Google security researcher Tavis Ormandy has discovered a vulnerability in the Windows Help Centre, which is the default application provided to access online documentation for Microsoft Windows.
Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. A typical example is provided in the Windows XP Command Line Reference, and the complete details have been documented by him here.
This issue was reported by him to Microsoft on June 5th, 2010. He then went on to make it public less than four days later, on June 9th, 2010.
Public disclosure of the details of this vulnerability and how to exploit it, without giving Microsoft time to resolve the issue, now makes broad attacks more likely and puts Windows XP users at risk!
Users running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack.
“One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems,” said Microsoft.
It is unfortunate, nay irresponsible, that the security researcher decided to go public without giving Microsoft time to patch it up, thereby exposing a number of Windows users to this vulnerability!
Customers can follow guidance in Security Advisory 2219475 to protect against this issue.