Researchers bypass Microsoft to report Windows flaws

Researchers last week described some issues that possibly affect the security of Windows systems and their components.

The Wintercore blog on Tuesday pointed to a memory leak problem associated with the MSHTML.DLL library file used with Internet Explorer 8 on 32-bit and 64-bit versions of Windows XP, Windows Vista and Windows 7. The blog describes the flaw as a zero-day vulnerability that is "not so critical [to fix] but interesting."

No fix is described in the Wintercore blog, and Microsoft hasn't commented on the possible flaw. Apparently, the Wintercore researcher is working outside of Microsoft's "responsible disclosure" (or private reporting) guidelines, which seems to have caused frustration among some researchers.

For instance, a group calling itself the "Microsoft-Spurned Researcher Collective" published a Full Disclosure report on Wednesday about a possible vulnerability in Windows Vista and Windows Server 2008. The report says that the "NtUserCheckAccessForIntegrityLevel" process is affected and it prompted Microsoft to fix a registry key setting. Security firm Secunia also noted the warning, deeming it "less critical" to fix.

The Microsoft-Spurned Researcher Collective uses a name that mocks that of the Microsoft Security Response Center, which also shares the "MSRC" acronym. The collective issued a statement criticizing Microsoft's response to Tavis Ormandy, a security researcher who works for Google. Ormandy publicized a Windows help function flaw just five days after revealing it to Microsoft. The disclosure put "customers at risk," according to Microsoft. However, the collective suggested that it would freely disclose other such flaws in a public manner.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the Full Disclosure report states. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Microsoft issued a security advisory last month about the Windows help flaw, which affects Windows XP-based systems. Later, after the disclosure by Ormandy, Microsoft said that the flaw was being actively exploited. On June 30, Microsoft stated in a blog post that exploit attempts had become more sophisticated and that more than 10,000 attacks had been attempted between June 15 and June 29.

Security firm Symantec noted last week that a sophisticated attack has been discovered that taps into the Windows help flaw. The attack targeted two unnamed defense contractors using bogus e-mails to get users to visit a malicious Web page and download malware.

Those using Microsoft's security solutions have had protection from the Windows XP help flaw since June 10, according to Microsoft's blog. "We'll continue to monitor this situation and provide updates as appropriate," the Microsoft security team stated. Possibly, Microsoft could issue a fix during this month's security update, scheduled for Tuesday, July 13.

Meanwhile, Secunia this week pointed to a buffer overflow problem in the Windows MFC42.DLL library that may be a "moderately critical" security issue. It affects Windows 2000 Professional Service Pack 4 and Windows XP SP2/SP3. A known attack vector for this vulnerability, which can enable remote code execution attacks, is the PowerZip version 7.2 Build 4010 program, according to Secunia.

Microsoft may issue a patch for MFC42.DLL, but it might be the last one issued for these operating systems since support will be expiring. Windows 2000 and Windows XP SP2 will no longer get security updates after July 13, 2010. A Microsoft Twitter post stated that Microsoft is currently investigating the MFC42.DLL matter.

Lastly, Secunia cited security researcher Soroush Dalili's report of a flaw in Microsoft Internet Information Services 5.1 running on Windows XP SP3. Secunia describes the vulnerability as "moderately critical" to fix, and states that users can avoid it by not relying on "the basic authentication method [of IIS 5.1] to restrict access to resources."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.

Reader Comments

Thu, Jul 8, 2010 Blogger

If GM produced a car with a systemic error, it would be reported to consumer groups and agencies other then GM who would have the power to require GM to fix the problem. Perhaps we need a consumer agency that looks over Microsoft's collective shoulder to keep the public safe. Reporting problems to the company at least gives them an opportunity to voluntarily fix the problem. Grousing in a blog serves little purpose. It should not be the consumer's only recourse.

Thu, Jul 8, 2010

Despite what one feels about MS, vulnerabilities should be reported to them, confidentially. Many businesses use Windows products so those who disclose hurt these folks as well. Let us still be ethical.

Thu, Jul 8, 2010 Gary Garbers Toledo Ohio

For these itiots to disclose information about vulnerabilities and even proof of concept code is a big problem for IT. Google is not being very responsible keeping this kind of person in their employ. This group is just another anti-Microsoft group out to hurt us, the IT community. These people should be prosecuted as tech terrorists!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above