Microsoft is warning Windows XP and Server 2003 users that exploit code has been posted online showing attackers how to break into these operating systems remotely via a newly-discovered security flaw.
The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.
Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.
“Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.
I have frequently urged XP users to create and use a limited user account for everyday computing, and to use the administrator account only for occasional updates and other tinkering that can’t be done as a regular user. While more malware these days is being configured to run even in limited user accounts (the ZeuS and Clampi Trojans, to name a couple), a limited account will block a large number of attacks, and should prevent user-level infections from becoming system-wide infestations that are more challenging to clean up.
Google’s Ormandy, who has privately alerted Microsoft to a large number of security flaws he found in the company’s products over the years, indicated he was releasing the details of this bug publicly just five days after alerting Microsoft in an effort to force Microsoft to patch the flaw more quickly than it would have otherwise.
“I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security,” Ormandy wrote. “Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.”
Ormandy included a “hotfix” tool designed to help XP and Server 2003 users mitigate the threat from this vulnerability until Microsoft releases a patch for it. For its part, Microsoft claims Ormandy’s hotfix doesn’t protect users.
“Unfortunately it is ineffective at preventing the vulnerable code from being reached and can be easily bypassed,” Microsoft said in a post on its Security Research & Defense blog. “We recommend not counting on the Google hotfix tool for protection from the issue.”
Microsoft said it is working on a patch to plug this security hole, and that in the meantime affected users may wish to disable the vulnerable component. That process, detailed in the “Workarounds” section of this advisory, involves “unregistering” or deleting an entry from the Windows Registry. Note that this can be a dicey affair for novice users, because one wrong move can cause serious stability and bootup problems. That said, as registry hacks go, this one is pretty simple.
In any case, Microsoft says its workaround may cause legitimate links that use the Windows Help and Support Center format (hcp:// as opposed to http://) to break, and that for example links in the Windows Control Panel might cease to function. I tested Microsoft’s workaround on my dummy XP system and didn’t run into any problems, and found no problems navigating any of the Control Panel links. Your mileage may vary.
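As an added example (not the article's or Microsoft's own code), the following PowerShell helper audits whether the hcp:// handler is still registered on a machine, records what it would launch, backs the key up, and removes it only when the -WhatIf switch is dropped. It assumes the handler lives where Windows keeps URL scheme handlers, a key named after the scheme under HKEY_CLASSES_ROOT; confirm the exact key against the advisory's Workarounds section before applying it.

```powershell
# Added audit/mitigation helper (not Microsoft's or the article's own code).
# Assumption: like other URL schemes, the hcp:// handler is registered as a
# key named after the scheme under HKEY_CLASSES_ROOT; confirm against the advisory.
$Scheme  = 'hcp'
$KeyPath = "Registry::HKEY_CLASSES_ROOT\$Scheme"
$Backup  = Join-Path $env:TEMP ("{0}-protocol-backup-{1:yyyyMMdd-HHmmss}.reg" -f $Scheme, (Get-Date))

function Test-HcpHandlerRegistered {
    # A scheme is wired into ShellExecute when its key carries a 'URL Protocol' value.
    if (-not (Test-Path $KeyPath)) { return $false }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Get-HcpHandlerCommand {
    # Record which program a crafted hcp:// link would launch, for the audit trail.
    $cmdKey = Join-Path $KeyPath 'shell\open\command'
    if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' }
}

function Disable-HcpHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Output "hcp:// handler not registered; nothing to do."
        return
    }
    # Export first so the workaround can be reversed later with 'reg import'.
    & reg.exe export "HKCR\$Scheme" $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; aborting removal." }
    if ($PSCmdlet.ShouldProcess("HKCR\$Scheme", 'Remove protocol handler key')) {
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Output "Removed HKCR\$Scheme (backup: $Backup)."
    }
}

if (Test-HcpHandlerRegistered) {
    Write-Output ("hcp:// handler registered; launches: {0}" -f (Get-HcpHandlerCommand))
    Disable-HcpHandler -WhatIf   # drop -WhatIf to apply the workaround
} else {
    Write-Output "hcp:// handler not registered."
}
```

Run it from an elevated prompt; expect Control Panel links that use the hcp:// format to stop working once the key is removed, as the advisory notes, and restore them with `reg import` of the backup file if needed.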