InformationWeek SMB: Microsoft Scrambles To Fix New Security Vulnerability
The vulnerability, which exploits linking to the Microsoft Help Center and could affect other software, including e-mail, can be fixed by disabling the HCP Protocol. Doing so breaks all links to the Help Center, however. Microsoft may issue a patch separate from its regular monthly security updates.
“Microsoft was left racing to patch a Windows Help and Support Center vulnerability after Tavis Ormandy, an information security researcher who’s charged with keeping Google’s products secure, Thursday publicly disclosed both the bug as well as proof-of-concept attack code.
Ormandy reportedly informed Microsoft of the vulnerability on Saturday, June 5, and Microsoft acknowledged receipt the same day. Five days later, however, Ormandy went public with a posting to the Full Disclosure mailing list. Later that day, Microsoft issued its own vulnerability announcement.”