Tavis Ormandy, a security researcher for Google, on Thursday posted a vulnerability report to the Full-Disclosure mailing list, which detailed a vulnerability in Windows XP and Windows Server 2003. Later versions of Windows are unaffected.
The flaw is in the Help and Support Center, a relic of the time when Microsoft was trying to make everything on the computer a browser app. Help, Control Panel, Windows Update, and other components were browser or browser-like apps. In order to access remote help, the Help and Support Center supports remote links to help using hcp:// addresses.
Windows XP SP2 introduced a model whereby the program, when run with the /fromhcp parameter, runs in a special restricted mode where only links from addresses on a special whitelist can have privileged access. Ormandy’s vulnerability is an implementation error that allows the whitelist to be bypassed. Read the FD posting if you want all the gory details, but the end result is arbitrary code execution from links on the Web.
Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com
Ormandy notified Microsoft about this bug on June 5, the Saturday before this last Patch Tuesday. Thursday afternoon the Microsoft Security Response Center responded with a blog entry, which criticized Ormandy for releasing the information without giving them a fair chance to evaluate it and provide a registry hack to remove all hcp support. That blocks the vulnerability as well as useful hcp links, such as those in the Control Panel.
Ormandy also created an unofficial hotfix of his own and linked to it from his post, but a Secunia analysis of the issue claims that the hotfix does not sufficiently address the problem.
If you run Windows XP (and that’s your first mistake) you will be much better off following Microsoft’s registry mitigation technique, although I think you could probably get away with renaming the key rather than deleting it. This should make it easier to undo when the patch is available.
Ormandy posted the vulnerability report using his personal e-mail and is probably acting in a private capacity, but don’t expect Microsoft to see it that way. Microsoft’s initial report on the bug referred to Ormandy as “a Google security researcher” and the tweet announcing it said that the “information on the Windows Help vulnerability [was] disclosed by Google.”
People can have reasonable disagreements about the limits of full disclosure vs. “responsible” disclosure, but I doubt Google would take kindly to a Microsoft researcher blind-siding them like this. For Ormandy to expect turnaround like this during a heavy Patch Tuesday is not reasonable. In fact, even Ormandy may be reconsidering the wisdom of his move.