- About Future
- Digital Future
- Cookies Policy
- Terms & Conditions
- Investor Relations
- Contact Future
Microsoft has acknowledged that it is aware of a zero-day vulnerability in the HCP protocol. It learned about the threat on June 5, 2010 from Google security engineer Tavis Ormandy, who barely waited four more days before making the details of the threat public, complete with his proof-of-concept exploit code.
Microsoft took a dim view of Ormandy’s eagerness to make a public disclosure. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” wrote Mike Reavey, director of the Microsoft Security Response Center, in a blog post.
Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”
The vulnerability is known to affect Windows XP and Windows Server 2003 only. Microsoft is currently working on a fix. In the interim, users can protect themselves by unregistering the HCP protocol as described in Microsoft Security Advisory 2219475.