New zero day flaw hits Windows XP and 2003

A British researcher has identified a zero day flaw affecting users of Windows XP, 2003 and possibly other Windows systems as well.

Researcher Tavis Ormandy found the flaw in a component of the Windows Help and Support Centre which is accessed via the protocol handler ‘hcp://'. By correctly exploiting it an attacker could gain complete user access to any PC running the vulnerable operating system.

“At least Microsoft Windows XP, and Windows Server 2003 are affected. The attack is enhanced against IE less than 8 and other major browsers if Windows Media Player is available, but an installation is still vulnerable without it,” he wrote on the Full Disclosure mailing list.

“Machines running version of IE less than 8 are, as usual, in even more trouble. In general, choice of browser, mail client or whatever is not relevant, they are all equally vulnerable.”

Ormandy alerted Microsoft to the problem on June 5 and his submission was logged and acknowledged. But the fact that he published a full analysis of the flaw, a working exploit and a suggested workaround four days later has drawn a sharp rebuke from Microsoft.

“Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” said Mike Reavey, director of Microsoft's Security Research Centre in a blog posting.

He said that as far as the company was aware the flaw was not currently being exploited and those systems running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to the flaw.

Part of the problem is that the workaround Ormandy suggests, unregistering the hcp protocol, will shut down key parts of the operating system.

“This workaround will disable all local, even legitimate help links that use hcp://. For example links in the Control Panel may no longer function,” said Wolfgang Kandek, chief technical at Qualys .

“Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure.”

Microsoft is not alone in criticising the move, as Ormandy, a Briton living in Switzerland, said on his Twitter feed.

“I believe in f-d[full disclosure], but making enemies of people I truly respect may not have been my smartest decision ever :-( Not all bad feedback though,” he posted.

This is not the first time Ormandy has released exploit data before a patch is ready. In April he published on a flaw in Java that Oracle was declining to patch.