Microsoft Warns of XP Help Function Security Flaw

Dennis Faas's picture

Microsoft has identified a potential security risk in the Help function of Windows XP. But there is some controversy over the way the issue has come to light.

This bug involves XP's Help and Support Center, and specifically a style of link which routes a browser to a help page built into Windows rather than a web page. Such links begin hcp:// rather than the more familiar http:// and are a way of making it easier to give online help and advice by allowing writers to include smooth links to Windows' own help pages.

Whitelist Help Pages Spoofed

Tavis Ormandy, an information security engineer for Google, says he's found a security hole. In theory, any click on an hcp:// link triggers a check of the target page against a "whitelist" of genuine help pages to make sure links can't be used to route users to malicious content.

Ormandy says that by following a particular process, which is admittedly somewhat complex, a would-be hacker could get round this whitelist check and trick users into running the malicious content. It appears that the issue could be exploited in any web browser, but the risk is higher when using Internet Explorer.

Microsoft Gets Five Day Headstart

Google's Ormandy has now published details of the problem, and how it could be exploited, on a security website known as Full Disclosure. That's not gone down well with everyone, as the posting came just five days after Ormandy informed Microsoft about the issue.

Microsoft requests that people in the security industry operate a policy dubbed "responsible disclosure" by which they do not publicize details of security flaws until Microsoft has a full fix in place. Of course, there's no way for Microsoft to enforce that request, and some researchers argue that it's in the public interest to get details out as soon as possible.

Ormandy argues that he needed to discuss the bug with other security researchers so that he could find a way to prove that it really could be exploited; without such proof, he believes his report would not have been compelling enough for Microsoft to take any notice (partly because the company deals with so many potential bugs).

However, according to Ormandy, such discussion would have been impossible if he had stuck to Microsoft's disclosure policies. (Source: seclists.org)

Microsoft is investigating fixes to the bug. In the meantime it has published details of how users can disable the hcp:// link feature if they are concerned about potential abuses. (Source: microsoft.com)
