Microsoft confirms exploits targeting Ormandy 0-day


Five days after a Google researcher published details of a zero-day vulnerability affecting the Windows Help and Support Center, in-the-wild exploits have emerged, Microsoft said Tuesday.

The software giant said it was aware of "limited exploits" affecting Windows XP users, according to a tweet posted by the Microsoft Security Response Center. Windows Server 2003 is also vulnerable to the bug, but Microsoft said it has not received any attack samples targeting those customers.

As affected users await a permanent fix, they are encouraged to apply a "Fix It" workaround, as outlined in a security advisory released Thursday by Microsoft.

Experts at Sophos on Tuesday began detecting malware attempting to take advantage of the vulnerability, said Donato Ferrante of SophosLabs. Users can be infected with the malware, dubbed Sus/HcpExpl-A by Sophos, if they visit a website that has been compromised to host the exploit.

"This malware downloads and executes an additional malicious component on the victim's computer by exploiting this vulnerability," Ferrante wrote.

This particular zero-day flaw has received more attention than most. It was discovered by Tavis Ormandy, a Swiss Google researcher, who privately alerted Microsoft about the vulnerability on June 5 but, five days later, posted details of the bug to the Full Disclosure mailing list.

The flaw is present in the Windows Help and Support Center application and is caused by improper sanitization of hcp:// URIs. The hcp:// scheme is a protocol handler that opens help documents through specific URLs, which is what lets a web page hand crafted input to the application.
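Because the attack path described in this article is a compromised website that hands an hcp:// URI to the Help and Support Center, one practical defensive check is to flag any hcp: reference in third-party web content, since ordinary websites have no reason to launch a local help application. The following Python scanner is an added example written for this article; it is not Sophos's Sus/HcpExpl-A signature nor anything from Microsoft. It decodes HTML entities and percent-encoding before matching so that simple encoding differences do not hide the scheme, and the sample pages it runs over are constructed inputs with made-up paths.

```python
import html
import re
from urllib.parse import unquote

# Heuristic match for an hcp: scheme reference, case-insensitive, stopping at
# whitespace, quotes or angle brackets. This is an assumed detection pattern,
# not a vendor signature.
_HCP_RE = re.compile(r'hcp:(?://)?[^\s"\'<>]*', re.IGNORECASE)


def normalize(content: str) -> str:
    """Undo the two encodings commonly layered on web content before matching:
    HTML character references (&#104;cp:) and percent-encoding (%68cp:).
    Percent-decoding is repeated until stable so double encoding is unwrapped.
    """
    decoded = html.unescape(content)
    prev = None
    while prev != decoded:
        prev, decoded = decoded, unquote(decoded)
    return decoded


def find_hcp_uris(content: str) -> list[str]:
    """Return every hcp: URI found in the normalized content, in page order."""
    return [m.group(0) for m in _HCP_RE.finditer(normalize(content))]


def is_suspicious(content: str) -> bool:
    """A page is flagged when it contains any hcp: reference at all."""
    return bool(find_hcp_uris(content))


# Constructed sample pages (not real captured content). The hcp paths are
# placeholders chosen for illustration only.
SAMPLE_PAGES = {
    "benign": '<a href="https://example.com/help">Help</a>',
    "plain": '<iframe src="hcp://help/topic"></iframe>',
    "entity": '<a href="&#104;&#99;&#112;://help/topic">x</a>',
    "percent": '<meta http-equiv="refresh" content="0;url=%68%63%70://help/topic">',
}


def scan_all(pages: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of page name -> HTML and return the hits per page."""
    return {name: find_hcp_uris(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_PAGES).items():
        verdict = "SUSPICIOUS" if hits else "clean"
        print(f"{name:8s} {verdict:10s} {hits}")
```

The scanner is deliberately broad: any hcp: reference is reported rather than trying to recognise a specific exploit payload, which keeps the check useful as a proxy or mail-gateway filter while a permanent patch is pending. False positives are possible on pages that legitimately document the scheme, so treat a hit as a review trigger rather than an automatic block.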

"I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security," Ormandy wrote.

Since the Full Disclosure post, Ormandy has attracted a wave of criticism from members of the security community. Some accused Ormandy of following irresponsible disclosure practices, particularly for giving Microsoft only five days to issue a patch.

But Ormandy, in a tweet posted Saturday, said: "Those five days were spent trying to negotiate a fix within 60 days."

Microsoft, meanwhile, has placed the blame on Google.

"One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause," Mike Reavey, director of the Microsoft Security Response Center, wrote in a blog post. "While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems."

Google reportedly said Ormandy was acting independently in his research.
