Google (Nasdaq: GOOG) researcher Tavis Ormandy’s public disclosure Thursday of a security flaw in Microsoft’s (Nasdaq: MSFT) Help and Support Center has drawn harsh criticism from Redmond.
The flaw, which exists in Windows XP and Windows Server 2003, could let hackers remotely execute code on victims’ computers.
Microsoft is angry that Ormandy publicly disclosed a proof of concept exploit of the flaw just four days after privately notifying the company of the flaw’s existence.
“Four days is typically not enough for a vendor to complete the initial investigation of the vulnerability and thoroughly test a comprehensive update,” Jerry Bryant, group manager of response communications at Microsoft, told TechNewsWorld.
Help! I Need Somebody!
Ormandy posted his findings and the proof of concept exploit of the Help and Support Center flaw on the Full Disclosure website Thursday.
The problem lies in the whitelist that the Help and Support Center uses to ensure users can only access safe help documents and parameters.
Essentially, the check that validates an HCP-protocol (hcp://) URL against that whitelist is flawed. The HCP protocol handler lets a URL open the Help and Support Center, so any third-party application that hands hcp:// links to Windows, primarily Web browsers, exposes its users to the flaw.
If a user is logged on with administrative user rights, an attacker can take complete control of the user’s PC by exploiting the flaw, Microsoft warned in Security Advisory 2219475, released Thursday. The attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
The flaw affects the Help and Support Center function on Windows XP and Windows Server 2003.
It can be exploited if users go to specially crafted Web pages that contain malicious code or click specially crafted links in email messages, Microsoft warned.
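Because the exposure comes from browsers passing hcp:// links to the registered protocol handler, the first thing an administrator wants is a check for whether that handler is registered on a given machine, and a reversible way to remove it until a patch ships. The script below is an added example for this article, not code from Ormandy’s post or from Microsoft; the registry location (HKEY_CLASSES_ROOT\HCP) and the fact that unregistering the HCP protocol was the workaround in Microsoft’s advisory are stated from memory of that advisory rather than from the text above, and the backup path is an assumption.

```powershell
# Added example, not from the article. Checks whether the hcp:// protocol
# handler is registered and, with -Unregister, removes it after exporting a
# backup. Run as an administrator. Assumes the handler lives under
# HKEY_CLASSES_ROOT\HCP (the key named in Microsoft's workaround) and that a
# .reg backup in %TEMP% is an acceptable place to keep the restore file.
param([switch]$Unregister)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:TEMP 'HCP-protocol-backup.reg'   # assumed location

function Test-HcpHandler {
    # A URL scheme is wired to an application when the key exists and carries
    # the "URL Protocol" value; shell\open\command is what a browser ends up
    # launching when it hands an hcp:// link to the operating system.
    if (-not (Test-Path $hcpKey)) { return $false }
    $props = Get-ItemProperty -Path $hcpKey -ErrorAction SilentlyContinue
    return ($null -ne $props.PSObject.Properties['URL Protocol'])
}

if (-not (Test-HcpHandler)) {
    Write-Output 'hcp:// handler is not registered; nothing to do.'
    return
}

$launch = (Get-ItemProperty -Path (Join-Path $hcpKey 'shell\open\command') `
           -ErrorAction SilentlyContinue).'(default)'
Write-Output "hcp:// handler is registered; it launches: $launch"

if ($Unregister) {
    # Export the key first so it can be restored with 'reg import' once the
    # vendor fix is installed. Remove any stale backup because older reg.exe
    # builds do not accept an overwrite switch.
    if (Test-Path $backup) { Remove-Item $backup -Force }
    & reg.exe export 'HKCR\HCP' $backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup of HKCR\HCP failed; refusing to unregister the handler."
    }
    Remove-Item -Path $hcpKey -Recurse -Force
    Write-Output "Unregistered hcp://. Restore later with: reg import `"$backup`""
}
```

Run it without arguments to audit a machine, and with -Unregister to apply the mitigation. The caveat a practitioner should weigh: removing the key disables Help and Support Center links system-wide (not just in browsers) until the backup is imported again, so the change belongs in change control and should be reverted once the vendor update is installed.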
Microsoft’s Reaction
So far, there have been no reports of attacks, and Ormandy’s exploit is still at the proof of concept stage, Microsoft’s Bryant said.
Redmond has spoken with Google about this, he added.
Microsoft contends that Ormandy should have waited longer before releasing his exploit publicly.
“There are variances in the types of vulnerability disclosure policies, but typically and on average the finders give the vendor 30 days,” Bryant said. “Even the most aggressive finders give the vendors at least 14 days.”
Google did not respond to requests for comment by press time.
What Is Responsibility?
In a blog post on Technet Thursday, Microsoft said public disclosure of the details of the vulnerability without giving it time to resolve the issue puts customers at risk, and it hinted Ormandy did not adhere to the principle of responsible disclosure.
It also pointed out that the workaround Ormandy suggested is easily circumvented.
Ormandy had contended in his posting of the flaw that vendors want to maintain secrecy about bugs in their products, and equated the term “responsible disclosure” with secrecy.
That argument doesn’t cut any ice with Sean-Paul Correll, a threat researcher at Panda Security.
“If you look at responsible disclosure, you’ll see a timeframe of about five months given to vendors to fix issues,” he pointed out. “In Microsoft’s case, the protocols involved are used through its products, and it has to make sure the solutions it provides are cross-compatible,” Correll told TechNewsWorld. “They’ve got to make sure the fix doesn’t break the product elsewhere,” he said.