New vulnerability in Windows revealed

An independent security researcher has published exploit code for a zero-day vulnerability in...

An independent security researcher has published exploit code for a zero-day vulnerability in Windows XP and Windows 2003.

Tavis Ormandy published the advisory five days after reporting the vulnerability to Microsoft.

"Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," he said.

The decision to use full disclosure for this vulnerability will revive the discussions around full versus responsible disclosure, said Wolfgang Kandek, chief technology officer at security firm Qualys.

Ormandy defended the decision, saying: "I ha've concluded that there is a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security."

In the advisory, Ormandy calls for increased pressure on Microsoft to invest in developing processes for faster responses to external security reports.

The vulnerability is in the Windows Help and Support Center component and is accessed through the protocol handler "hcp://".

It can be triggered through all major browsers, particularly if Windows Media Player is available. Ormandy says the vulnerability is easiest to exploit under Internet Explorer 7 (IE7).

Ormandy provides sample exploit code for both IE8 and IE7 in the advisory.

As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine, said Wolfgang Kandek.

But the workaround will disable all local - even legitimate - help links that use the HCP protocol.

"For example, links in the Control Panel may no longer function," said Kandek.

Guide to workaround

1. From the Start Menu, select Run

2. Type regedit then click OK (The registry editor program launches)

3. Expand HKEY_CLASSES_ROOT and highlight the HCP key

4. Right mouse click on the HCP key, and select Delete

Read more on IT risk management