Googler releases Windows zero-day exploit, Microsoft unimpressed

Summary: The vulnerability, which is due to improper sanitization of hcp:// URIs may allow a remote, unauthenticated attacker to execute arbitrary commands.


Google security researcher Tavis Ormandy has set the cat among the "responsible disclosure" pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

The vulnerability, which is due to improper sanitization of hcp:// URIs, may allow a remote, unauthenticated attacker to execute arbitrary commands. Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that "hcp://" itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch:

I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.

Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

Microsoft's security response center is unimpressed.  In a blog post acknowledging the issue, MSRC director Mike Reavey said Ormandy's release of details "makes broad attacks more likely and puts customers at risk."

Reavey said the issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk," he said, stressing that the workaround suggested by Ormandy is inadequate.

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Reavey confirmed that the issue affects Windows XP and Windows Server 2003 only; all other Windows versions are unaffected. Microsoft was expected to issue a formal security advisory with workarounds and mitigation guidance later today, and has since issued a formal security advisory with pre-patch mitigation guidance.

In the meantime, affected Windows users can protect themselves by unregistering the HCP protocol handler using the following steps:

  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  4. Right-click the HCP key, and then click Delete.

Impact of Workaround: Unregistering the HCP protocol handler will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
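The same workaround as a script, added here as an example and not taken from the article or from Microsoft's advisory: it checks whether the hcp:// handler is registered, exports the key as a backup (so the help links the workaround breaks can be restored once a patch is installed), then deletes it and verifies the result. The backup file location and the function names are assumptions; run it from an elevated prompt on the affected XP / Server 2003 systems.

```powershell
# Added example (not the article's or Microsoft's code): audit, back up and
# unregister the hcp:// protocol handler, then allow it to be restored later.
$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:TEMP 'HCP-handler-backup.reg'   # assumed backup path

function Test-HcpHandler {
    # $true while the handler is still registered, i.e. the workaround is not applied.
    Test-Path $hcpKey
}

function Backup-HcpHandler {
    # Export the key before deleting it; reg.exe on XP prompts if the file exists,
    # so remove any stale backup first instead of relying on a newer /y switch.
    if (Test-Path $backup) { Remove-Item $backup -Force }
    & reg.exe export 'HKCR\HCP' $backup | Out-Null
    Test-Path $backup
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandler)) {
        Write-Output 'hcp:// handler is already unregistered'
        return
    }
    if (-not (Backup-HcpHandler)) { throw "Backup failed; leaving $hcpKey in place" }
    Remove-Item -Path $hcpKey -Recurse -Force
    if (Test-HcpHandler) { throw 'HCP key is still present after deletion' }
    Write-Output "hcp:// handler removed; backup saved to $backup"
}

function Restore-HcpHandler {
    # Re-import the exported key once the vendor patch is installed, so the
    # legitimate hcp:// help links (e.g. in Control Panel) work again.
    if (-not (Test-Path $backup)) { throw "No backup found at $backup" }
    & reg.exe import $backup | Out-Null
    Test-HcpHandler
}

Disable-HcpHandler
```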

For more on the ethics of Ormandy's actions and how it relates to Google, see this Threatpost blog entry by Robert Hansen.


Talkback

  • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

    What the heck is hcp://?
    rossdav
    • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

      @rossdav@...
      Host Configuration Protocol...used for DHCP, which assigns IP addresses to other computers that request it that live on the same domain.
      bmonster
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        @bmonster This makes Google look really really bad. They've already taken a beating this week with their homepage design but to add this on top of it just makes them look like a bunch of amateurs. Very irresponsible of Google to do such a thing and now I cannot recommend their services to anyone. Microsoft will be providing a fix for this soon enough so don't worry about that. It takes more than five days to investigate and code a patch. Luckily this issue is not severe and people really don't need to worry about it. Just wait for the fix and install it at that time. Trying to exploit this would be highly unlikely to happen. Remember there is no code in the wild for this so you are not at risk.
        jku1
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        Seems like I've read this before. Oh I did:
        http://www.zdnet.com/tb/1-83146-1586844?tag=talkback-river;1_83146_1586844
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        Actually I think he's pretty accurate
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        I think that before leaving for good you should take a good hard look at yourself and post your conclusions here, and please, don't be too easy on yourself.
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        While you speak the truth don't let them win.
        Keep the faith.
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        As helpful and interesting as your blogs and talkbacks have been in the past, it is now time to bid them farewell. I will post no more.
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        At one time they were worth the interaction, but no longer. One reason is the sheer amount of spam anymore; it actually accounts for over half the replies.
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        But more importantly, just the sheer number of trolls, clueless, and even idiots here. You can't give an opinion anymore without being insulted, labeled, or flagged, and interestingly enough, by the same handful of people.
        Linux Love
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        Windows:
        Loverock Davidson: He has to wake up to the fact that MS does make mistakes and missteps, and like any company will continue to make them from time to time.
        No_Axe_to_Grind: He actually does, he just won't admit it.
        John Zern: When he says something it is usually an honest opinion, but maybe he should lead by example and quit falling for the bait? Countering an insult with an insult doesn't work, and he has to learn that.
        Linux Love
    • Yet Google's security hawks were all silent while your WiFi was being spied on

      Had it not been detected by the Germans, you would not have heard a thing about it. Gotta love Google's new found interest in security for the public.

      "Don't get caught while committing evil." That's what it is.
      LBiege
      • That's also what it ever was

        @LBiege

        Historical events abound.
        OS Reload
      • LOL! Dead on, LBiege

        Hysterical Event, as someone would say ;)
        John Zern
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        @LBiege,
        First of all, that collected WiFi conversations data was never used.
        Secondly, did you hear about a law which requires the use of secured WiFi? Where was it, in England? Stupid people don't turn on WiFi encryption... it's like shouting through an open window and then complaining about someone listening to it.
        vkelman@...
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        @LBiege The new iphone will be better than android in every way though. Especially in terms of hard drive space.

        Hopefully all of the rumors will be true about the new upgrades, because that will only force androids to up the ante and we'll see it go back and forth forever.

        My main point however: TRASHING THE IPHONE OS IS NOT RIGHT. It works perfectly fine.
        RahinBen
  • Lame, Google. Lame!

    This is going downhill, and Google leads the way. Now the big tech companies should search for vulnerabilities in competitors' products and disclose them publicly before notifying the vendor?

    This borders on criminal behavior. It is morally, ethically wrong.

    Google, you suck!
    honeymonster
    • Shoot the messenger

      @honeymonster

      A typical reaction.
      OS Reload
      • RE: Googler releases Windows zero-day exploit, Microsoft unimpressed

        @OS Reload

        He reported it on a *Saturday*, then releases it on a Tuesday? And you're *defending* it?

        Now if he'd released after, oh, say 3 months, I wouldn't quibble. But two *business* days is hardly enough time for confirmation, much less in-depth analysis.

        You're being blatantly pro-Google and anti-Microsoft, to the point I'm wondering if you're a Google employee...
        wolf_z