Microsoft warns of (another) zero-day XP bug
Microsoft warned users Thursday of a zero-day flaw affecting Windows XP and Windows Server 2003, occurring ironically in the Windows Help and Support Center, that could enable hackers to launch malicious attacks.
Specifically, the security flaw, first detected and published by Google researcher Tavis Ormandy, occurs in the Windows Help and Support Center. The bug is accessed through the protocol handler and can be triggered through all major browsers.
Other Windows platforms, including Vista, Windows 7 and Windows Server 2008 are not affected by the bug or vulnerable to attack.
“It can be triggered through all major browsers, but as Tavis points out, it easier to exploit under IE7,” said Wolfgang Kandek, chief technology officer for Qualys, in a blog post.
Mike Reavey, director of the MSRC said that the issue was reported to Microsoft on June 5 by a Google security researcher and then publicly disclosed on June 9, giving the company little time to appropriately address or disseminate the issue.
“Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customer, makes broad attacks more likely and puts customers at risk,” Reavey said.
“While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented,” he added.
If exploited, the flaw enables attackers to launch drive-by download attacks, which can infect users’ computers with malware when they visit a compromised Website.
Thus far, the Microsoft was not aware of any “in the wild” attacks exploiting the flaw, Reavey said.
Microsoft plans on releasing a security advisory later Thursday. Until Microsoft creates a patch repairing the flaw, the company suggested that users unregister the HCP protocol to mitigate impacts of a potential attack.
Meanwhile, other security researchers pointed out that Microsoft has had a zero-day flaw every month during 2010, which will likely serve to damage their reputation as they desperately try to gain credibility in the security industry.
“If Adobe weren’t the poster child for lousy security right now, the negative press for Microsoft on this would probably be much worse,” said Andrew Storms, director of security for nCircle, in an e-mail. “Any users on the fence about upgrading from XP should take a hard look at all the security bulletins for the last six months. The information there should help change your mind.”
Despite Microsoft’s security blunders, Storms questioned the timing and method of Tavis’ vulnerability disclosure, speculating that it might serve to fuel existing tensions between the Microsoft and the search engine giant.
“The disclosure timing for this vulnerability is already creating controversy. Tavis Ormandy, a Google employee, found the bug in the Windows kernel and notified Microsoft on Sunday. Then he released complete details to the Full Disclosure security mailing list yesterday, effectively forcing Microsoft’s hand,” Storms said. “Tavis has been trying to separate his actions from his employer, but you have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft’s security process.”