Google engineer Tavis Ormandy, a bug hunter known for finding kernel-level operating system coding errors, has released details about a serious zero-day vulnerability in Windows XP that could leave an open hole for a remote attacker.
The flaw is contained in the Windows Help and Support Center, a Web-based feature providing technical support to end users. In an advisory posted this week on the Full Disclosure mailing list, Ormandy explained the severity of the flaw and also released proof-of-concept code demonstrating how it works. The researcher said the error resides in the support tool's protocol handler, which whitelists Web-based support documents.
"This design, introduced in SP2, is reasonably sound," he wrote. "A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded."
A successful cross-site scripting (XSS) attack can be carried out remotely and enable an attacker to execute code and take complete control of a victim's machine. The exploit works in Windows XP and Windows Server 2003 using many major browsers, including Internet Explorer 8, according to Ormandy.
The proof-of-concept uses Windows Media Player 9 to exploit the error. The media player is available by default in Windows XP. Other versions of the media player can also be used, he wrote.
"A real attack would barely be noticeable to the victim," Ormandy wrote. "Perhaps the only unavoidable signal would be the momentary appearance of the Help Center window before the attacker hides it."
Microsoft issued a statement Thursday admonishing Ormandy for disclosing details about the vulnerability so quickly. On the Microsoft Security Response Center Blog, Mike Reavey, director of the MSRC, said the vulnerability was reported on June 5, giving engineers only three days to determine the severity of the issue and investigate further.
"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk," Reavey said.
Reavey said the vulnerability is limited to Windows XP and Windows Server 2003. So far no active attacks have been reported in the wild.
In addition, Microsoft issued an advisory late Thursday outlining the Windows Help and Support Center vulnerability. In the advisory, the software giant didn't rule out an out-of-cycle patch.
As a workaround, Microsoft urged users to unregister the HCP protocol to protect against an attack. The same workaround has been used successfully for similar vulnerabilities in the past. By default, the HCP protocol is registered, which is what lets the Help and Support Center feature be invoked through it.
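As an added illustration of that workaround (an example script written for this article, not code from Ormandy or from Microsoft's advisory), the PowerShell below reports whether the HCP handler is still registered and, only when asked, backs the key up and removes it. It assumes the handler lives under HKEY_CLASSES_ROOT\HCP, where Windows registers URL protocol handlers; the backup path and the -Unregister switch are this example's own.

```powershell
# Added example: audit and optionally unregister the HCP protocol handler.
# Assumption: like other URL protocol handlers, the scheme is registered under
# HKEY_CLASSES_ROOT\HCP with a "URL Protocol" marker value. Run from an elevated shell.
param(
    [switch]$Unregister,                                  # without this, report only
    [string]$BackupDir = "$env:SystemDrive\hcp-backup"    # example location for the .reg backup
)

$key = 'Registry::HKEY_CLASSES_ROOT\HCP'

if (-not (Test-Path $key)) {
    Write-Output "HCP protocol is not registered; nothing to do."
    exit 0
}

# Confirm the key really is a URL protocol registration and show what it would launch.
$props      = Get-ItemProperty -Path $key
$isProtocol = $props.PSObject.Properties.Name -contains 'URL Protocol'
$handler    = (Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'

Write-Output "HCP key present. 'URL Protocol' marker found: $isProtocol"
if ($handler) { Write-Output "Handler command: $handler" }

if (-not $Unregister) {
    Write-Output "Audit only. Re-run with -Unregister to apply the workaround."
    exit 0
}

# Keep a restorable copy before removing anything; abort if the export fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("HCP-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKCR\HCP' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; no changes made." }

Remove-Item -Path $key -Recurse -Force
Write-Output "HCP protocol unregistered. Backup saved to $backup (import it with reg.exe to undo)."
```

Running the script without -Unregister on a fleet gives a quick inventory of which XP and Server 2003 hosts still expose the handler; the exported .reg file restores the original registration once a patch is applied.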