Thursday, June 10, 2010

Vulnerability in Microsoft Windows Help and Support Function

In the wake of a patch Tuesday that put forth fixes for 34 flaws, Microsoft has issued Security Advisory 2219475 for a publicly-released vulnerability in the help and support center function of Windows XP and Windows Server 2003. Successful exploitation could result in remote code execution.

Google security researchers reported the vulnerability to Microsoft on June 5, and publicly released information about the flaw and how it might be used in attacks on June 9.

Microsoft is obviously cranky at Google for the public disclosure, as evidenced by their snarky entry within their Microsoft Security Response Center blog posting:

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of - and work to exploit - a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

No exploits in the wild have been publicly reported, and it's Microsoft's hope that this remains the case while a fix is developed. The suggested workaround is to unregister the HCP protocol.
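For administrators who want to apply that workaround across affected XP and Server 2003 machines, here is an added PowerShell example (not from the original post or from Microsoft's advisory) that checks whether the HCP protocol handler is registered, exports a backup of the key, and then removes it. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP, which is the key Microsoft's workaround targets; verify that against the advisory for your environment before deploying.

```powershell
# Added example (not part of the original post): detect, back up and
# unregister the HCP (hcp://) protocol handler as a temporary mitigation.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP.
# Run from an elevated (administrator) PowerShell prompt.

$hcpKey  = 'HKCR:\HCP'
$backup  = Join-Path $env:TEMP 'HCP-handler-backup.reg'

# HKCR is not exposed as a PowerShell drive by default; map it so Test-Path works.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-HcpRegistered {
    # True when the hcp: protocol handler key still exists.
    return (Test-Path -Path $hcpKey)
}

if (Test-HcpRegistered) {
    Write-Host "HCP protocol handler is registered; exporting a backup to $backup"

    # reg.exe export refuses to overwrite on older Windows, so clear any stale copy first.
    if (Test-Path -Path $backup) { Remove-Item -Path $backup -Force }
    reg.exe export 'HKCR\HCP' $backup | Out-Null

    if (-not (Test-Path -Path $backup)) {
        Write-Warning 'Backup export failed; leaving the key in place.'
    } else {
        # Removing the key unregisters the protocol, so hcp:// links no longer launch Help and Support.
        Remove-Item -Path $hcpKey -Recurse -Force

        if (Test-HcpRegistered) {
            Write-Warning 'HCP key still present; removal did not succeed.'
        } else {
            Write-Host 'HCP protocol handler unregistered.'
        }
    }
} else {
    Write-Host 'HCP protocol handler is not registered; nothing to do.'
}

# Once the official fix is installed, restore the handler with:
#   reg.exe import $backup
```

The script keeps the exported .reg file so the handler can be re-registered after the patch ships; deleting the key without a backup makes the Help and Support Center unreachable via hcp:// links until it is restored by hand.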

This isn't the first time flaws in Microsoft's help center have been reported. Thankfully, the vulnerability is not present in Vista and Windows 7 on the client side, or Server 2000 and Server 2008.

Don't expect an out-of-band patch for this one, unless widespread attacks begin popping up.
