Google researcher uncovers Microsoft Support flaw

By Nicole Kobie

Posted on 11 Jun 2010 at 09:17

A Google researcher has raised debate about how to responsibly disclose security flaws, after revealing how to take advantage of a hole in Windows Help and Support Centre.

Google security researcher Tavis Ormandy warned Microsoft of the flaw on Saturday, but just five days later took it public, releasing a proof of concept for the exploit code on the Full Disclosure mailing list.

Microsoft has since acknowledged the flaw, which affects the Windows Help and Support Centre functions in Windows XP and Windows Server 2003. It doesn't appear to affect any other operating system.

While the exploit works regardless of the browser being used, older versions of Internet Explorer running Media Player are most vulnerable.

Despite the flaw being made public, Microsoft said it had not yet seen any attacks.

Responsible disclosure?

Ormandy claimed that he had to publish the details of the flaw, as "without a working exploit, I would have been ignored."

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure'), those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots," Ormandy claimed.

Microsoft disagreed, saying that the software vendor who created the code "is in the best position" to understand and fix a flaw.

"While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented," said security centre director Mike Reavey in a post on the Microsoft blog. "In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems."

Microsoft has offered its own workaround on its security site, and is working on creating a patch to fix the flaw.

User comments

"the actual workaround Google suggested is easily circumvented"
Yes, if I had a pound for every time a user told me what the error in the software was - well, I wouldn't get to the Med but it'd be a pleasant evening in the pub!
Is it me, is it Friday or does this sound like "Look at me, I've found an error!"

By AdrianB on 11 Jun 2010

Well, yeah but they actually have found an error there. The fix they suggest may not be absolutely perfect but he's identified a real issue.

By steviesteveo on 12 Jun 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
