Google researcher gives Microsoft 5 days to fix XP zero-day bug

Other security experts question motives of hair-trigger publication

A Google engineer today published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware.

But other security experts objected to the way the engineer disclosed the bug -- just five days after it was reported to Microsoft -- and said the move is more evidence of the ongoing, and increasingly public, war between the two giants.

Microsoft said it is investigating the vulnerability and would have more information on its next steps later today.

According to Tavis Ormandy, a security engineer who works for Google in Switzerland, hackers can leverage a flaw in Windows' Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.

Ormandy posted details of the vulnerability and proof-of-concept attack code to the Full Disclosure security mailing list early Thursday. "Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," Ormandy wrote.

According to Ormandy, his attack scenario works using all major browsers, including Microsoft's newest, IE8. The bug is even easier to exploit when the machine has Windows Media Player, software that's installed by default with all versions of Windows.

Ormandy also said he had come up with a way to suppress a warning prompt that Windows XP displays when the Help and Support Center is called, making the attack stealthier.

His attack is complicated, and requires several tricks, including bypassing a whitelist meant to limit the accessed help documents to legitimate support files; using a cross-site scripting vulnerability; and then executing a malicious script.

But his attack code works. Researchers at French security vendor Vulpen Security confirmed today that Ormandy's proof-of-concept works as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8.

Switching to another browser, such as Mozilla's Firefox or Google's Chrome, is not a solution, Ormandy maintained. "Machines running [a] version of IE less than [IE]8 are, as usual, in even more trouble ... [but] choice of browser, mail client or whatever is not relevant, they are all equally vulnerable," he said.

Ormandy admitted that he reported the vulnerability to Microsoft only five days ago -- on Saturday, June 5 -- but said he decided to go public because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.

"If I had reported the ... issue without a working exploit, I would have been ignored," he said in the Full Disclosure posting.

He also slammed the concept of "responsible disclosure," a term that Microsoft and other vendors apply to bug reports that are submitted privately, giving developers time to craft a patch before the information is publicly released.

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."

Microsoft took Ormandy to task for giving it less than a week to deal with his report. "We are especially concerned about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an e-mail this morning.

Others were even blunter.

"Google can't have its cake and eat it, too," said Robert Hansen, the CEO of SecTheory. A noted security researcher -- in 2008, he and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about browser "clickjacking" attacks -- Hansen scolded Google, Ormandy's employer, for claiming that the company abides by responsible disclosure when its security researchers do not.

"Their researchers are going off half-cocked," said Hansen, who deplored Ormandy's quick publication of the vulnerability and attack code. "It just doesn't add up."

Hansen went even further, and said a case could be made that Ormandy's fast trigger could be part of the battles between Google and Microsoft. "It sounds to me like Google was upset about the publicity over its decision to drop Windows, the 'use anything but Microsoft' thing. Google got a lot of backlash from the security community over that, because it doesn't matter what OS you use."

Earlier this month Google and Microsoft traded shots over a report that Google was urging its workers to dump Windows over security concerns. Security analysts said the charge was bogus.

"This stinks of retribution," said Hansen. "If Google really goes by responsible disclosure, they should fire Ormandy today." Hansen noted that Ormandy credited other Google security researchers for their help and linked to a Google blog on browser security in his message on Full Disclosure. "You shouldn't do that if you want to disassociate yourself from your employer."

That's impossible, argued Andrew Storms, director of security operations at nCircle Security. "[As a security researcher] you can't really separate your work from your employer. So you have to wonder if [Ormandy[] isn't intentionally feeding the feud between Google and Microsoft."

Like Hansen, Storms questioned Ormandy's decision to reveal his findings just five days after he reported the vulnerability to Microsoft. "You can't say in this case that the vendor was sitting on their hands, not being responsive, which is why researchers usually go public, to force [a vendor's] hand.

"This is no better than not reporting it to Microsoft," concluded Storms.

Hansen, who acknowledged that he has worked for Microsoft as a security consultant on several projects, weighed in again. "The whole thing rubbed me the wrong way," he said.

Ormandy did not respond to a request for comment on Hansen's accusations.

Others knocked Ormandy for offering up a unsanctioned fix. In his note on Full Disclosure, Ormandy recommended moves that users could take until a patch is ready, including a link to what he described as an "unofficial (temporary) hotfix."

But Secunia said the patch didn't work. "It is possible to bypass the fix implemented by the unofficial hotfix and still exploit the vulnerability," claimed the Danish vulnerability tracking firm in a blog post Thursday .

Microsoft agreed with Secunia. "The mitigations [Ormandy] presented may not be effective, so he has really put both our customers and the customers of his employer at risk," said the MSRC's Bryant.

Microsoft's next regularly-scheduled security updates will ship July 13. Storms, for one, doesn't think Microsoft will have a fix finished by then. "They probably already have all the patches for July in QA by now," said Storms. "I don't think it's feasible that they could have something ready in time."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

This story, "Google researcher gives Microsoft 5 days to fix XP zero-day bug" was originally published by Computerworld.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

IT Salary Survey 2021: The results are in