Google employee publishes Windows 0-day vulnerability

A security specialist from Google behaved unusually by publishing technical details of the vulnerability of the Windows Help and Support Center, without giving Microsoft time to release a patch.



Vulnerability caused by incorrect handling of URIs with the hcp: // protocol may allow remote execution of arbitrary code.



Ormandy, who, incidentally, had recently acted in this way, forcing Oracle to urgently address the dangerous vulnerability in Sun Java, now posted the exploit code only five days later than it reported on its find to Microsoft.

')

In his letter, Ormandy noticed that protocol handlers often contain vulnerabilities, and recalled that the hcp: // protocol itself was repeatedly attacked. This forced him to publish before the release of the patch:

I believe that there is a high probability that hackers have already studied this component, therefore, the publication of this information is in the best interests of general security. I recommend that those of you who have a lot of contact with customer support express your wish for a prompt Microsoft response to various security reports.

In the Microsoft security center, the actions of Ormandy are not impressed. MSRC director, Mike Rivi (Mike Reavey) claims that Microsoft became aware of the June 5, 2010 issue (Saturday), and then it was published less than four days later. “Publication of the details of this vulnerability, as well as instructions for its use, without giving us adequate time to solve the problem, increases the likelihood of large-scale attacks, thereby increasing the risk for the end user.” He also stressed that the temporary solution proposed by Ormandi is inadequate .

One of the main reasons why we and many other software vendors claim that publication should be approached with responsibility is that only the manufacturer of the product can fully understand the reason and find the source of the problem. Although the finding of a Google researcher was important, it turns out that the analysis was incomplete, and the temporary solution proposed by Google is easy to get around. In some cases, it is worth spending a little more time on a thoughtful solution that cannot be overcome, and which does not spoil the quality of the product

Rivi confirms that the vulnerability affects only Windows XP and Windows Server 2003, this problem does not affect all other versions of Windows. It is expected that Microsoft will soon issue a security recommendation with a temporary solution.



In the meantime, users of affected versions of Windows can deregister the HCP protocol as follows by deleting the HKEY_CLASSES_ROOT / HCP key from the registry



Attention, deregistration of the HCP protocol will render all real links in the help, using hcp: //, inoperable. For example, links to the Control Panel may no longer work.



Translator's note: After Microsoft’s jokes , these Google actions don't seem so villainous, do they? Just a friendly joke.