Google researcher gives Microsoft 5 days to fix XP zero-day bug

Other security experts question motives of hair-trigger publication

A Google engineer today published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware.

But other security experts objected to the way the engineer disclosed the bug -- just five days after it was reported to Microsoft -- and said the move is more evidence of the ongoing, and increasingly public, war between the two giants.

Microsoft said it is investigating the vulnerability and would have more information on its next steps later today.

According to Tavis Ormandy, a security engineer who works for Google in Switzerland, hackers can leverage a flaw in Windows' Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.

Ormandy posted details of the vulnerability and proof-of-concept attack code to the Full Disclosure security mailing list early Thursday. "Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," Ormandy wrote.

According to Ormandy, his attack scenario works using all major browsers, including Microsoft's newest, IE8. The bug is even easier to exploit when the machine has Windows Media Player, software that's installed by default with all versions of Windows.

Ormandy also said he had come up with a way to suppress a warning prompt that Windows XP displays when the Help and Support Center is called, making the attack stealthier.

His attack is complicated, and requires several tricks, including bypassing a whitelist meant to limit the accessed help documents to legitimate support files; using a cross-site scripting vulnerability; and then executing a malicious script.

But his attack code works. Researchers at French security vendor Vulpen Security confirmed today that Ormandy's proof-of-concept works as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8.

Switching to another browser, such as Mozilla's Firefox or Google's Chrome, is not a solution, Ormandy maintained. "Machines running [a] version of IE less than [IE]8 are, as usual, in even more trouble ... [but] choice of browser, mail client or whatever is not relevant, they are all equally vulnerable," he said.

Ormandy admitted that he reported the vulnerability to Microsoft only five days ago -- on Saturday, June 5 -- but said he decided to go public because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.

"If I had reported the ... issue without a working exploit, I would have been ignored," he said in the Full Disclosure posting.

He also slammed the concept of "responsible disclosure," a term that Microsoft and other vendors apply to bug reports that are submitted privately, giving developers time to craft a patch before the information is publicly released.

"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."

Microsoft took Ormandy to task for giving it less than a week to deal with his report. "We are especially concerned about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an e-mail this morning.

Others were even blunter.

"Google can't have its cake and eat it, too," said Robert Hansen, the CEO of SecTheory. A noted security researcher -- in 2008, he and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about browser "clickjacking" attacks -- Hansen scolded Google, Ormandy's employer, for claiming that the company abides by responsible disclosure when its security researchers do not.

"Their researchers are going off half-cocked," said Hansen, who deplored Ormandy's quick publication of the vulnerability and attack code. "It just doesn't add up."

Hansen went even further, and said a case could be made that Ormandy's fast trigger could be part of the battles between Google and Microsoft. "It sounds to me like Google was upset about the publicity over its decision to drop Windows, the 'use anything but Microsoft' thing. Google got a lot of backlash from the security community over that, because it doesn't matter what OS you use."

Earlier this month Google and Microsoft traded shots over a report that Google was urging its workers to dump Windows over security concerns. Security analysts said the charge was bogus.

"This stinks of retribution," said Hansen. "If Google really goes by responsible disclosure, they should fire Ormandy today." Hansen noted that Ormandy credited other Google security researchers for their help and linked to a Google blog on browser security in his message on Full Disclosure. "You shouldn't do that if you want to disassociate yourself from your employer."

That's impossible, argued Andrew Storms, director of security operations at nCircle Security. "[As a security researcher] you can't really separate your work from your employer. So you have to wonder if [Ormandy[] isn't intentionally feeding the feud between Google and Microsoft."

Like Hansen, Storms questioned Ormandy's decision to reveal his findings just five days after he reported the vulnerability to Microsoft. "You can't say in this case that the vendor was sitting on their hands, not being responsive, which is why researchers usually go public, to force [a vendor's] hand.

"This is no better than not reporting it to Microsoft," concluded Storms.

Hansen, who acknowledged that he has worked for Microsoft as a security consultant on several projects, weighed in again. "The whole thing rubbed me the wrong way," he said.

Ormandy did not respond to a request for comment on Hansen's accusations.

Others knocked Ormandy for offering up a unsanctioned fix. In his note on Full Disclosure, Ormandy recommended moves that users could take until a patch is ready, including a link to what he described as an "unofficial (temporary) hotfix."

But Secunia said the patch didn't work. "It is possible to bypass the fix implemented by the unofficial hotfix and still exploit the vulnerability," claimed the Danish vulnerability tracking firm in a blog post Thursday .

Microsoft agreed with Secunia. "The mitigations [Ormandy] presented may not be effective, so he has really put both our customers and the customers of his employer at risk," said the MSRC's Bryant.

Microsoft's next regularly-scheduled security updates will ship July 13. Storms, for one, doesn't think Microsoft will have a fix finished by then. "They probably already have all the patches for July in QA by now," said Storms. "I don't think it's feasible that they could have something ready in time."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftGooglewindows xp

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?