Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

The vulnerability, which is due to improper sanitization of hcp:// URIs, may allow a remote, unauthenticated attacker to execute arbitrary commands on the affected machine.

Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that “hcp://” itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch:

I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security. Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.


Microsoft’s security response center is unimpressed. In a blog post acknowledging the issue, MSRC director Mike Reavey said Ormandy’s release of details “makes broad attacks more likely and puts customers at risk.”

Reavey said the issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” he said, stressing that the workaround suggested by Ormandy is inadequate.

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Reavey confirmed that the issue affects Windows XP and Windows Server 2003 only. All other Windows versions are unaffected. Microsoft is expected to issue a formal security advisory with workarounds and mitigation guidance later today.

In the meantime, affected Windows users can unregister the HCP protocol to protect themselves using the following steps:

  • Click Start, and then click Run.
  • Type regedit, and then click OK.
  • Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  • Right-click the HCP key, and then click Delete.

Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
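The four regedit steps above, scripted so they can be applied and verified on more than one machine, with the key exported first so the handler can be restored once a patch ships. This is an added example written for this page; it is not code from the original article, from Microsoft's guidance or from Google. It assumes an elevated (Administrator) PowerShell session on the affected XP or Server 2003 box (PowerShell is not installed by default on either, and reg.exe is used for the export because PowerShell has no native cmdlet for it); the backup path is an arbitrary choice.

```powershell
# Added example (not from the original article, Microsoft or Google):
# back up and unregister the hcp:// protocol handler, then verify.
#
# Assumptions: elevated PowerShell session on the affected Windows XP /
# Server 2003 machine; reg.exe available (ships with Windows). The backup
# file location below is an arbitrary choice for this example.

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:SystemDrive 'hcp-handler-backup.reg'

function Get-HcpHandlerCommand {
    # A URL protocol handler is just a key under HKEY_CLASSES_ROOT whose
    # shell\open\command default value names the program that receives the
    # URI. Reading it shows exactly what an hcp:// link would launch.
    $cmdKey = "$HcpKey\shell\open\command"
    if (-not (Test-Path -Path $cmdKey)) { return $null }
    return (Get-ItemProperty -Path $cmdKey).'(default)'
}

function Test-HcpHandlerRegistered {
    # True while the HCP key exists, i.e. hcp:// links still reach the handler.
    return (Test-Path -Path $HcpKey)
}

function Backup-HcpHandler {
    # Export the whole key with reg.exe so "reg import" can put it back later.
    if (Test-Path -Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe export failed with exit code $LASTEXITCODE; not deleting the key"
    }
}

function Unregister-HcpHandler {
    # Equivalent of right-clicking the HCP key in regedit and choosing Delete.
    Remove-Item -Path $HcpKey -Recurse -Force
}

# --- main flow ---
$command = Get-HcpHandlerCommand
if ($command) {
    Write-Host "hcp:// URIs are currently handled by: $command"
} else {
    Write-Host 'No hcp:// shell\open\command found; handler absent or already unregistered.'
}

if (Test-HcpHandlerRegistered) {
    Backup-HcpHandler
    Unregister-HcpHandler
}

if (Test-HcpHandlerRegistered) {
    throw 'HKEY_CLASSES_ROOT\HCP still exists; the workaround was not applied.'
}
Write-Host "hcp:// handler unregistered. Backup written to $BackupFile."
Write-Host "To restore after patching, run: reg.exe import `"$BackupFile`""
```

The script refuses to delete the key if the export fails, so there is always a .reg file to re-import once the patch is installed. Run `Test-HcpHandlerRegistered` by itself to audit whether the workaround is in place on a given machine. The impact note above still applies: while the key is gone, every legitimate hcp:// link on the system stops working.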

For more on the ethics of Ormandy’s actions and how it relates to Google, see this guest editorial by Robert Hansen.

Categories: Vulnerabilities

Comments (44)

  1. Balaji Birajdar
    2

    Why are all these people trying to break Windows? After all, it's the best OS on the planet.

    God..!! Please forgive them because they don’t know what they are doing..


  2. Cardin
    3

    To me that researcher has no personal code of conduct. Exploits should be published only after a patch has been issued.

  3. Anonymous
    5

    Yep, the guy who posted the exploit should really be punished; in my opinion he has committed a form of espionage. Microsoft got sued for bundling IE with Windows, so how can this guy get away with providing instructions to do serious harm to the masses?

    In principle it's not much different from trading nuclear secrets, only the stakes aren't as high.
    Spreading dangerous information in this way should be illegal. It would be fine if one gave adequate time for the company to remedy the problem before showing the exploit, but this information at this point in time, before a fix, could only bring harm.

    His reason not to wait for a fix must be malicious; I'm trying to think otherwise, but no other reason comes to mind. Big-noting, perhaps.

    And that registry fix is not adequate, that will only hinder the exploit, not remove it.

  4. Full Disclosure
    6

    > Exploits should be published only after a patch has been issued.

    We used to do that, but vendors would almost never patch things and instead aimed legal threats at the people who told them about the problems (no matter how many bad guys there were actively exploiting the problems and not informing the vendors). The only way we started to get half-decent security was by dropping exploit code on them and forcing them to sink or swim.

    Microsoft in particular has a slow release time. Given that he said the vulnerability was already being actively exploited, I’m glad that he released it. Otherwise, the bad guys would be quietly using it while Microsoft sat on their hands and waited to issue a patch.

    Now, I know that someone is going to take issue with that "has a slow release time" because, hey, they've got all these metrics that say that they take less than X days *from the time the vulnerability is acknowledged* until the patch. The problem is that they cheat by taking X weeks (or months…) to "acknowledge" the problem, usually only doing so when they have a patch ready. They can fudge the dates all they want, but the real security pros know the truth.

  5. Anonymous
    7

    “in my opinion he has committed a form of espionage.”

    Ahah, the world is full of ignorant people. I agree it was a bit of a tool move, especially to post an exploit right away. But to accuse him of committing espionage by publishing his own hard work is ridiculous.

    “Is a man not entitled to the sweat of his brow?”

  6. Google Goggles
    10

    Publishing the exploit is at best irresponsible. Google could have published the fact that they had found a vulnerability and given it a name/ID, but without giving away enough information to be of use to any would-be hacker. They could register this with a date and give Microsoft enough time to fix the problem before releasing any details. They should always pre-warn Microsoft that they are about to release the details, with a sufficient notice period for Microsoft to pull their finger out and produce the fix.

  7. Good On Him
    11

    I'm glad he published this. Microsoft are known for sitting on these things for months anyhow, so a force of hand is required sometimes. Bet they fix it fast now. Just goes to show how quickly an exploit can be addressed when the pressure's on. They should be working just as fast normally if they wish to produce defective software.

  8. Oluka
    12

    Really… If Google is behind this, that is totally very sad. Well… imagine someone did the same for one of Google's technologies. Soon this will happen, because in the world of programming bugs will always be there, no matter how smart or huge you are.

  9. Michael
    13

    Well, I'm moving to Bing then, 'cos I don't like the possibility of Google putting this code into its website, if they're gonna let a tosspot like him throw out code to do damage.

  10. Rob
    14

    Release the exploit, yes, but five days was too short. You don't just add a semicolon, recompile the code, and go home. I can get a patch through QA and out to production in my WEB BASED software within five days, but it takes a great deal more to get patches out for every configuration of Windows that Microsoft would have to test. Then there's the issue of getting the patch to each and every Windows PC in the world, which could take days. Five days was just too few.

  11. Branco
    15

    Microsoft has become a better company these days regarding the issue of exploits. The fact that there is a protocol in place to report exploits, and a timetable that is followed to address such issues on a regular basis, is way better than what we had a few years ago.

    Dealing with this Microsoft as if it was the same MS of the pre-XP era is irresponsible. The guy in Google seems to be after the headlines, that’s all.

  12. Anonymous
    16

    No matter what:

    1) He should not have posted the information on how to take advantage of the vulnerability online. Sure, Microsoft should ensure that vulnerabilities are patched, but to post how to hack into someone's system is still unethical. Would Google want Microsoft to post information on how to hack into Google applications with a couple of hours' notice? Did their employee try to contact Microsoft to discuss the issue he sent them on a SATURDAY? So, in reality, there were only three days to handle the problem.

    2) He & Google should be held accountable – if an organization has a problem because of this – he & Google should be the ones sued.

    3) 5 days is NOT long enough

    Just because you are intelligent and want to toot your own horn to show people how smart you are is no reason to be unethical.

  13. Quixotic
    17

    Interesting thread on the Full Disclosure list about the number of days Microsoft was given to respond before Tavis released his information. I am curious if it took Tavis more than 5 days to define and work out the details of the exploit….

    I like the Full Disclosure approach but also agree with Bruce Schneier that a researcher should give a vendor a head start on a fix. How much is enough and how much is too much? Bruce cites CERT at 45 days and Microsoft at 30 days, but offers no suggestions of his own in the essays cited by Tavis.

    Tavis obviously feels 5 days is sufficient. I’m curious what others think is an adequate head start?

    Regarding the comments Tavis made about having to collaborate with other colleagues over the problem and the time constraints likely involved, how does 15 days sound?

  14. Anonymous
    18

    OK, I'll grant you guys that he indeed moved too fast, but he shouldn't be punished for that. He found an exploit, he generated some knowledge and gave it away for the community to use. We are not hacker-sitters. Of course there are going to be people who use this information to harm someone, but we are not to blame this programmer for someone else's bad choices, the same way we don't hold Albert Einstein responsible for the atomic bombings of Hiroshima and Nagasaki.

  15. James
    19

    Everyone here blames "the Googler" for the exploit and publishing it, but I see Microsoft to blame: they have a reputation of NOT fixing things fast enough and of having these bugs in their software.

    After all, if there was no problem to exploit… this issue would not be present.

    If I discovered a vulnerability as such, I would make it public immediately.

  16. Bob B
    20

    Report was released on a Saturday. So what?! Microsoft should have been working on it round the clock from that point. Besides, “…protocol handlers are a popular source of vulnerabilities and … “hcp://” itself has been the target of attacks multiple times in the past. ” so MS should have been well underway with a fix.

    However, with that said, and with Google about to release its own OS, they had better make sure that it is perfect, 'cause the shoe is about to be on the other foot! The old biblical adage of "Do unto others as you would have them do unto you" is good advice!

  17. Anonymous
    22

    He states his motivation in followup mails to his Full Disclosure posting. He doesn’t believe in responsible disclosure.

    He should be prosecuted for putting millions of people at risk because he believes the vulnerability is in the wild. He doesn’t offer any proof whatsoever though.

    Those of you defending him have something wrong upstairs. He’s no better than the black hats in my mind. After all, he’s doing their work for them.

  18. Nothing
    23

    What an interesting concept… I mean, not letting people know of the issue.

    I would rather have known the issue than not. Imagine Windows being used in a critical system, like a production plant. Nowadays, they are connected to the outside world through a gateway machine. If that gateway machine can be compromised, I'd rather shut it down and feel secure. Would you rather not know it? That sounds scary to me…

    Also, the people who are in the know probably know this already. It is like they have a big bucket of exploits ready for the zero-day exploit.

    Now, put this into an extreme case. Imagine this is your car, and this issue will cause it to run away… would you rather not know it? It could get you killed.

    I would say it is Microsoft's responsibility to find a workaround and fix this as soon as possible. For me, 4 days is enough to know of a workaround.

  19. Anonymous
    24

    Dear lord, there are some stupid people that post here. 4 days is enough to verify, code, test against god knows how many different configurations and then release it? There are too many people with no sense of reality posting on these boards.

  20. Gabe
    25

    Hey, we live in a time of competition

    I myself do not like living this way and feel it’s very destructive to our world, as well as our society.

    Yet you all continue to feel the need to compete with each other to see who is better… and at the same time want to cry and whine like little babies when someone drops the bomb on your competition and makes it harder for you…

    If you choose to compete, you’d better be ready for the competition, making silly rules about codes of conduct and other nonsense like that is just stupid… in reality, there are no breaks… unless it’s your leg.


  21. Marco
    26

    I'm curious… how is the Debian Security Team able to patch critical bugs in a period of usually 3-4 days? What's wrong with them? Are they from an alien planet?

    No, they simply are really good at what they do, and they understand very well that such kinds of bugs must be addressed seriously, as soon as possible.

    It appears that others at Redmond are not aware of that.

    Debian Security Team is not the only example of course doing an outstanding job, OpenBSD Team is another venerable one ….. Microsoft should really learn a lot from them …. and no, 4 days is not a too short time.

  22. Dazza
    27

    The only way Microsoft seems to respond is when they are forced to!

    If Tavis hadn't made it public, then how long would it take for MS to fix it? 12 months?

    In the meantime the hackers, who already know of most of these holes, can have a ball for 12 months or so. At least MS will jump on this patch pretty quickly.

    You can bet that the hackers, and Microsoft, know of many holes that are being exploited yet not publicly known!

  23. Ian Boyd
    28

    Windows XP:

    - 3 versions

    - 3 service pack levels

    - 100 languages

    Gives, at a minimum, 600 variations of Windows that have to be fixed and tested. 

    You try making sure that a fix you have to create now, because some ignorant gas-bag told the world about a vulnerability earlier today.

    I don't *want* Microsoft rushing a half-assed fix out the door. Even after a fix has been made, and fully regression tested for 600 different products, I still don't want the exploit details released publicly. Many installs of Windows are not updated. Some are out of support date.

    It’s better for everyone if fixes are quietly reported and fixed. If you think Microsoft sits on their hands doing nothing: then you’re not a programmer.

  24. Boogie Monster
    29

    Ian, here is some remedial math for you. If there are 3 versions, 3 SPs, and 100 languages, then that's 900 different products (3 x 3 x 100).

    But, if you think different languages make each version "different," you are mistaken. Assuming Microsoft has a clue about extensibility and encapsulation, the only "difference" in each language version is the language pack. Whether it's in Chinese or Bengali, all the underlying code of HCP (and just about everything else in the OS) is the same.

    So really, Microsoft only has 9 versions of XP to test against. No big deal when you're a super-giant software titan with massive resources, likely including an entire department devoted to testing.

    Are you sure you’re a programmer?

  25. Corrector
    30

    "If you think Microsoft sits on their hands doing nothing: then you're not a programmer."

    If MS can't fix problems quicker, then they must return to something within their reach, like planting carrots.

    Of course, as an MS lackey, if MS were to plant carrots, then you would also have to plant carrots.

    “He should be prosecuted for putting millions of people at risk because he believes the vulnerability is in the wild. He doesn’t offer any proof whatsoever though.”

    And your system should be taken over with an unpublished vuln somebody was “responsibly” sitting on for months.


  26. Anonymous
    31

    @Corrector – You are correct. Now let’s start 0daying Google. They apparently don’t care what their employees do, so why should they care what we do? I think it’s good medicine. :)

  27. Corrector
    32

    Now let’s start 0daying Google.

    Huh? Why? Do you understand what I wrote? Do you understand anything?

  28. Anonymous
    33

    Yeah, you don't like the idea of being vulnerable for months on end because Tavis may not have told us. So let's 0day Google. Let's find the vulns and then tell all the hackers how to use the vulns. I don't want to be vulnerable, so let's hack Google. They can't complain anymore. :)

  29. taviso
    34

    I can't believe the double standard Google has. And this guy releasing this JUST because he wants a bit more fame, in the name of "protecting users".

    I think Tavis should go to the shrink or buy a “get a self-esteem today” book and stop bothering people in the name of security. You are famous now, Tavis. Congrats.

  30. antihacker101
    36

    If you wanna know what I experienced with all the worms and hackings that have grown tensions for both Google and Microsoft, I can surely tell ya that they are scared.

    I would be too if busted in the situation they created. That soon will be revealed.

    I say that Microsoft is the guilty one from day 1 to now, and just like Google got busted and is guilty as charged, they are practically admitting to what's about to kill another part of the companies.

  31. Anonymous
    37

    IIRC, it wasn’t that Microsoft didn’t fix it in 5 days, it was that they didn’t respond to him at all for 5 days. There’s a difference.

  32. Rick
    38

    Is it bad to find out about the exploit through legitimate sources and have it on all the web news portals mere hours afterwards? Or is it better to discover it 6 months later, when your machine gets wiped clean or filled with junk because of a known exploit that Microsoft sat on because they had no incentive to fix it?

  33. Matt
    39

    Several posters here don't understand the implication of punishing somebody who publicly posts vulnerabilities like this on the web. If security professionals were constantly afraid of being sued, there wouldn't be any potential for release of this info. At that point, only the people creating the malicious software would know the exploits, while the OS manufacturer sat on their hands until they felt like fixing the problem.

    Wake up folks, it is no secret that Windows XP is outdated and ill-maintained. If users expect any sort of upper-tier security from an old Windows OS, they are fooling themselves.

    That said, 5 days is a very short period of time for a large company to package and distribute a fix, but talk about lighting a fire under Microsoft. You should all thank this guy for getting his hands dirty, because in the end, it gets > 90% of XP users access to the fix much faster than if he hadn't gone public.

  34. Anonymous
    41

    I agree that these vulnerabilities should be published to "push" Microsoft along, but 4 days? There's a difference between "sitting" on the problem and shoving it down their throat. Fixing these issues takes some time, and 4 days is just unreasonable. Perhaps after 30 days it would be reasonable, but this is just irresponsible.

  35. Ty@Casinomastersguide.com
    42

    I hope that Google's OS will take Windows' place.

    I just love google

  36. Jim
    43

    I’m glad this was released in this way. Microsoft has known about this vulnerability for almost a year now, and still no patch. The only reason they haven’t patched it, because it isn’t worth their time to.

    It is getting old when small time security professionals try to get bugs fixed and they are sued into oblivion. I mean, how sad is that when it is cheaper to sue someone than it is to fix the problem?

  37. ComeTryYah
    44

    What if someone anonymous found a new exploit and, for whatever reason, couldn't contact Microsoft, or was being ignored?

    What if, further, they were _not_ a follower of any security lists, and therefore had no clue of the "gentleman's agreement" the security community (for the most part) seems to have? What if the only place they could find to post something was Full Disclosure, or their own website?

    What if you start holding Joe 6-Pack accountable if they find something and say it? Pretty soon you're going to have a chilling effect and drive everyone underground. Who wants to be sued for sharing an exploit they didn't create?

    If anything there isn’t enough transparency. These exploits are not rocket science, nor are they “classified state secrets. ”

    Or maybe you're one of the ones who wants a Token ID for everyone on an already spied-on web?

    Look I can go to http://www.microsoft.com/security/default.aspx
    and where do I see a place to submit an exploit? I don't see it. I have to dig around more, I guess.

    Maybe I am in a hurry…
    http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=report+exploit
    Still no luck..

    http://www.google.com/search?q=report+exploit
    Ahhh… there we go… starting to get somewhere. CERT seems to keep their stuff up top, but what if we don't trust DHS?

    What if I personally know someone at Microsoft, and HATE dealing with them, because of the past? Then what? Sue the messenger?

    This is a Microsoft failure. Their security LOGIC is flawed. Let's compare to a fighter aircraft, shall we? There are scheduled inspections, scheduled maintenance, and there is unscheduled maintenance, like, say, an engine overheat light on a console.

    Microsoft has chosen to have "scheduled maintenance" only. I remember the day they did it, promising they were going to do so much better on security. The only things I've seen since then are the removal of the FTP site http://ftp.microsoft.com for patches, the introduction of an ActiveX denial of service for updates, then shortly after WGA forcing updates through a specific browser, less and less up-front information about what is going on, and a complete scramble of any static links. No buddy, don't blame this on Google when your left engine fails and you need to "punch out."

Comments are closed.