Microsoft confirms critical Windows XP bug
Help Center flaw is Microsoft's eighth zero-day this year
Computerworld - Microsoft on Thursday confirmed that Windows XP and Windows Server 2003 contain an unpatched bug that could be used to infect PCs by duping users into visiting rigged Web sites or opening attack e-mail.
The company said it has seen no active in-the-wild attacks exploiting the vulnerability.
The bug in Windows' Help and Support Center -- a component that lets users access and download Microsoft help files from the Web -- doesn't properly parse the "hcp" protocol handler, Microsoft said in an advisory issued Thursday afternoon. Attackers can leverage the vulnerability by enticing users to malicious or hacked Web sites, or by convincing them to open malformed e-mail messages.
Windows Vista, Windows 7, Windows Server and Windows Server 2008 R2 are not vulnerable to the attack.
Microsoft plans to produce a patch, but has not set a release date. "Microsoft is currently working to develop a security update for Windows to address this vulnerability," the advisory stated. July 13 is Microsoft's next scheduled Patch Tuesday, but it sometimes issues patches outside its monthly plan. The last time it did so was in late March when it fixed a bug in Internet Explorer that attackers were aggressively exploiting.
The advisory was prompted by the bug's disclosure early Thursday , and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.
Microsoft made no distinction between Ormandy and his employer in a blog post Thursday.
"This issue was reported to us on June 5, 2010 by a Google security researcher and then made public less than four days later, on June 9, 2010," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC). "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."
According to the time stamp on Ormandy's message to the Full Disclosure mailing list, he posted it at 1:46 a.m. Swiss time on June 10, or 4:46 p.m. PT on June 9.
The two companies have traded blows this year that have included public arguments about the quality of each other's software suites -- Google Docs and Microsoft Office -- and about reports that Google wants to phase out Windows inside the company over security concerns.
Some security researchers blasted Ormandy for going public when Google's policy is to not reveal a bug until the affected vendor has a chance to fix the flaw. "Google can't have their cake and eat it too," said Robert Hansen, the CEO of SecTheory, in an interview yesterday.
Ormandy declined to comment when contacted by e-mail. In a message on Twitter late Thursday, however, he said, "The HelpCtr bug today was intended as a personal project. It sucks that work has been dragged into it."
The Help and Support Center vulnerability was the eighth zero-day -- the term used to describe a threat for which there is no patch -- that Microsoft has faced so far this year, according to data provided by Andrew Storms, the director of security operations at nCircle Security.
Six of those vulnerabilities have been patched, with fixes released an average of 43 days after Microsoft acknowledged the bug. The fastest turnaround was seven days for an emergency IE patch Microsoft closed in January. Hackers had exploited the bug to break into Google's corporate network. The longest cycle so far this year was 125 days.
Last year, Microsoft handled 10 zero-days, also patching them in an average of 43 days, with a shortest time-to-fix of eight days and a longest of 151 days.
"Despite the fact that Microsoft has made progress in getting researchers to report vulnerabilities, they're not immune to zero-days," said Storms.
At the current pace, Microsoft will have to deal with 18 zero-days during 2010, nearly double the number in 2009.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts