably at the moment due to automatic updating, you could run it like that for as long as you want and it will be fine and it will look after itself if default settings are on. However, as said before, when the biggest user is casual home PC users you WILL run into trouble.

Where is criminal investment going in this area? It has been targeted primarily at XP for nearly 10 years now because it has many vulnerable users. Install rogue anti-virus on 100,000 Windows XP PCs (which is delivered usually by either the user installing it directly possibly by giving into malvertisements, or it is installed by another piece of malware like a conficker variant which also made its way to the operating system due to the user running something dangerous with admin privileges) and you will probably make a lot of money and gain a lot of sensitive usable personal information on people.

For that reason, it is _the_ target; that is simply going to be the case for any cyber criminal looking to make money, and there are a LOT of them. Microsoft and many security software authors are in an all out war to keep up with malware authors because they keep finding new ways to keep their software installed and hidden on a victim's computer, and it's gone to the point with rootkits where they get in so deep that attempted removal by some security software can actually cause serious problems. But again, in almost every case, these malware items are installed on a PC because the user installed them. Malware authors target people's fears about their security, as you have seen time and time again; it's like a giant social engineering attack on the millions-strong Windows users globally.

Even beyond malware, there's another problem. Because of the large amount of devices and software available for Windows, which doesn't require any kind of approval process, there are also terrible drivers that people install every day that cause havoc. Remember the Error Reporting Service, particularly the "Windows has recovered from a serious error" message on boot? It sends a crash dump to Microsoft so that it can attempt to find a probable cause for the crash, and since this happens a lot when you take into account all of the Internet-connected XP machines in particular, Microsoft has stats on the largest causes.

Over 70%, last time I read stats, were confirmed to be caused by third party device drivers doing something in kernel mode they are not supposed to do. This results in a BSOD either immediately or eventually based on what actually went wrong. Another 15% could not be confirmed because the crash dump retrieved by Microsoft was unable to give any indication about what happened, and it's safe to assume that at least 70% of those are also due to device drivers because of their potential to screw up kernel memory.

So that's already a giant amount of serious Windows problems being associated with third party device drivers... and that leaves out hardware failures (particularly bad memory and bad HDD which are the most common hardware problems) AND the all out assault on Windows security by pretty much every single malware manufacturer on the planet. But I guess that's the price of having an operating system that is supposed to be open to all kinds of software and devices as long as somebody is willing to write them.

Now, as for the massive security hole you were talking about, do you have more info on it, because I'm not sure which you are referring to? I will say though that svchost.exe is an essential component of Windows to host DLL-based services, and of course like all other essential Windows components, it is always mimicked and exploited by malware to hide from users, but that's not surprising in the slightest; if malware hides itself as a service it probably will somehow use svchost to do so.

Anyway, I don't disagree that Windows is an unsafe operating system to use for a lot of reasons, but I think the reasons are often discarded and the "Windows is just shit and it's all Microsoft's fault" myth is used instead, when really there are major reasons for Windows stability and security issues that can't exactly be blamed on Windows alone.

Sorry for length of reply ;-)
