Microsoft Issues Advisory on Windows Help Flaw

Microsoft today issued a new security advisory on a flaw in the Windows Help and Support Center.

The advisory (2219475) applies only to Windows XP and Windows Server 2003. Microsoft released it in response to a published proof of concept, saying in a blog post that its security team was not aware of any active exploitation. The company said it is working on a security update to address the issue.

The vulnerability could enable remote code execution if a user clicked a link in an e-mail or visited a specially crafted Web site in a browser. The problem lies in the Windows Help and Support Center, which uses the "hcp://" protocol to open help documents from a whitelist of trusted pages. The vulnerability exists because the Help Center "does not properly validate URLs when using the HCP Protocol," according to Microsoft's security advisory, so a crafted URL can escape that whitelist.

The announcement of the new security advisory comes on the heels of Microsoft's monthly security update, which was released on Tuesday, and just four days after Microsoft was notified of the flaw by Google security researcher Tavis Ormandy. Ormandy went public with exploit details on June 9 in a Full Disclosure mailing list post, arguing that "responsible disclosure" practices hamper collaboration among security researchers.

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy wrote in the e-mail. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots."

Mike Reavey, director of the Microsoft Security Response Center, took a different view. He stated that the Google researcher had not given Microsoft sufficient time to deal with the issue, putting "customers at risk."

"One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause," Reavey explained in a blog post. "While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented."

Microsoft advised against using the workarounds proposed by Ormandy, calling them "ineffective" in a post on its Security Research & Defense blog. Instead, Windows XP and Windows Server 2003 users should mitigate the issue by unregistering the HCP protocol handler using the Windows Registry editor. The blog also noted that Microsoft is not yet certain that Windows Server 2003 is affected by the specific exploit published by Ormandy.
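The following script is an added example, not code from the article or from Microsoft's advisory. It applies the advisory's registry workaround (removing the HKEY_CLASSES_ROOT\HCP key that registers the hcp:// handler) in a reversible way: it confirms the host is Windows XP or Server 2003, exports the key to a backup .reg file before deleting it, verifies the key is gone, and provides a restore function for use once the official update is installed. The backup path and the function names are assumptions made for this example; it must run from an elevated session.

```powershell
# Added example (not from the article or Microsoft's advisory): apply the
# "unregister the HCP protocol" workaround with a backup so it can be reversed.
# Assumptions: elevated session on Windows XP / Server 2003; $BackupPath is an
# arbitrary location chosen for this example.

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupPath = Join-Path $env:SystemRoot 'hcp-handler-backup.reg'   # assumed path

function Test-AffectedPlatform {
    # Advisory 2219475 covers only Windows XP and Windows Server 2003.
    $os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    return ($os -match 'Windows XP' -or $os -match 'Server 2003')
}

function Disable-HcpProtocol {
    if (-not (Test-AffectedPlatform)) {
        Write-Warning 'This host is not Windows XP or Server 2003; nothing to do.'
        return
    }
    if (-not (Test-Path $HcpKey)) {
        Write-Host 'HCP protocol handler is already unregistered.'
        return
    }

    # Export the key before deleting it so the change can be rolled back.
    # (Older reg.exe builds have no /y switch, so clear any stale backup first.)
    if (Test-Path $BackupPath) { Remove-Item -Path $BackupPath -Force }
    & reg.exe export 'HKCR\HCP' $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup to $BackupPath failed; not touching the registry."
    }

    # Deleting the key unregisters the hcp:// handler, so crafted hcp:// URLs
    # no longer reach the Help and Support Center.
    Remove-Item -Path $HcpKey -Recurse -Force

    if (Test-Path $HcpKey) { throw 'HCP key still present after removal.' }
    Write-Host "HCP handler unregistered; backup saved to $BackupPath"
}

function Restore-HcpProtocol {
    # Re-register the handler, e.g. after the official security update is applied.
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry import failed.' }
    if (-not (Test-Path $HcpKey)) { throw 'HCP key missing after import.' }
    Write-Host 'HCP handler restored from backup.'
}

Disable-HcpProtocol
```

While the key is removed, hcp:// links inside Help and Support Center will stop working, which is the expected cost of this workaround; run Restore-HcpProtocol only after the vendor update is installed.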

A post on Secunia's security blog agreed with Microsoft's assessment that Ormandy's workarounds do not fix the problem, and it also questioned his analysis of the root cause.

"After confirming the vulnerability and publishing a Secunia advisory, we scheduled the vulnerability for an in-depth analysis, which uncovered that the cause is different and that the provided, unofficial hotfix does not properly address the vulnerability," stated Alin Rad Pop, Secunia's senior security specialist, in the blog post.

Commenting on the timing of the disclosure, Robert "RSnake" Hansen, a security researcher and CEO of SecTheory, characterized Ormandy and Google as hypocritical on responsible disclosure.

"How is that possibly reasonable to expect a company like MS to turn around a patch in 4-5 days and then get so upset that then you must go full disclosure?" Hansen asked in a blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
