Microsoft, users say Google security researcher put Windows customers at risk

Microsoft offers workaround to mitigate Windows XP and Windows Server 2003 flaw

Microsoft accused a Google security researcher of putting Windows customers at risk of "broad attacks" by publishing code that exploits a zero-day vulnerability.

As reported by Gregg Keizer of Computerworld, Google security engineer Tavis Ormandy "posted details of the vulnerability and proof-of-concept attack code," in a move that was controversial because he had only notified Microsoft a few days beforehand.

Microsoft's Mike Reavey, director of the Microsoft Security Response Center, wrote a blog post Thursday afternoon criticizing Ormandy. 

"This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010," Reavey wrote. "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."

Reavey said Microsoft has "initiated our emergency response process" to tackle the issue, but in the meantime offered a workaround that should reduce customers' exposure until a fix ships. Microsoft has released Security Advisory 2219475, which details several workarounds.

The vulnerability affects Windows XP and Windows Server 2003. So far, Microsoft says it isn't aware of any attacks based on the vulnerability. Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not affected by this particular vulnerability.

Customers can prevent attacks by unregistering the HCP protocol within Windows, Reavey said, while warning that doing so "will break all local, legitimate help links that use hcp://."

The steps for unregistering the HCP protocol are as follows:

  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  4. Right-click the HCP key, and then click Delete.
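The same workaround as a script, added here as an example for administrators who need to apply it to more than one machine; it is not code from Microsoft's advisory or from the article. It exports HKCR\HCP to a .reg file before deleting the key, so the hcp:// handler can be put back once a patch is installed, and it verifies each step instead of assuming it worked. It assumes an administrative PowerShell session on the affected XP or Server 2003 host, and the backup path is an assumed location.

```powershell
# Added example: unregister the hcp:// protocol handler (the workaround from
# Security Advisory 2219475) with a backup so it can be re-registered later.
# Not code from the advisory or the article. Run from an administrative
# PowerShell session. The backup path is an assumption; adjust it as needed.

# PowerShell has no HKCR: drive by default, so address the hive via the provider path.
$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = 'C:\hcp-backup.reg'   # assumed location for the exported key

function Backup-HcpKey {
    if (-not (Test-Path $HcpKey)) {
        Write-Host 'HKCR\HCP not present; nothing to back up.'
        return $false
    }
    # reg.exe export writes a .reg file that reg.exe import restores verbatim.
    # Remove any stale backup first so the export cannot prompt or fail.
    if (Test-Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Export of HKCR\HCP failed (reg.exe exit code $LASTEXITCODE)"
    }
    Write-Host "Exported HKCR\HCP to $BackupFile"
    return $true
}

function Unregister-HcpProtocol {
    if (-not (Test-Path $HcpKey)) {
        Write-Host 'hcp:// is already unregistered.'
        return
    }
    # Deleting the key removes the "URL Protocol" registration, so Internet
    # Explorer and other callers no longer hand hcp:// URLs to Help and Support Center.
    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-Path $HcpKey) { throw 'HKCR\HCP still exists after deletion' }
    Write-Host 'hcp:// unregistered. Local hcp:// help links will no longer work until it is restored.'
}

function Restore-HcpProtocol {
    # Re-register the handler from the backup after the Microsoft fix is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed (exit code $LASTEXITCODE)" }
    if (-not (Test-Path $HcpKey)) { throw 'HKCR\HCP missing after import' }
    Write-Host 'hcp:// protocol re-registered from backup.'
}

# Apply the workaround: back up first, then delete.
if (Backup-HcpKey) { Unregister-HcpProtocol }
# Once the patch is deployed, run Restore-HcpProtocol to bring hcp:// links back.
```

Keep the .reg backup somewhere the machine's own users cannot modify, since importing it is what re-enables the handler; and re-check for the key after the patch is installed, because some installers recreate HKCR\HCP on their own.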

Ormandy's attack is a complicated one, Keizer reports:

"His attack is complicated, and requires several tricks, including bypassing a whitelist meant to limit the accessed help documents to legitimate support files; using a cross-site scripting vulnerability; and then executing a malicious as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8."

But his attack code works. Researchers at French security vendor VUPEN Security confirmed today that Ormandy's proof-of-concept

Some are not amused at what appears to be Ormandy's half-hearted attempt at working with Microsoft before going public. Comments from readers of the site where Ormandy published his attack code have been nasty. One, identified as Susan Bradley, wrote:

"So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up? I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with ..."

Update 06-11-10: Ormandy now claims he was acting alone, and not under Google's direction, but most believe Google is simply performing damage control.

Is five days a fair enough time slot of warning? Is Microsoft's public response reasonable, or over the top?

(Julie Bort contributed to this post)

Follow Jon Brodkin on Twitter. 

Copyright © 2010 IDG Communications, Inc.