Quarrels about new Windows Vulnerability - Update
The new security hole in Windows is causing resentment and not just because Tavis Ormandy publicised it without consulting Microsoft, but also because his proposed hotfix does not offer complete protection.
The hole was found in Microsoft's Help and Support Center and can be exploited to remotely compromise a Windows PC. All that is required is to visit a malicious website with Internet Explorer. Microsoft has now confirmed the issue, which only affects Windows XP and Server 2003; Windows 7, Vista and Server 2008 are not vulnerable. Microsoft is investigating the problem and will eventually release a patch to close the hole. As an interim measure, Microsoft recommends disabling the HCP protocol handler, which it considers sufficient to stop the system from processing manipulated hcp: URLs.
Microsoft suggests that this reg file will perform that task. Users should create a file named hcp.reg and fill it with the following content:
Windows Registry Editor Version 5.00
Once the file is saved, double clicking it will disable the protocol handler and processing of help documents.
This approach is also recommended by the security service provider Secunia, which reanalysed the vulnerability and concluded that Ormandy had overlooked some points; according to Secunia, this means Ormandy's hotfix does not protect against all attacks. Ormandy's fix made the function MPC::HexToNum() return zero rather than 0xFFFFFFFF when an error occurred. When the function returns the latter value, the Support Center application does not perform the white-list checks that are built in to stop documents being modified. Unfortunately, Secunia found that it was possible to get the function to output a result of 0xFFFF without provoking an error, which makes the hotfix ineffective. Secunia advises users not to install the unofficial hotfix, but instead to take Microsoft's advice and disable the HCP handler.
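The weakness Secunia describes is a general one: an error sentinel that lives in the same value space as a valid result. The following is a constructed example added here, not HelpCtr code or Ormandy's hotfix; the decoder, whitelist and caller names (hex_to_num_inband, hex_to_num_oob, allowed_inband, allowed_oob) are assumptions that model the article's description, showing why returning a different sentinel does not fix the design and what an out-of-band status with fail-closed handling looks like instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not HelpCtr's code. HEX_ERR is the in-band
 * error sentinel; it is also the legitimate decoding of "FFFFFFFF". */
#define HEX_ERR 0xFFFFFFFFu
static int hex_digit(char c) {
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Out-of-band status: *out is meaningful only when true is returned. */
bool hex_to_num_oob(const char *s, uint32_t *out) {
    size_t n = strlen(s);
    uint32_t v = 0;
    if (n == 0 || n > 8) return false;          /* empty or wider than 32 bits */
    for (size_t i = 0; i < n; i++) {
        int d = hex_digit(s[i]);
        if (d < 0) return false;                /* non-hex character */
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return true;
}
/* In-band sentinel, as the article describes MPC::HexToNum(): the caller
 * cannot distinguish a decode error from a decoded value of 0xFFFFFFFF. */
uint32_t hex_to_num_inband(const char *s) {
    uint32_t v;
    return hex_to_num_oob(s, &v) ? v : HEX_ERR;
}
static bool in_list(uint32_t v, const uint32_t *wl, size_t n) {
    for (size_t i = 0; i < n; i++) if (wl[i] == v) return true;
    return false;
}

/* Flawed caller: the error sentinel skips the whitelist check entirely. */
bool allowed_inband(const char *hex, const uint32_t *wl, size_t n) {
    uint32_t v = hex_to_num_inband(hex);
    if (v == HEX_ERR) return true;
    return in_list(v, wl, n);
}

/* Hardened caller: a decode failure fails closed and a real 0xFFFFFFFF is checked. */
bool allowed_oob(const char *hex, const uint32_t *wl, size_t n) {
    uint32_t v;
    if (!hex_to_num_oob(hex, &v)) return false;
    return in_list(v, wl, n);
}
```

Changing HEX_ERR to 0 would only move the collision to the input "0"; the out-of-band variant removes it.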
Microsoft also points out that Ormandy published his report only four days after he had notified Microsoft. This left Microsoft with no time to react appropriately; the inadequate analysis by Ormandy and the half-functioning fix only serve to confirm Microsoft's view that it needed time to fully understand the problem and build a patch. Interestingly, Microsoft aims its criticism at Ormandy and at Google, on whose security team Ormandy works. Ormandy does not only analyse Windows vulnerabilities; he is listed as the discoverer of nine security vulnerabilities in the latest security advisory for Adobe's Flash Player.
Microsoft is not alone in being surprised by Ormandy's approach to vulnerability disclosure. The hacker Robert Hansen (also known as RSnake) wondered in a comment whether Google applies different standards to full disclosure, given that Google is itself a champion of responsible disclosure. However, Ormandy has now indicated that he worked on this vulnerability on his own account and that it has nothing to do with Google, although in his report he thanks, among others, Michal Zalewski and other members of the Google Security Team for help in creating the exploit.
Around the beginning of the year, Ormandy reported a vulnerability in the Virtual DOS Machine, and an exploit was published before a patch from Microsoft was available. At that time, Microsoft had had several months to respond.
- Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution, Microsoft advisory