Microsoft customer warning: Bad exploit in Windows

It’s interesting, I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing. Warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places. I’m off to check with Stephen Toulouse of the security response center here at Microsoft (I’m a bit at a disadvantage because I’m blogging from Hitachi’s Storage DataSystems Headquarters — I’m heading back to Microsoft’s offices so I can get access to Microsoft’s internal information sharing systems). The security response center is listening to email sent to secure@microsoft.com — if you have a new security problem, that’s a good place to send email to. Microsoft’s security Web site is here. If you need support with one of our products, please contact support here.

Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.

I have a video interview with Stephen on Channel 9, in case you want to know a little more. Here’s a tour of the response center’s workers so you can get a little better idea of the people who are working hard to fix this problem.

Update 2: the Security Response Center has posted a security advisory on this issue.

Comments

  1. Do Hitachi let strangers use their corporate network for internet access?? If so then they need to sort out their internal network policy and worry about patches after that

  2. what to do in a crisis…Warn your customers.

    Considering it’s MFST, hourly updates then. ;)

    But wait a second here, warn your customers? You punish security groups that do the same thing BEFORE a patch. You warn only AFTER a patch is available. At least that is your company policy. Whole raft of guidelines on how to report a security vulnerability to Microsoft. Warn your customers? Exactly WHEN do you do that? When it first hits the blogs?

    Now say you were a security company like maybe Hexview or someone like Michal Zalewski, instead of a clueless blogger, why MFST’d punish you to high hell for warning, out of turn, and deny that they even got the emails/reports. They’d go “not disclosed responsibly, potentially putting computer users at risk.”

  3. Some day, some day Christopher, you’ll realise that MFST is actually MSFT. At least then you’ll gain some limited credibility when everyone else realises what you are blabbing about is in line with what they think you are blabbing about. As opposed to being known as a know-it-all troll with no deliverables to back up your rants. Each comment dilutes the essence of the previous – maybe a year or so ago you could have been taken seriously within a soundbite, but now you can’t even get the company symbol right. Lay off the meds dude :-)

  4. Christopher: it’s out in the wild. I’d rather it not be, but because the exploit is out there I want to let customers know what the latest info is. You did notice that I pointed to where the official sources of info are, right? I have not communicated any new information other than to tell you what the latest news is. More to come, I’m sure.

  5. Kristy, providing access to the Internet for visitors is quite common, in my experience. Companies set up a separate virtual LAN/wireless LAN to isolate visitors from internal resources.

  6. haven’t posted about this issue yet…

    Then you should keep quiet, and not warn anyone, at least if you want to follow your own company’s policies. So it’s wrong for security companies (even if you parse it as ‘news’), but ok for you? Even CERT gives the vendor 45 days, before reporting such “news”. Just interesting however, that it’s somehow ok for you (and bloggers), but wrong for everyone else. Not saying you did anything wrong, not in my book, but by your own company’s security vulnerability reporting policies. Irony, no? ;)

    Security Company – Warn! News! This event happened! We can replicate! – “Out-of-turn, irresponsible. Not disclosed responsibly.”

    Scoble – Warn! News! This event happened!, Bloggers can replicate! – “I (just) want to let customers know what the latest info is. And hey I pointed to the right websites”

    And Smoi, I guess the concept of satire and irony is wholly lost on you. Sigh. But I will symbolize the ‘correct’ way for your sake. The joke has run its course anyways.

    Does no one understand irony anymore?

  7. Christopher, satire and irony is by no means lost on me. I grew up in the UK – we invented it, y’know? I should caveat that by saying that CONSTRUCTIVE and INTELLIGENT satire and irony is not lost. It’s the dumb, belligerent and petty stuff that falls through the gap. With that in mind, I still don’t get what you’re trying to say by your allegedly intentional dyslexia. That aside – the remainder of my post still stands.

    Irony is only evident when used intelligently. Otherwise your comments are scanned, and dismissed with the word “prick” in mind.

  8. Christopher: watch the video to see what the difference between responsible and unresponsible disclosure is. I have not disclosed anything here that isn’t already public. That’s responsible. What’s unresponsible would be explaining an exploit for the first time without giving security researchers first shot at it.

    But, thanks for continuing your series of “Scoble is wrong” posts.

  9. I got hit with it yesterday on a clickthrough of a piece of spam, assuming my system was secure enough to not get hit. My mistake, as I had been running as admin to debug asp.net code (although 2.0 allows me to run as limited but I was too lazy to change it) and am running a recently-expired copy of McAfee, but it sounds like it wouldn’t have mattered. It freaked me out how quickly it worked and that it installed that much software. Sets the homepage to a spyware page, installs spyware + an onLoad bootstrap AND activates an ActiveDesktop policy that disables your ability to set the wallpaper. Took me about half an hour to fix everything and then set my system back to a restore point 12 hours before infection to be safe.
    Nasty, nasty stuff.

  10. Robert – this is the first I’ve seen of this new threat, and it makes me EXTREMELY happy to see it coming here. Take that as a definite sign that you are reaching success in your objective to put a face on a huge corporation.

  11. Larry

    Hear, hear! Robert is a quick one.

    You should have seen how fast Robert addressed this issue.

    Yes, I did learn a lot at today’s lunch. He was quick to listen (his cell is connected to him) and he was quick to respond.

    We had JUST talked about this with Shel Israel on how to handle a crisis a few minutes before this hit, and watching the man practice what he preached was quite amazing.

    He got the word out, signaled teams to correct the issue, and addressed you all…all between and after a few pieces of sushi.

  12. Jeremiah: yeah, I watch Memeorandum multiple times a day, just to see what’s happening. This one went to the top of Memeorandum while we were meeting.

  13. Your definition of “responsible” and “unresponsible” by saying it’s already news therefore ‘ok’, doesn’t wash with your own company. Tons of security companies that have reported on things already in the public domain have had their wings clipped.

    Crying Chicken Little (hey, it’s news) before your own people swat at it or even have a chance to blog about it, falls under “unresponsible”. Imagine if all the blogger reports are WRONG, what then. Sounding a false alarm?

    (PS – to be Smoi boorishly nit-picky, the word is actually “irresponsible”. But I got what you were trying to say, and didn’t lay down a mile of snark)

    The difference between what is responsible and what is not is determined by exactly how embarrassing it becomes for said company. If a vendor does NOT fix something, and has no inclination to do so, yet has been informed, then it is actually responsible to go over their heads. Delicate balance, CERT plays it best.

  14. But, thanks for continuing your series of “Scoble is wrong” posts.

    Ahhh, you make it easy. ;) But actually I don’t think you are ‘wrong’ yourself, in so much that you are wrong in terms of your own company’s reporting policies.

    Plus this could be something that impacts a minor minor few, and you have made it into a worldwide PR crisis, before they have really dug in. Not saying cover-up, just saying don’t overblow either. But said my piece. End Prog.

  15. Linking? You cop-out with that? After a title with: “Microsoft customer warning: Bad exploit in Windows”

    Heh. But yeah, as you say, whatever.

  16. On the top of Memeorandum is not a worldwide PR crisis. A post on the unofficial ‘third man’ Microsoft spokesperson blog is. :) (Hey, saying something nice).

  17. Well, how about a fix? regsvr32 /u shimgvw.dll anyways. A 0-day exploit sure highlights the fallacy of security through obscurity or forever proper disclosure policies. But I guess I lost that ironic battle. In ‘links’, ‘warnings’. Never mind.

    But some good info…

    http://isc.sans.org//diary.php?storyid=972

  18. I’d rather that our customers know there’s a problem and worry about the PR implications later.

    Likewise. But such violates your company policy. My point. But (obviously) beating a dead horse.

  19. Scoble, some of the links in the advisory return 404 or not found. How responsible is that?

    As a protection against this thing, type “regsvr32 /u shimgvw.dll”. I have read it somewhere and think it’s good. shimgvw.dll is the WMF file handler used by IE. By deregistering it, WMF files simply don’t get displayed anymore.

    Never been a better time to consider switching to Mac. Too bad Intel Macs are not available yet. The last few days, I have spent time with my family and a new preconfigured XP SP2 laptop and the experience was horrible: we have been bombarded by tens upon tens of popups coming from either the OS or the pre-installed (trial version) anti-virus software. Most horrible experience in my entire life. And this box was not even connected to the internet.
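
The comment above recommends unregistering shimgvw.dll with regsvr32 /u as a stop-gap. A workaround like that is only worth anything if you can confirm it actually took effect on each machine, so here is an added example (not code from the original post, its commenters, or Microsoft) that checks whether a given DLL is still registered as a COM in-process server. It assumes only the standard registry layout, in which each HKEY_CLASSES_ROOT\CLSID\{…}\InprocServer32 key holds the server path as its default value; the default DLL name is taken from the comment, and the script works for any DLL name you pass in.

```powershell
# Added example: verify whether a "regsvr32 /u <dll>" workaround is in effect by
# scanning HKCR\CLSID for InprocServer32 entries that still point at the DLL.
# Assumption: the standard layout HKCR\CLSID\{clsid}\InprocServer32 = <server path>.
param(
    [string]$DllName = 'shimgvw.dll'   # name from the comment above; any DLL works
)

function Get-ComRegistrations {
    param([Parameter(Mandatory)][string]$Name)

    $hits = @()
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsidKey in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The server path is the key's default value; it may contain %SystemRoot%.
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }

        $expanded = [Environment]::ExpandEnvironmentVariables($server)
        if ([IO.Path]::GetFileName($expanded) -ieq $Name) {
            $hits += [pscustomobject]@{
                Clsid  = $clsidKey.PSChildName
                Server = $server
            }
        }
    }
    return $hits
}

$registrations = Get-ComRegistrations -Name $DllName
if ($registrations.Count -eq 0) {
    Write-Output "$DllName is not registered as a COM in-proc server on this machine (workaround in effect, or it was never registered)."
} else {
    Write-Output "$DllName is still registered under the following CLSIDs:"
    $registrations | Format-Table -AutoSize
}
```

Run it as an administrator before and after `regsvr32 /u shimgvw.dll` to see the registrations disappear; the same check can be pushed out to other machines to confirm the workaround was applied everywhere. Once the vendor update is installed, the handler is meant to be put back with `regsvr32 shimgvw.dll`, and this script will show the CLSIDs reappear.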

  20. Where could one (individual or law enforcement officials) find an inventory of web sites which have installed this exploitive software? If nothing else, such a list could be a “name and shame” of sites to avoid, and at best, a source of prosecution.

    I understand why the world is jumping on Microsoft, but I do not understand why the world is not jumping on the bad guys propagating this stuff.

  21. This is bigger than I thought…

    How did this get around so fast before a patch could be worked out? Robert, I think by informing your customers you also inadvertently inform every hacker out there that this is a problem and no fix is in sight yet. For your average Joe hacker this is a huge payday.

    Unless the press is blowing it up bigger than it really is…

    http://news.yahoo.com/s/pcworld/124094

  22. There is lots of coverage in the mainline web media, independent of Robert … he’s not that powerful or ubiquitously read. I wonder where the media is getting their info. It’s as if the bad guys have PR consultants working for them …

  23. Chris and Robert:

    This thread’s commentspace looks like it has been a good place to start to work out how to address a crisis using the blogosphere.

    Chris is right, the whole thing needs to be reviewed as a policy issue.

    So here’s the question:

    Chris: what kind of policy would cover the issues that you think are being mishandled here?

    Robert:

    Chris is a recovering snarkoholic (I actually shouldn’t be saying that, it makes me look like I have fallen off the snark-abstinence-wagon myself) and you need to make nice a lot to get the most out of him, and getting him to tell you how to fix MS policy for free is the kind of thing (as in ‘user generated content’) that you are blogging for in the first place, no?

    Yoda says:

    “anger leads to hate, hate leads to suffering”.

    Critical commenters will often make you angry, especially if your posting was aimed at being helpful.

    But remember, one of the main reasons someone will take the trouble to comment about a posting, is because you made them angry, not necessarily in that particular posting, but sometimes in an earlier one, and they are looking for an opportunity to ‘take you down a peg or two’ for what the commenter perceives as arrogance by the blogger.

    So comment-response-anger needs to be given the opposite kind of response to the one that it triggers.

    Not that there is any strong evidence of anger on this occasion, Robert.

    But remember, commenters are part of the Google Juice/ Memeorandum equation, so, probably unconsciously, you are often gravitating towards generating angry responses when you put together your postings, if you have a good blog-traffic-creating track record.

    The cure is humility.

    Robert, You have bucketloads of humility, but you also have assertiveness, and that sometimes comes across as arrogance.

    There’s a line by Will Smith in I, Robot:

    “You are the dumbest smart person…”

    In your case you can substitute “arrogantest humble person”.

    And Chris: Keep on keeping on, Microsoft deserves all the negative feedback that any big institution needs and, my goodness, a Microsoft that somehow manages to develop genuine humility would be an awesome example to humanity, after all, if it is hard to be humble when you have made a lot of money, and had a lot of success, nobody would have any excuse if even Microsoft can somehow become the opposite of arrogant.

    Chris has every right to doubt that Scoble can do what it takes to make Microsoft humble, especially when part of Scoble’s official job is to trumpet new Microsoft triumphs.

    Can you blog humility-affirming failure and cheer on scepticism-inducing triumph at the same time, Robert?

    Not enough rah-rah and the softies hate you, not enough whistles blown and outsiders think you are just the ultimate insidious but desperate PR tactic.

  24. Scoble,

    You are wrong. Because of stupid security policy – Microsoft does not bother to inform EVEN the original researcher on the resolution process.

    I can claim this as I had some issues with security@Microsoft and they lied to the public about how long it takes for them to issue a bulletin. ( http://news.zdnet.com/2100-1009_22-954590.html )

    After this kind of interaction with Security@Microsoft I’m not willing to repeat this experience. Posting everything to the public will result in security people waking up late at night and going to the war room !!!

  25. I went to the MSFT security blog site and the comments were all disabled. Yeah that’s a real useful read-only blog.