
Google bug hunter discovers serious Windows XP flaw

Robert Westervelt, News Director

Google engineer Tavis Ormandy, a bug hunter known for finding kernel-level operating system coding errors, has released details of a serious zero-day vulnerability in Windows XP that a remote attacker could use to take control of a victim's machine.



The flaw is in the Windows Help and Support Center, a Web-based feature that provides technical support content to end users. In an advisory posted this week on the Full Disclosure mailing list, Ormandy explained the severity of the flaw and released proof-of-concept code demonstrating how it works. The error, he said, lies in the support tool's handler for the HCP protocol (hcp:// URLs), which is supposed to restrict the tool to a whitelist of trusted Web-based support documents.

"This design, introduced in SP2, is reasonably sound," he wrote. "A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded."

The flaw can be triggered remotely through a cross-site scripting (XSS) attack against the Help Center, and a successful exploit lets an attacker execute arbitrary code and take complete control of the victim's machine. According to Ormandy, the exploit works on Windows XP and Windows Server 2003 with many major browsers, including Internet Explorer 8.


Ormandy's proof-of-concept uses Windows Media Player 9, which is installed by default on Windows XP, to trigger the flaw; other versions of the media player can also be used, he wrote.

"A real attack would barely be noticeable to the victim," Ormandy wrote. "Perhaps the only unavoidable signal would be the momentary appearance of the Help Center window before the attacker hides it."

Microsoft issued a statement Thursday admonishing Ormandy for disclosing details of the vulnerability so quickly. Writing on the Microsoft Security Response Center blog, Mike Reavey, director of the MSRC, said the vulnerability was reported on June 5, giving engineers only three days to determine the severity of the issue and investigate further.

"Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk," Reavey said.

Reavey said the vulnerability affects only Windows XP and Windows Server 2003. No active attacks had been reported in the wild at the time.

In addition, Microsoft issued a security advisory late Thursday describing the Windows Help and Support Center vulnerability. In the advisory, the company did not rule out an out-of-cycle patch.

As a workaround, Microsoft urged users to unregister the HCP protocol handler so that hcp:// URLs can no longer reach the vulnerable code; the same workaround has been used successfully for similar vulnerabilities in the past. By default the protocol is registered, so an hcp:// URL handed to the system opens the Help and Support Center.
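As an added example, not code from the article or from Microsoft, the following PowerShell script applies that workaround on a single machine and verifies it took effect. It assumes the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP, the standard location for a URL protocol handler; the backup path and the function names are the example's own. Run it from an elevated prompt.

```powershell
# Added example: apply and verify the "unregister the HCP protocol" workaround.
# Not code from the article or from Microsoft's advisory.
# Assumption: the hcp:// handler lives at HKEY_CLASSES_ROOT\HCP, the usual
# location for a URL protocol handler. Backup path below is the example's own.

$hcpKey    = 'Registry::HKEY_CLASSES_ROOT\HCP'      # provider path; no HKCR: drive needed
$backupDir = Join-Path $env:SystemRoot 'hcp-workaround'
$backup    = Join-Path $backupDir 'HCP-key-backup.reg'

function Test-HcpRegistered {
    # hcp:// is a live handler only if the key exists AND carries the
    # "URL Protocol" value that tells the shell to dispatch URLs to it.
    if (-not (Test-Path $hcpKey)) { return $false }
    $props = Get-ItemProperty -Path $hcpKey -ErrorAction SilentlyContinue
    return ($null -ne $props) -and
           ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Disable-HcpProtocol {
    if (-not (Test-HcpRegistered)) {
        Write-Host 'hcp:// is not registered; nothing to do.'
        return
    }
    # Back up first so the handler can be restored after a patch ships.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    if (Test-Path $backup) { Remove-Item $backup -Force }   # reg export won't overwrite on XP
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup of HKCR\HCP failed; refusing to delete the key."
    }
    # Deleting the key unregisters the protocol: the shell no longer knows
    # what to launch for hcp:// URLs, so a browser page or media playlist
    # cannot hand one to the Help and Support Center.
    Remove-Item -Path $hcpKey -Recurse -Force
    Write-Host "Removed HKCR\HCP (backup: $backup)"
}

function Restore-HcpProtocol {
    # Undo the workaround once the vulnerability is patched.
    if (-not (Test-Path $backup)) { throw "No backup at $backup" }
    & reg.exe import $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
}

Disable-HcpProtocol
if (Test-HcpRegistered) {
    Write-Warning 'hcp:// handler still present; workaround NOT applied'
} else {
    Write-Host 'Verified: hcp:// protocol handler unregistered'
}
```

The check function is worth keeping on its own for fleet audits: a key that still exists but has lost its "URL Protocol" value is harmless, while a key that someone recreated (software installers do re-register handlers) is not. The trade-off is that any Help links that use hcp:// stop working until Restore-HcpProtocol is run after the patch is installed.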

