Five days after it was disclosed in a highly controversial advisory, a critical vulnerability in Microsoft's Windows XP operating system is being exploited by criminal hackers, researchers from anti-virus provider Sophos said on Tuesday. The flaw in the Windows Help and Support Center was disclosed on Thursday by researcher …
"For individual users, the easiest way to do this is to use the online 'Fixit' application Microsoft has provided here."
It would be interesting to know more about what he was tweeting, or rather the meat behind the tweet.
Patch or die?
It must be a bit of pain for MS - they passed by XP many years ago but to maintain their corporate image they have to be seen to care about it even though it long ceased to generate revenue.
Is there a culpability issue? XP's security snags are responsible for a huge amount of spam and identity theft.
MS made a huge amount of money off it but where does their responsibility end? Where is the point that they can say it is too old to maintain security patches for and gracefully suggest you run their current thing?
They have a rather large share of the market and should that be allowed to bias the answer to the previous questions?
... a "bug tax" so everyone else pays for their goofs.
Does that answer your question? No? Well. Let me offer a quote:
"I used to be convinced that MicroSquish shipped crap because they simply didn't give a flying fuck as long as the sheep kept buying their shit. Now, I'm convinced that MicroSquish really does ship the best products they are capable of writing, and *that's* tragic." --jcr
Is that culpability? What about all those people that keep on buying clearly substandard software? Discuss.
Free upgrades, then cease support.
The trouble is sluggish Microsoft did not provide Windows 7 in time for the earlier netbooks, and Vista was too bloated to use, thus they have a whole load more XP machines to support; I have an XP-based netbook myself!
I suggest that Microsoft provide free Windows 7 upgrades (yes, proper ones, which keep user settings, just like Vista did!) to Windows 7, for all these restricted PCs, then stop supporting XP, period!
RE Patch or die
If by long since ceased to generate revenue you mean a few months since they stopped allowing new systems to be sold with XP, then you might have a point. Fact is they could have kept milking it for a while yet but chose to try and force an upgrade cycle instead.
There's two problems...
I've had some discussions with people on the Office and Internet Explorer teams within Microsoft. I've even been asked (ten years ago) to give feedback to Microsoft on design changes they were considering for their Office family of products after Office 2000 came out with Word 2000 hardwired to operate in a single document interface style.
The conclusion that I came to was a little different. There are at least some very good, if not brilliant, people within Microsoft. The problem seems to be that whenever anyone there has a good idea, it *remains* a good idea even if it was disastrously bad. I don't fully know why this is -- is admitting you were wrong really that hard? From the conversations that I've had, this seems to be at least part of the case.
The other problem stems from the way that some software companies use their technologies. If Microsoft puts something out and does come to the conclusion that it's not a good idea or has fatal flaws, chances are pretty good that someone has probably used that technology in a line-of-business application. As M$ has a lot of business customers, some of which are big enough to say they'll go elsewhere and mean it, they're too afraid to break people's applications without a long and difficult sob-story that eventually leads up to a feature being dropped several major releases later. They can't (or rather, won't) make a flawed technology just go away.
@ Patch or die
Their responsibility ends when they have disabled all the insecure crap loaded by the OS. People sometimes say all software has bugs, nothing is truly secure.
That's just a cop-out for developers who choose to spend time adding features but not testing them thoroughly. If MS were struggling to make a buck to survive I could give them some latitude but it's obviously not the case.
If they want the market, want to run on every PC on earth, they need their product to be suitable for those who take computing seriously instead of only catering to kids mesmerized by color gradients while watching YouTube.
When is their support finished? When they finally fix the flaws.
Now you're just teasing.
"[...] a lot of business customers, some of which are big enough to say they'll go elsewhere and mean it [...]"
If only! Please, please, big corp, put your money where your mouth is. Everybody would win. Yes, everybody would, even micros~1. How that works? Easy. The need for interop still exists, so now other big corps will start to badger everyone including micros~1 to get their shit interoperable. Less monoculture is healthier culture overall. Open formats mean the chances of reading your own archives a decade or two down the road vastly improve. And so on.
But they don't. I haven't seen it happen, except since linux became all the rage it proved a useful tool to reverse-extort the extortionate licensing costs down a bit. That's about it.
On April 8, 2014, all Windows XP support, including security updates and security-related hotfixes, will be terminated.
I guess that's when it ends.
Try 'YLMF OS'. Latest Ubuntu, looks like XP. Ma and Pa thank China!
I for one...
...Welcome our new ever helpful malware-dealing overlords!
"It must be a bit of pain for MS - they passed by XP many years ago but to maintain their corporate image they have to be seen to care about it even though it long ceased to generate revenue."
