Microsoft issues a security advisory in response to the publication by a Google employee of attack code for a zero-day vulnerability affecting Windows XP and Windows Server 2003.
Microsoft issued a security
June 10 after a Google engineer published attack code targeting a
Windows zero-day vulnerability on the Full Disclosure message
The vulnerability, uncovered by Google engineer Tavis Ormandy, affects
"the Windows Help and Support Center
function that is delivered with Windows XP and Windows Server 2003,"
Microsoft said. Other editions of the operating system are not impacted by the
"Launching the Help and Support
Center via an hcp:// link is
normally safe and is a supported way to launch help content," said a post
Security Research & Defense blog.
"This is due in part to an
'allow list' of safe pages that Help and Support
Center checks before navigating to
a passed-in page. The Google security researcher found a help page with a
cross-site scripting vulnerability and also a mechanism by which to abuse the
allow list functionality to access that page with an exploit querystring.
Clicking on a malicious hcp:// link leverages the XSS vulnerability to
circumvent helpctr.exe's safety controls and ultimately run an arbitrary .exe
installed on the machine."
So far, Microsoft has not seen any evidence the vulnerability is being
targeted in the wild. However, attacks may be forthcoming since Ormandy's code
In his Full Disclosure message, Ormandy wrote that he reported the bug to
Microsoft June 5. His decision to publish proof-of-concept attack code and
details of the bug on the Web has sparked some criticism from security
Andrew Storms, director of security operations at nCircle, described
Ormandy's actions as "effectively forcing Microsoft's hand. He used the
same process on another bug he discovered earlier this year ... you have to
wonder if he is adding fuel to the very public fire between Microsoft and
Google by continuing to draw negative attention to Microsoft's security
Google and Microsoft have engaged in some verbal sparring lately, starting
with media reports that Google
is dumping Windows
in favor of other operating systems, in part due to
security concerns. Microsoft countered with a blog post detailing some of the security
features of Windows
and pointing to examples of malware targeting Mac
computers as well as to Yale University's
decision to halt its move to Google Gmail for security reasons.
Microsoft said in the advisory that it is working on a patch. In the
meantime, there are some workarounds
given in the advisory
that could help.
"The full-disclosure advisory included a hotfix tool built by the
Google security researcher," said the Microsoft Security Research &
Defense blog post. "Unfortunately, it is ineffective at preventing the
vulnerable code from being reached and can be easily bypassed. We recommend not
counting on the Google hotfix tool for protection from the issue. The best
workaround is to unregister the hcp:// protocol handler. Doing so will prevent
the chain of events that leads to the code execution."