
Microsoft confirms Help Center vulnerability

June 10, 2010

Microsoft on Thursday confirmed the presence of a zero-day vulnerability affecting Windows XP and Server 2003.

The software giant plans to issue an advisory later Thursday to provide workaround guidance to impacted users.

The vulnerability was discovered by Google engineer Tavis Ormandy, who published exploit code in an advisory posted Thursday to the Full Disclosure mailing list.

The flaw is present in the Windows Help and Support Center application and is caused by improper sanitization of "hcp://" URIs, a protocol handler used to access help documents through specific URLs, Ormandy said. By persuading a user to click on a malicious link, an attacker could execute arbitrary code on the victim's machine.

Customers running Windows Vista, 7, Server 2008 and Server 2008 R2 are not susceptible to the vulnerability, said Mike Reavey, director of the Microsoft Security Response Center, in a blog post.

The bug added fuel to the fire surrounding the responsible disclosure debate.

Ormandy notified Microsoft on June 5 but went public with the vulnerability five days later, before Microsoft was able to issue a fix to its large user base.

"One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause," Reavey said. "While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround [Ormandy] suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems."

Ormandy defended his decision to publicize proof-of-concept code, saying "there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security."

Several hours after his post to Full Disclosure, Ormandy admitted to absorbing widespread criticism.

"I believe in [Full Disclosure], but making enemies of people I truly respect may not have been my smartest decision ever," he wrote in a tweet. "Not all bad feedback though."

As users await an official advisory from Microsoft, they can disable the HCP protocol by following four steps described in the blog post.
