LIES! help was fixed already, and later fixed again, and later fixed again and later fixed again, so it must be flawless surely

"Nobody is going to use Ormandy's hokey GPLed "patch." Who knows what it is going to affect."

It's opensource you fuckin idiot, look at it yourself.

who's to say it wasn't being exploited beforehand by blackhats, credit or not the fact that microsoft has over a thousand people writing code for them, taking 60 days is ludicrous.

if this affected any flavor of GNU/Linux it would be fixed in 2-5 days TOPS.

and you wonder why Google is ditching microsoft, you don't pay money for a MS license and get the shaft for 60 days.

It's called "discretion," Tom, i.e. acting in a responsible manner. No, I would rather not have this information distributed publicly for as long as possible, especially while a patch is being created. Why? Because only Microsoft has the authority to produce a patch that people will actually deploy. The patch needs to be well tested to ensure that what it fixes doesn't break other systems. Nobody is going to use Ormandy's hokey GPLed "patch." Who knows what it is going to affect.

Meanwhile, an exploit that could have probably escaped attention for a great deal longer, if not forever, is now thrust into the public light. Ormandy even admits that he almost "gave up" on making a working exploit to prove it could be done (and receive attention). Now a spoon-fed working example is provided for every two-bit hacker to add to exploit sites. Even if Microsoft issued a patch immediately, the inner-workings of the exploit are available to target systems that remain unpatched. Thanks Ormandy, real helpful there.

I don't even understand the logic behind Ormandy's actions. He knee-jerk reacts to a rejected 60-day timetable with a 5-day (2 working-day) release? Is this how one acts responsibly? Why not adhere to his original time-table? Would he have done the same thing if Microsoft *did* commit to that timetable? And why is Ormandy defending his actions, and extolling the virtues of "full disclosure" on the Full Disclosure mailing list? He obviously knows he's acting irresponsibly, and preaching it as a means to defend his attention-seeking actions.

@Dave: Tavis Ormandy is a Swiss Google security expert.

most people making comments are sitting on windows, using an admin account, and thinking they have things covered.

http://seclists.org/fulldisclosure/2010/Jun/205

As with many 'exploit's' - there is some mitigation involved. With this one, the code that gets to run, does so with the user privilages that are in use. Thus, if you are running as admin, and many people persist in doing this, then code that tries to run gets to run riot. If you've set the user account so its not running with admin, then although it may run, its affects will generally be more deeply limited.

In future, it would be good if the INQ would cite the outbreak with a comment or statement on the user rights relevance.

The largest portion of security problems continues to stem from users logging on and running as admin, and this point needs consistent and persistent education and nagging to drive it home.

People think hacking is I.Q. Well, this link may explain how gary Mcdumbee' got into Dod Computers. Not Even Hack, Routers Are just plain open to public.

Non-classified Internet Protocol Router Network (NIPRNet) is used to exchange sensitive but unclassified information between "internal" users as well as providing users access to the Internet. NIPRNet is composed of Internet Protocol routers owned by the United States Department of Defense (DOD). It was created by the Defense Information Systems Agency (DISA) to supersede the earlier MILNET.

NIPRNet is, by design, a parallel airgapped analogue to the SIPRNet, providing seamless interoperability for unclassified combat support applications, as well as providing a gateway to the public Internet. While the two networks are not intended to logically intersect, occasionally it is seen as necessary to tunnel the encrypted SIPRNet over NIPRNet (SIPR over NIPR).

SIPRNet and NIPRNet are referred to colloquially as sipper-net and nipper-net (or simply sipper and nipper),

Looks like gary getting blame for intended flaw. So xp Zero Day or just another anomaily, probably can go "hack" into pentagon today, just because any internet computer can link. probably zero day last long time,too.

BTW Did RED'r Know, Jesus IS DEAD?

drashek

I realize there are a lot of people who really like XP and others use it because they have to.How many patches have MS issued for this OS security?
If you don't really need it take a look at Lucid Lynx. First you don't have to spend a penny, unless you don't have a blank cd or a usb flash drive. It is simple to learn and there is a lot of information on the web,probably about your very computer.I I have 2 new computers that came with windows 7 and the only reason I keep windows at all is so I can use Netflix.My XP Asus Eee hasn't booted to XP in a long time, the truth is Linux works so much better.
You can argue all you want about who is right or wrong about this but the problem still exists. This is a chance to do something about it.
I would not go back to Microsoft if they paid me, security and peace of mind are worth a lot to me.I have an old Dell Xps that came with Vista, the sound volume is so low with the windows 7 and windows vista drivers you can't hardly hear a song. But running Linux the volume is close to double the volume. And then there are free office and other great stuff.Yep as far as I am concerned windows is dead.
So you have 2 choices, spend a small fortune and buy a Mac, or install Linux for free. I had a iMAC for a year or so with OS X leopard and I still believe Linux is better than OS X.And there not trying to nickel and dime you to death.

From an earlier Inq story:
http://www.theinquirer.net/inquirer/news/1676668/xp-help-center-security-flaw-leaves-machines-wide

"The person responsible for bringing it to Microsoft's attention however has done one better than the firm, not only providing information on how to circumvent the problem but as a last ditch scenario, a patch. Unlike Microsoft he included the source code meaning desperate administrators can look over what's been done to ensure that nothing iffy is being installed."

So you'd rather not know there was an exploit until MS fixed it? So you'd sit there while your machine ground to a halt and you infected millions of others?
Shoot the messenger and put your fingers in your ears an pretend all is well.
Works for MS I suppose...

Five days is certainly not enough time
to create a patch and ensure it is not
going to cause more problems

While true, it's based on a wrong assumption.

"He said that he revealed the flaw because Microsoft would not commit to fixing the bug in 60 days"

It was only, I assume, that after 5 days of communication with MS where they refused to assure a fix within 60 days that he announced the bug.

So MS where given 60 days, not 5 as you claim.

I can't help but notice a lot of knee jerking among the comments.

Firstly Ormandy does not work for Goole. A Google employee was blogging about Ormandy's irresponsible behaviour in releasing information and code before MS had time to respond to the exploit.

So now people's PC's are being hijacked because of Ormandy's actions. I wonder if he considered the inconvenience he would cause for innocent poeple.

People a bit like the second commenter who think MS can pull out a plaster a stick over the hole that Ormandy found.

At least the third comment had some grounding in reality.

It would be like reading comments to an Apple article on your site - except there would be many more from the ever vocal minority of dumb rich fools.

Stop being so naive. It's one thing to come up with an exploit code demonstration, another to come up with the fix itself. A complex operating system like Windows XP cannot have patches simply rushed through the door without thorough testing. Five days is certainly not enough time to create a patch and ensure it is not going to cause more problems than the 0-day exploit itself, especially with the vast number of machines and configurations that exist.

lets just go ahead and not publish exploits, because Microsoft totally fixes things...

sorry but that logic is quite flawed sir, the more that gets published the faster microsoft is forced to fix an issue, that's how it works, and only then will they react.

its a sad state of affairs and has been for about a decade now, pretty much all microsoft products go down the route of "lock the barn after the horse has bolted".

honestly, its pathetic.

Are these the type of clowns that Google hires? I'm guessing that Ormandy didn't want the credit "stolen" from under him so he went ahead and announced the exploit to the world. What an idiot.