Google employee publishes 0-day Windows vulnerability
A Google security researcher took the unusual step of publishing technical details of a vulnerability in the Windows Help and Support Center without giving Microsoft time to release a patch.
The vulnerability, caused by incorrect processing of URIs that use the hcp:// protocol, could allow remote code execution.
Ormandy, who incidentally had recently acted in a similar way, forcing Oracle to urgently address a dangerous vulnerability in Sun Java, has now posted exploit code only five days after reporting his discovery to Microsoft.
In his letter, Ormandy noted that protocol handlers often contain vulnerabilities, and recalled that the hcp:// protocol itself has been attacked more than once. This led him to publish before a patch was released:
“I believe that there is a high probability that crackers have already studied this component, so the publication of this information is in the best interests of global security. I recommend that those of you who have a lot of support contact express your wish for an early Microsoft response to a variety of security reports.”
The Microsoft Security Center was not impressed by Ormandy’s actions. MSRC Director Mike Reavey says that Microsoft became aware of the issue on June 5, 2010 (Saturday), and that it was published less than four days later. “Publishing the details of this vulnerability, as well as instructions for using it, without providing us with the proper time to solve the problem, increases the likelihood of large-scale attacks, thereby increasing the risk to the end user.” He also emphasized that the interim solution proposed by Ormandy was inadequate.
“One of the main reasons why we and many other software manufacturers claim that publication should be approached with responsibility is that only the manufacturer of the product can fully understand the cause and find the source of the problem. Although the find of the researcher from Google was important, it turns out that the analysis was incomplete, and the temporary solution proposed by Google is easy to get around. In some cases, it’s worth spending a little more time on a thoughtful solution that cannot be overcome and that does not spoil the quality of the product.”
Reavey confirms that the vulnerability affects only Windows XP and Windows Server 2003; no other versions of Windows are affected. Microsoft is expected to release a security advisory with a workaround soon.
In the meantime, users of affected versions of Windows can deregister the HCP protocol by removing the HKEY_CLASSES_ROOT\HCP key from the registry.
Note that deregistering the HCP protocol will break all legitimate help links that use hcp://. For example, links to the Control Panel may no longer work.
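One way to apply this workaround so that it can be undone once a patch is installed, given that removing the key breaks legitimate help links. This is an added example, not taken from the original article or from Microsoft: a cmd.exe batch script using reg.exe, to be run from an administrator account on an affected system. The backup path is an assumption chosen for the example.

```batch
@echo off
rem Added example: back up and then remove the HCP protocol handler registration.
rem BACKUP is a path chosen for this example; change it as needed.
setlocal
set "KEY=HKEY_CLASSES_ROOT\HCP"
set "BACKUP=%SystemDrive%\hcp_backup.reg"

rem 1. Nothing to do if the handler is already deregistered.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not present; the hcp:// handler is already deregistered.
    exit /b 0
)

rem 2. Never overwrite an earlier backup: it may be the only good copy of the key.
if exist "%BACKUP%" (
    echo %BACKUP% already exists; move it aside and run this script again.
    exit /b 1
)

rem 3. Export the key so that help links can be restored after patching.
reg export "%KEY%" "%BACKUP%" >nul
if not exist "%BACKUP%" (
    echo Export failed; %KEY% was left untouched.
    exit /b 1
)

rem 4. Delete the key, then confirm that it is really gone.
reg delete "%KEY%" /f >nul
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo Delete failed; %KEY% is still present.
    exit /b 1
)

echo HCP handler deregistered. To restore it later: reg import "%BACKUP%"
```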
Translator's note: After a Microsoft joke, these Google actions do not seem so villainous, do they? Just a friendly joke.