Microsoft are hoist on their own petard. With XP, they spent so much effort on user lockin strategies (using browser > OS integration primarily) that now when it comes time for their poor suffering "customers" to purchase new MS products those customers are somewhat hesitant to do so, just in case a whole bunch of stuff breaks.
It is high time that MS took an evolutionary approach to OS upgrades. Revolutionary "forklift upgrades" may have been acceptable during the '80s and '90s, but the industry has moved on from those early days.
That's "hoist *by* their own petard" ... Or "hoise by", if you want to be archaic & petulant. Pet peeve. But then I'm a cantankerous old fart ...
Evolutionary approach? I'd rather they designed stuff.
"It is high time that MS took an evolutionary approach to OS upgrades."
Do you know the difference between designed and evolved?
Is that some sort of moronic reference to the fantastically entertaining creation vs evolution debate that is so beloved by our septic cousins?
Evolution: a process in which something passes by degrees to a different stage.
Revolution: a drastic and far-reaching change in ways of thinking and behaving.
What exactly is your problem?
Be interesting to get the numbers
of systems running Windows-XP in corporate America/Europe/Asia.
AT&T is still using Windows-XP on its systems in all of its call centers.
Tens of millions of marks. But then again we still have a few NT4 servers, IBM mainframes from the '80s and a few other things that sit there humming away on 3-phase power...
We're starting W7 roll out, but have some compatibility issues to iron out. We could use Linux, but we'd probably go bust within 2 weeks.....
@AC re. numbers and AT&T
And this is a surprise? It's quite clear that Vista did not cut the mustard for corporates, and 8 months is not enough time for an organization to test, plan and implement Windows 7 (believe me, it's not).
And why should AT&T even consider it when the end-of-life for XP support is published as 2014?
I would be more worried by people still with NT4 and 2000 in their organizations.
New attack sites, or newly detected attack sites?
How do we know this flaw wasn't already being exploited in the wild, before the public disclosure? Isn't it only since the advisory informed people of what to look for that the security companies have been able to identify the attack sites?
“I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days.”
Last I heard was that he'd had no response at all from MS in five days. Either this was the case, or he was in discussion; it can't have been both.
Now, as for the 60 days, what this means is it won't be ready for the next viable Patch Tuesday, but the one after that, as they were discussing this matter only a couple of days before Patch Tuesday. It's really not that big a deal considering MS' customers asked for patches to be released in this manner, and I can easily see a patch taking more than a month to test and finalise. (It often takes this much time in FOSS, unless you count the release of code into the nightly unstables as fixed and tested.)
I thought this bug was zero day so it was actively being exploited when disclosed to the public?
And I don't blame the guy for publishing after 5 days. Microsoft have proven that they sit on their arses when bugs are disclosed to them time after time.
"just" 5 days?
He gave them 5 *more* days than they'd already had to find and fix the bug that *they* introduced.
Note carefully: the advisory, proof of concept and suggested fix are for the benefit of Microsoft's customers (me and thee), not Microsoft. Informing Microsoft at all was purely a courtesy.
If you shoot at the messenger, don't expect him to attempt delivery next time.
Tavis did the bad guys a favour, and he wants people to like him for it?
The bottom line is that the main beneficiaries of Tavis's disclosure are the Black Hats who now have a new tool that they didn't have last week.
The simple reality is that the vast majority of vulnerable XP machines aren't going to be protected from this vulnerability until a fix appears in Windows Update anyway, so his early disclosure isn't going to benefit any of the users of those machines. He's just an egotistical shithead who doesn't care about the danger he's putting those people in, as long as he gets "credit" for publishing not just a vulnerability, but sample exploit code, so that the script-kiddies don't even have to figure out how to exploit the vulnerability.
How long were Google working on the patches that they included in the latest Chrome update they pushed out?
Tavis Ormandy tweet: "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days."
So let's see if I understand this correctly. Tavis tried for 5 days to get Microsoft to commit to a fix within 2 months. Microsoft wouldn't do it, Tavis got his panties in a twist, and he posted the vulnerability immediately along with an exploit example.
Thank you, Tavis, for being a petulant little cock.
You find a bug, you do what you want with it.
MS just has to find the bug themselves if they don't like they way it was handled.
This guy is not their slave staff, doing their job for free and then having conditions imposed on how he can use it.
MS (and others) too often only have contempt for bugs and their finders (and their users), fixing them if and whenever they see fit.
Yes, publishing sucks, but selling buggy software sucks even more.
If MS's attitude didn't suit him, if he thinks he can get them to listen a bit more carefully next time, why shouldn't he shove them around a bit? Some (more) PCs might get infected this once, but MS might move faster/better next time.
You can't make an omelette without breaking eggs. MS is providing the eggs by the shovel.
Paris because no egg icon.