A Google engineer today published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware.
But other security experts objected to the way the engineer disclosed the bug -- just five days after it was reported to Microsoft -- and said the move is more evidence of the ongoing, and increasingly public, war between the two giants.
Microsoft said it is investigating the vulnerability and would have more information on its next steps later today.
According to Tavis Ormandy, a security engineer who works for Google in Switzerland, hackers can leverage a flaw in Windows' Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.
Ormandy posted details of the vulnerability and proof-of-concept attack code to the Full Disclosure security mailing list early Thursday. "Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," Ormandy wrote.
According to Ormandy, his attack scenario works using all major browsers, including Microsoft's newest, IE8. The bug is even easier to exploit when the machine has Windows Media Player, software that's installed by default with all versions of Windows.
Ormandy also said he had come up with a way to suppress a warning prompt that Windows XP displays when the Help and Support Center is called, making the attack stealthier.
His attack is complicated, and requires several tricks, including bypassing a whitelist meant to limit the accessed help documents to legitimate support files; using a cross-site scripting vulnerability; and then executing a malicious script.
But his attack code works. Researchers at French security vendor Vulpen Security confirmed today that Ormandy's proof-of-concept works as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8.
Switching to another browser, such as Mozilla's Firefox or Google's Chrome, is not a solution, Ormandy maintained. "Machines running [a] version of IE less than [IE]8 are, as usual, in even more trouble ... [but] choice of browser, mail client or whatever is not relevant, they are all equally vulnerable," he said.
Ormandy admitted that he reported the vulnerability to Microsoft only five days ago -- on Saturday, June 5 -- but said he decided to go public because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.
"If I had reported the ... issue without a working exploit, I would have been ignored," he said in the Full Disclosure posting.
He also slammed the concept of "responsible disclosure," a term that Microsoft and other vendors apply to bug reports that are submitted privately, giving developers time to craft a patch before the information is publicly released.
"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."
Microsoft took Ormandy to task for giving it less than a week to deal with his report. "We are especially concerned about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an e-mail this morning.
Others were even blunter.