Google researcher Tavis Ormandy’s public disclosure Thursday of a security flaw in Microsoft’s Help and Support Center has drawn harsh criticism from Redmond.
The flaw, which exists in Windows XP and Windows Server 2003, could let hackers remotely execute code on victims’ computers.
Microsoft is angry that Ormandy publicly disclosed a proof-of-concept exploit for the flaw just four days after privately notifying the company of the flaw’s existence.
“Four days is typically not enough for a vendor to complete the initial investigation of the vulnerability and thoroughly test a comprehensive update,” Jerry Bryant, group manager of response communications at Microsoft, told TechNewsWorld.
Help! I Need Somebody!
Ormandy posted his findings and the proof-of-concept exploit for the Help and Support Center flaw on the Full Disclosure mailing list Thursday.
The problem lies in the whitelist that the Help and Support Center uses to ensure users can only access safe help documents and parameters.
Essentially, the whitelist does not properly validate URLs that use the HCP protocol (hcp:// links). An hcp:// link opens the Help and Support Center, so third-party applications, primarily Web browsers, are exposed to the flaw if they hand hcp:// links to that handler.
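The following is an added illustration of the general class of flaw the article describes, a protocol handler whose whitelist check validates a different string than the one the handler later acts on. It is not Microsoft’s code and not the specific bypass Ormandy published; the hcp:// URLs, the document names and the `ALLOWED_DOCS` whitelist are constructed for the example.

```python
"""Added example: a whitelist for an hcp://-style help handler, shown with a
check that validates the raw URL (flawed) beside one that validates the
canonicalised string the handler will actually use (hardened).
All URLs and document names below are constructed, not real Windows paths."""
from typing import Callable, Optional
from urllib.parse import unquote, urlsplit
import posixpath

# Constructed whitelist: the only help documents this hypothetical handler may open.
ALLOWED_DOCS = frozenset({"/help/index.htm", "/help/networking.htm"})
ALLOWED_DIR = "/help/"


def resolve(url: str) -> str:
    """What the dispatcher actually opens: percent-decoded and path-normalised."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath(path)


def naive_is_allowed(url: str) -> bool:
    """Flawed check: tests the raw, still-encoded path against a directory
    prefix, while the dispatcher later opens resolve(url). The two strings
    can differ, so an encoded '..' slips past the prefix test."""
    parts = urlsplit(url)
    return parts.scheme == "hcp" and parts.path.startswith(ALLOWED_DIR)


def hardened_is_allowed(url: str) -> bool:
    """Validate exactly the string that will be used, after full
    canonicalisation, against an exact-match whitelist rather than a prefix."""
    parts = urlsplit(url)
    if parts.scheme != "hcp":
        return False
    decoded = unquote(parts.path)
    # Reject nested encoding and non-canonical separators outright.
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return False
    canonical = posixpath.normpath(decoded)
    return canonical in ALLOWED_DOCS


def dispatch(url: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the document the handler would open, or None if refused."""
    return resolve(url) if check(url) else None


if __name__ == "__main__":
    benign = "hcp://services/help/index.htm"          # constructed
    crafted = "hcp://services/help/%2e%2e/private/debug.htm"  # constructed
    for url in (benign, crafted):
        print(url)
        print("  naive    ->", dispatch(url, naive_is_allowed))
        print("  hardened ->", dispatch(url, hardened_is_allowed))
```

The point to carry away is not the traversal itself but the mismatch: whatever string the handler ultimately opens is the string the whitelist must be checked against, after decoding and normalisation, and the comparison should be exact membership, not a prefix test.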
If a user is logged on with administrative user rights, an attacker who exploits the flaw can take complete control of the user’s PC, Microsoft warned in Security Advisory 2219475, released Thursday. The attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
The flaw affects the Help and Support Center function on Windows XP and Windows Server 2003.
It can be exploited if users go to specially crafted Web pages that contain malicious code or click specially crafted links in email messages, Microsoft warned.
So far, there have been no reports of attacks, and Ormandy’s exploit is still at the proof-of-concept stage, Microsoft’s Bryant said.
Redmond has spoken with Google about this, he added.
Microsoft contends that Ormandy should have waited longer before releasing his exploit publicly.
“There are variances in the types of vulnerability disclosure policies, but typically and on average the finders give the vendor 30 days,” Bryant said. “Even the most aggressive finders give the vendors at least 14 days.”
Google did not respond to requests for comment by press time.
Haste Is Waste
“Four days is a very short time,” Wolfgang Kandek, chief technology officer at Qualys, told TechNewsWorld. “At CanSecWest, they discovered a very high-profile bug that attacked the major browsers — Safari, Firefox and Internet Explorer — on March 23, and notified the vendors. Firefox fixed their flaw in 10 days; Safari about a month later, and Microsoft fixed it just this Tuesday. Nobody blamed Microsoft for taking three months to fix that bug.”
Vendors need enough lead time because they don’t just have to fix one problem.
“The bigger the company, the more gotchas there are in its products,” Kandek explained. “Microsoft had other bugs to fix as well, and each bug comes into a testing cycle.”
What Is Responsibility?
In a blog post on Technet Thursday, Microsoft said public disclosure of the details of the vulnerability without giving it time to resolve the issue puts customers at risk, and it hinted Ormandy did not adhere to the principle of responsible disclosure.
It also pointed out that the workaround Ormandy suggested is easily circumvented.
Ormandy had contended in his posting of the flaw that vendors want to maintain secrecy about bugs in their products, and equated the term “responsible disclosure” with secrecy.
That argument doesn’t cut any ice with Sean-Paul Correll, a threat researcher at Panda Security.
“If you look at responsible disclosure, you’ll see a timeframe of about five months given to vendors to fix issues,” he pointed out. “In Microsoft’s case, the protocols involved are used through its products, and it has to make sure the solutions it provides are cross-compatible,” Correll told TechNewsWorld. “They’ve got to make sure the fix doesn’t break the product elsewhere,” he said.
Look Homeward, Angel
Google’s researchers should be focusing on flaws in the search giant’s own products instead of gunning for Microsoft, Panda Security’s Correll said.
“My particular distaste for Google in this issue is not so much that it did this irresponsible disclosure; I think it should be focusing on its own vulnerabilities,” Correll said.
For example, hackers are exploiting Google search heavily to target victims using search engine optimization (SEO) techniques, he pointed out.
SEO is the process of improving the volume of traffic to a website or page based on the theory that the higher a site appears in search results for a particular term, the more visitors it will receive from the search engine.
“Rogueware attacks are being propagated through Google, and the latest one targets the FIFA World Cup,” Correll said. “People researching the World Cup are getting hit by attacks in the top-ranking search results.”