News

Microsoft Issues Advisory on Windows Help Flaw

• By Kurt Mackie
• June 10, 2010

Microsoft today issued a new security advisory on a Windows help function flaw.

The advisory (2219475) only applies to Windows XP and Windows Server 2003. Microsoft released the advisory based on a proof-of-concept scenario, saying in a blog post that its security team wasn't aware of any active exploits. However, the company is working on releasing a future Windows security update.

The vulnerability could enable a remote code execution attack if a user clicked on an e-mail link or visited a specially crafted Web site using a browser. The problem is associated with the Windows Help and Support Center function, which uses the "hcp://" protocol to access a list of help articles in a protected list. The vulnerability is present because the Center "does not properly validate URLs when using the HCP Protocol," according to Microsoft's security advisory.

The announcement of the new security advisory comes on the heels of Microsoft's April security update, which was released on Tuesday. It comes just four days after Microsoft was notified of the flaw by Google security researcher Tavis Ormandy. Ormandy went public with exploit details on June 9 in a Full Disclosure mail list post, claiming that following "responsible disclosure" practices just hampered security research teamwork efforts.

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy wrote in the e-mail. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots."

Mike Reavey, director of the Microsoft Security Response Center, expressed a different opinion. He stated that the Google researchers had not given Microsoft sufficient time to deal with the issue, putting "customers at risk."

"One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause," Reavey explained in a blog. "While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented."

Microsoft advised against using the workarounds posed by Ormandy, calling them "ineffective" in a security research and defense blog. Instead, Windows XP and Windows Server 2003 users should mitigate the issue by unregistering the HCP Protocol using the Windows Registry editor. The blog also noted that Microsoft is not quite sure that Windows Server 2003 is affected by the specific exploit called out by Ormandy and Google.

A Secunia security blog agreed with Microsoft's assessment that Ormandy's workarounds don't fix the problem, and it even critiqued his analysis.

"After confirming the vulnerability and publishing a Secunia advisory, we scheduled the vulnerability for an in-depth analysis, which uncovered that the cause is different and that the provided, unofficial hotfix does not properly address the vulnerability," stated Alin Rad Pop, Secunia's senior security specialist, in the blog post.

Commenting on the timing of the disclosure, Robert "Rsnake" Hansen, a security researcher and CEO at SecTheory, depicted Ormandy and Google as hypocrites on responsible disclosure.

"How is that possibly reasonable to expect a company like MS to turn around a patch in 4-5 days and then get so upset that then you must go full disclosure?" Hansen asked in a blog.