Print
Microsoft has acknowledged that it is aware of a zero-day vulnerability in the HCP protocol. It learned about the threat on June 5, 2010 from Google security engineer Tavis Ormandy, who barely waited four more days before making the details of the threat public, complete with his proof-of-concept exploit code.
Microsoft took a dim view of Ormandy’s eagerness to make a public disclosure. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” wrote Mike Reavey, director of the Microsoft Security Response Center, in a blog post.
Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”
The vulnerability is known to affect Windows XP and Windows Server 2003 only. Microsoft is currently working on a fix. In the interim, users can protect themselves by unregistering the HCP protocol as described in Microsoft Security Advisory 2219475.
Comments are closed on this article
k11k
June 11, 2010 at 8:50am
Man with all the hate google throwing at MS, it sure is hard not to see the fact that they are working on a OS also and is probaly a prehype for them to make it seems that MS is less secure and everybody should move to thier OS once it out(Same as Apple attack at MS).
Neon Samurai
June 11, 2010 at 4:59am
Because of your responsible public disclosure, I and a much wider range of users can be aware of the issue and mitigate it's risk until Microsoft eventually gets around to providing a patch. With out it, all we would have it Microsoft's quiet information release and a greater majority of users left wide open to this threat.
To all the other security researchers out there; Thank You. It's far better that you find and publicize exploitable bugs in products rather those with criminal intent (there is a word for them.. but it's not the one that starts with H).
(now I gotta go update my Metasploit and see if it's in there yet ;) )
I Jedi
June 10, 2010 at 10:26pm
Yeah, I have to admit that Google's recent attitude towards Microsoft is beginning to piss me off. Not only have they bashed Windows for having security flaws, which was just a basic coverup story for wanting to switch to Linux/Mac, but now they're trying to discredit Microsoft's advances towards protecting users by publicly showing this zero-day exploit. Google's motto is obviously "Don't be evil."; however, I'm really getting a weird vibe from them lately, that I normally never feel...
Keith E. Whisman
June 10, 2010 at 8:47pm
I'm all for free speech and freedom of the press but there should be laws with guidelines for when an entity can divulge security sensitive information to the public. If an entity discovers a flaw that is a potential software or hardware security threat, and that entity wishes to make it public, it should be law that, that entity must be prepared to prove that they made ever effort to notify the effected party(s) and there should be a set period of time from initial notification before the security threat is made public. Violators of this law should be held accountable to the affected party and all the customers that were harmed be the security vulnerabilities being divulged earlier that what the law allows.
By looking at what I just wrote I can tell that such a law would consist of some 10,000 pages like the health care reform law and Obamas initial economic stimulus bill.
I Jedi
June 10, 2010 at 7:22pm
I have to admit that the Google engineer in question should honestly have waited. Four whole days is sometimes not enough to come up with a patch for something as serious as a zero-day vulnerability problem. Google has had a recent string of outlashes, that quite frankly are making me more and more upset with them as the weeks go by.
Vernak
June 10, 2010 at 7:34pm
It wasnt just a "Google engineer," Jedi. It was a Google security engineer. They should know better. Period. If they were reporting this vulnerability as professional courtesy or for the good of the End-Users, they would have sent Microsoft their code as an addendum to their initial description. I agree with you, Jedi, in regards to the recent chain of outlashes and missteps by Google.
Neon Samurai
June 11, 2010 at 5:15am
I didn't see where it said that proof of concept was intentionally withheld from the initial report to Microsoft. If the POC was developed after the report then Microsoft had access too it just like everyone else did with the announcement.
In terms of security, the problem with what product developers call "responsible disclosure" is usually "don't tell no body 'till we get around to it.. if we decide it's embarrassing enough to fit fixing it into our budget". The end users are most at risk in general and are always last to be made aware of those risks. You can bet that Google's researcher was not the only person to discover this. If it's not in active use, it's definitely sitting in some criminal's 0day collection and now less effective only because of the public disclosure. Consider GSM which has been easily broken for half a decade. The phone companies knew. The criminals knew. The mobile phone consumers didn't have a chance of finding out until a security researcher went public with it (after several attempts to get phone companies to fix the issue).
Public disclosure reduces the number of exploitable targets by informing end users so they can mitigate it until a patch is available.
(The clock started June 5th... tic tic tic tic Microsoft)
(edit) I meant to add that what's good for the goose is good for the gander. Google, Apple and the rest should equally be held publicly accountable for patches when vulnerabilities are discovered. It's not about sticking it to eveeil Microsoft but about informed end users.
