Google security researchers reported the vulnerability to Microsoft on June 5, and publicly released information about the flaw and how it might be used in attacks on June 9.
Microsoft is obviously cranky at Google for the public disclosure, as evidenced by their snarky entry within their Microsoft Security Response Center blog posting:
As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of - and work to exploit - a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.
No exploits in the wild have been publicly reported, and its Microsoft's hope that this remains the case while a fix is developed. The suggested workaround is to unregister the HCP protocol.
This isn't the first time flaws in Microsoft's help center have been reported. Thankfully, the vulnerability is not present in Vista and Windows 7 on the client side, or Server 2000 and Server 2008.
Don't expect an out-of-band patch for this one, unless widespread attacks begin popping up.
No comments:
Post a Comment
Please tell me what you think.