Microsoft has warned users of a flaw in Windows XP, located, ironically, in the Windows Help and Support Center, that attackers could use to compromise affected PCs.
On Thursday, June 10, 2010, Microsoft confirmed that an unpatched bug in Windows XP and Windows Server 2003 could be used to infect PCs by duping users into visiting rigged websites or opening malicious e-mail. The vulnerability, reported to Microsoft by Tavis Ormandy, lies in the online Windows Help and Support Center, the feature that provides technical support to customers.
The flaw is in the Help and Support Center, a relic of the time when Microsoft was trying to make everything on the computer a browser app. Help, Control Panel, Windows Update and other components were browser or browser-like apps.
The Help and Support Center supports remote help links using hcp:// addresses. Windows XP SP2 introduced a model whereby the program, when run with the /fromhcp parameter, runs in a special restricted mode in which only links from addresses on a whitelist have privileged access. Ormandy’s vulnerability is an implementation error that allows the whitelist to be bypassed. “It can be triggered through all major browsers, but as Tavis points out, it’s easier to exploit under IE7,” said Wolfgang Kandek, chief technology officer for Qualys, in a blog post.
Mike Reavey, director of the MSRC, said that the issue was reported to Microsoft on June 5 by a Google security researcher and then publicly disclosed on June 9, giving the company little time to address the issue or communicate it appropriately.
Reavey said, “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.” “While this was a good find by the Google (NSDQ:GOOG) researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented,” he added.
Microsoft plans to release a security advisory later Thursday. Until a patch is available, the company suggests that users unregister the HCP protocol to mitigate the impact of a potential attack.
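The workaround above can be checked and applied from an administrator’s PowerShell session. The script below is an added example, not Microsoft’s Fix it or any code from the advisory; it assumes that on Windows XP and Server 2003 the hcp: handler is registered under HKEY_CLASSES_ROOT\HCP with its command under shell\open\command, so verify that path on your own system before relying on it.

```powershell
# Added example: report whether the hcp: protocol handler is registered and,
# on request, back it up and remove it (the workaround described above).
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP and its
# shell\open\command value points at helpctr.exe with -FromHCP.
# Requires PowerShell 2.0 and an elevated (administrator) session.

$HcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpHandlerStatus {
    # Return whether hcp: is registered and which program handles it.
    if (-not (Test-Path $HcpKey)) {
        return New-Object PSObject -Property @{ Registered = $false; Command = $null }
    }
    $cmdKey = Join-Path $HcpKey 'shell\open\command'
    $cmd = $null
    if (Test-Path $cmdKey) {
        # The unnamed default value holds the command line launched for hcp: links.
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    New-Object PSObject -Property @{ Registered = $true; Command = $cmd }
}

function Disable-HcpHandler {
    param([string]$BackupFile = "$env:SystemDrive\hcp-handler-backup.reg")
    # Export the key first so the handler can be restored once the patch ships.
    if (-not (Test-Path $HcpKey)) {
        Write-Host 'hcp: handler is not registered; nothing to do.'
        return
    }
    & reg.exe export 'HKCR\HCP' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; the handler was not removed."
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    Write-Host "hcp: handler removed. Restore later with: reg import $BackupFile"
}

$status = Get-HcpHandlerStatus
if ($status.Registered) {
    Write-Host "hcp: is registered and handled by: $($status.Command)"
    Write-Host 'Run Disable-HcpHandler to apply the workaround until the patch is installed.'
} else {
    Write-Host 'hcp: protocol handler is not registered (workaround already in place).'
}
```

With the key removed, hcp: links clicked in a browser or in Help no longer launch helpctr.exe, so local Help and Support Center links that rely on the protocol stop working until the backup is re-imported after patching.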
Meanwhile, other security researchers pointed out that Microsoft has had a zero-day flaw every month during 2010, which will likely damage its reputation as it desperately tries to gain credibility in the security industry.
“If Adobe (NSDQ:ADBE) weren’t the poster child for lousy security right now, the negative press for Microsoft on this would probably be much worse,” said Andrew Storms, director of security for nCircle, in an e-mail. “Any users on the fence about upgrading from XP should take a hard look at all the security bulletins for the last six months. The information there should help change your mind.”
Despite Microsoft’s security blunders, Storms questioned the timing and method of Ormandy’s vulnerability disclosure, speculating that it might fuel existing tensions between Microsoft and the search engine giant.
“The disclosure timing for this vulnerability is already creating controversy. Tavis Ormandy, a Google employee, found the bug in the Windows kernel and notified Microsoft on Sunday. Then he released complete details to the Full Disclosure security mailing list yesterday, effectively forcing Microsoft’s hand,” Storms said. “Tavis has been trying to separate his actions from his employer, but you have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft’s security process.”