The vulnerability, uncovered by Google engineer Tavis Ormandy, affects “the Windows Help and Support Center function that is delivered with Windows XP and Windows Server 2003,” Microsoft said. Other editions of the operating system are not impacted by the bug.
“Launching the Help and Support Center via an hcp:// link is normally safe and is a supported way to launch help content,” said a post on Microsoft’s Security Research & Defense blog. “This is due in part to an ‘allow list’ of safe pages that Help and Support Center checks before navigating to a passed-in page. The Google security researcher found a help page with a cross-site scripting vulnerability and also a mechanism by which to abuse the allow list functionality to access that page with an exploit querystring. Clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary .exe installed on the machine.”
So far, Microsoft has not seen any evidence the vulnerability is being targeted in the wild. However, attacks may be forthcoming since Ormandy’s code is public.
In his Full Disclosure message, Ormandy wrote that he reported the bug to Microsoft June 5. His decision to publish proof-of-concept attack code and details of the bug on the Web has sparked some criticism from security professionals.
Andrew Storms, director of security operations at nCircle, described Ormandy’s actions as “effectively forcing Microsoft’s hand. He used the same process on another bug he discovered earlier this year … you have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft’s security process.”
Google and Microsoft have engaged in some verbal sparring lately, starting with media reports that Google is dumping Windows in favor of other operating systems, in part due to security concerns. Microsoft countered with a blog post detailing some of the security features of Windows and pointing to examples of malware targeting Mac computers as well as to Yale University’s decision to halt its move to Google Gmail for security reasons.
Microsoft said in the advisory that it is working on a patch. In the meantime, there are some workarounds given in the advisory that could help.
“The full-disclosure advisory included a hotfix tool built by the Google security researcher,” said the Microsoft Security Research & Defense blog post. “Unfortunately, it is ineffective at preventing the vulnerable code from being reached and can be easily bypassed. We recommend not counting on the Google hotfix tool for protection from the issue. The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution.”