Google researcher gives Microsoft 5 days to fix XP zero-day bug
Other security experts question motives of hair-trigger publication
Computerworld - A Google engineer today published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware.
But other security experts objected to the way the engineer disclosed the bug -- just five days after it was reported to Microsoft -- and said the move is more evidence of the ongoing, and increasingly public, war between the two giants.
Microsoft said it is investigating the vulnerability and would have more information on its next steps later today.
According to Tavis Ormandy, a security engineer who works for Google in Switzerland, hackers can leverage a flaw in Windows' Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.
Ormandy posted details of the vulnerability and proof-of-concept attack code to the Full Disclosure security mailing list early Thursday. "Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," Ormandy wrote.
According to Ormandy, his attack scenario works using all major browsers, including Microsoft's newest, IE8. The bug is even easier to exploit when the machine has Windows Media Player, software that's installed by default with all versions of Windows.
Ormandy also said he had come up with a way to suppress a warning prompt that Windows XP displays when the Help and Support Center is called, making the attack stealthier.
His attack is complicated, and requires several tricks, including bypassing a whitelist meant to limit the accessed help documents to legitimate support files; using a cross-site scripting vulnerability; and then executing a malicious script.
But his attack code works. Researchers at French security vendor Vulpen Security confirmed today that Ormandy's proof-of-concept works as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8.
Switching to another browser, such as Mozilla's Firefox or Google's Chrome, is not a solution, Ormandy maintained. "Machines running [a] version of IE less than [IE]8 are, as usual, in even more trouble ... [but] choice of browser, mail client or whatever is not relevant, they are all equally vulnerable," he said.
Ormandy admitted that he reported the vulnerability to Microsoft only five days ago -- on Saturday, June 5 -- but said he decided to go public because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.
"If I had reported the ... issue without a working exploit, I would have been ignored," he said in the Full Disclosure posting.
He also slammed the concept of "responsible disclosure," a term that Microsoft and other vendors apply to bug reports that are submitted privately, giving developers time to craft a patch before the information is publicly released.
"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."
Microsoft took Ormandy to task for giving it less than a week to deal with his report. "We are especially concerned about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an e-mail this morning.
Others were even blunter.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts