Google security researcher Tavis Ormandy has set the cat among the "responsible disclosure" pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.
The vulnerability, which is due to improper sanitization of hcp:// URIs, may allow a remote, unauthenticated attacker to execute arbitrary commands. Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.
In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that "hcp://" itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch:
I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.
Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.
Microsoft's security response center is unimpressed. In a blog post acknowledging the issue, MSRC director Mike Reavey said Ormandy's release of details "makes broad attacks more likely and puts customers at risk."
Reavey said the issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk," he said, stressing that the workaround suggested by Ormandy is inadequate.
One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.
Reavey confirmed that the issue affects Windows XP and Windows Server 2003 only. All other Windows versions are unaffected. Microsoft was expected to issue a formal security advisory with workarounds and mitigation guidance later today; it has since issued a formal security advisory with pre-patch mitigation guidance.
In the meantime, affected Windows users can unregister the HCP protocol to protect themselves using the following steps:
Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
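As an added example that is not part of the original article or of Microsoft's advisory, the following PowerShell script applies the workaround above and lets an administrator reverse it once a patch is installed. It assumes the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP (a key the article itself does not name) and that it is run from an elevated prompt on an affected XP or Server 2003 host.

```powershell
# Added example (not the article's own steps): unregister the hcp:// protocol handler
# with a backup so the workaround can be undone after patching.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP.
$HcpKeyPath = 'HKEY_CLASSES_ROOT\HCP'
$HcpKey     = "Registry::$HcpKeyPath"
$Backup     = Join-Path $env:SystemDrive 'hcp-protocol-backup.reg'

function Test-HcpHandlerRegistered {
    # True while the hcp:// handler key exists, i.e. the host is still exposed.
    return (Test-Path -Path $HcpKey)
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Host 'hcp:// handler is not registered; nothing to do.'
        return
    }
    # Export the key first; refuse to delete anything if the backup fails.
    & reg.exe export $HcpKeyPath $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; key left in place." }

    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-HcpHandlerRegistered) { throw 'HCP key still present after removal.' }
    Write-Host "hcp:// handler unregistered; backup saved to $Backup."
}

function Enable-HcpHandler {
    # Restore local help links from the backup once the vendor patch is applied.
    if (-not (Test-Path -Path $Backup)) { throw "No backup found at $Backup." }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restoring the HCP key failed.' }
    Write-Host 'hcp:// handler re-registered.'
}

Disable-HcpHandler
```

Expect the Control Panel help links mentioned above to stop working until Enable-HcpHandler is run.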
For more on the ethics of Ormandy's actions and how it relates to Google, see this Threatpost blog entry by Robert Hansen.