Attacks on unpatched Windows XP vulnerability increase rapidly

Attacks on an unpatched flaw in Windows XP have increased recently, says Microsoft.

Microsoft issued a Security Advisory on June 10, warning of an unpatched vulnerability in the Windows Help and Support Center function in Windows XP. The flaw affects Windows XP SP2 and SP3 and could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Google's senior security researcher, Tavis Ormandy, notified Microsoft about the flaw at the beginning of June. Days later Ormandy published proof-of-concept code, saying "without a working exploit, I would have been ignored."

Proof-of-concept exploit code for the vulnerability is now being used broadly by hackers. Holly Stewart of the Microsoft Malware Protection Center said over 10,000 distinct computers have reported seeing the attack at least once. Hackers initially began targeting systems on June 15, but in limited numbers. "In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution", said Stewart.

Microsoft says the only current workaround is to unregister the HCP protocol handler, which disables hcp:// style links. The software giant is currently working on a fix and may provide an out-of-cycle security update, depending on customer needs. Security firm Secunia currently rates the issue as highly critical.
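As an added example (not Microsoft's Fix It and not code from the article), the following PowerShell script checks, applies, or rolls back that workaround on an affected machine. It assumes the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP, the standard location for URL protocol handlers, and that it is run as an administrator.

```powershell
# Added example, not Microsoft's Fix It: check, apply, or roll back the
# "unregister the HCP protocol" workaround from the advisory. Assumption: the
# hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP, the standard
# location for URL protocol handlers. Run as an administrator.
param(
    [ValidateSet('Status', 'Apply', 'Rollback')]
    [string]$Action = 'Status',
    [string]$BackupFile = "$env:SystemDrive\hcp-protocol-backup.reg"
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpStatus {
    # A registered URL protocol carries a "URL Protocol" value under its key;
    # without the key, the browser treats hcp:// links as an unknown scheme.
    if (-not (Test-Path $hcpKey)) { return 'unregistered' }
    $valueNames = (Get-Item $hcpKey).GetValueNames()
    if ($valueNames -contains 'URL Protocol') { return 'registered' }
    return 'key present, not a URL protocol'
}

function Disable-HcpProtocol {
    if ((Get-HcpStatus) -eq 'unregistered') { return 'hcp:// already unregistered' }
    # Refuse to overwrite an earlier backup; it is the only path back to working
    # Help and Support Center links once a patch ships.
    if (Test-Path $BackupFile) { throw "Backup $BackupFile already exists; move it first." }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw 'Backup failed; leaving HKCR\HCP untouched.'
    }
    Remove-Item -Path $hcpKey -Recurse -Force
    return "Removed HKCR\HCP (backup: $BackupFile); status now: $(Get-HcpStatus)"
}

function Restore-HcpProtocol {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
    return "Restored HKCR\HCP; status now: $(Get-HcpStatus)"
}

switch ($Action) {
    'Status'   { "hcp:// handler: $(Get-HcpStatus)" }
    'Apply'    { Disable-HcpProtocol }
    'Rollback' { Restore-HcpProtocol }
}
```

Run it with -Action Apply on each XP SP2/SP3 machine that needs the workaround, and with -Action Rollback once Microsoft's update is installed.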

Image Credit: Microsoft.com

62 Comments

Why are people debating who's right and who's wrong?

It's 2010 and it seems like people just can't live with the fact that ALL software comes with bugs. Microsoft might be wrong for not patching it up, but the Google engineer definitely has very bad professional ethics. Being a Google engineer, he should very much know that there is such a thing as an SDLC and no organization will promise a definite date to patch bugs. Releasing bug exploit information out into the wild just because Microsoft doesn't follow his demands clearly shows how naive he is, and he should be condemned by the industry.

Service and error reporting were disabled after install on this XP/'nix box. Just checked to make sure. What operating system has a longer support life than XP? Beta- and RC-tested 7, and with 8 in the pipeline, and my XP extended support going until 2014, you do the math.... Maybe if I was gaming...

"Ormandy published proof of concept code, saying "without a working exploit, I would have been ignored.""

Says it all right there - doesn't it?...
Ormandy wanted attention -- and since MS didn't come running to give him a gold star or three, Ormandy decided to get even, hoping for & achieving a moment of fame [or infamy] in the process. I find myself hoping more than ever that there is indeed such a thing as Karma. ;-)

Jongwe said,
Linux has more exploits than any windows version.

Even if this were true, who wants to attack Linux when it has like negative market share? [/sarcasm]

Jongwe said,
Linux has more exploits than any windows version.

Exploits and "usable" exploits are two different things. Linux isn't NEARLY as vulnerable as Windows. Vista and especially Win7 went a long way to fix the gap, but Linux is far better when it comes to security.

Wow. Read through the comments on that thread. The google engineer and the others on that security research list are a bunch of A-1 *******s. I know of no other way to describe the way they communicated on that thread. It's pathetic.

nowimnothing said,
Wow. Read through the comments on that thread. The google engineer and the others on that security research list are a bunch of A-1 *******s. I know of no other way to describe the way they communicated on that thread. It's pathetic.

Jesus, you're right. It's like watching kids in a playground.

Especially considering the sexist, bigoted remarks directed towards Susan Bradley.

I love the mixture of replies on here, you can spot the bedroom CTOs from the corporate IT specialists a mile off.
Most large enterprise class companies will still be using WinXP; it may be 8 years old, but Vista was rubbish and many are waiting for Win7 SP1. The marketing people are pushing for everyone to upgrade ASAP, but the realities of problems in a corporate IT dept are a different matter. Bespoke app compatibility, etc. Some of the fanboys need to calm down.

Youngy said,
I love the mixture of replies on here, you can spot the bedroom CTOs from the corporate IT specialists a mile off.
Most large enterprise class companies will still be using WinXP; it may be 8 years old, but Vista was rubbish and many are waiting for Win7 SP1. The marketing people are pushing for everyone to upgrade ASAP, but the realities of problems in a corporate IT dept are a different matter. Bespoke app compatibility, etc. Some of the fanboys need to calm down.

7 is already stable enough now, no need to wait for SP1.
And you can always use Virtual XP for old apps that no longer get updated.

Field Commander A9 said,

7 is already stable enough now, no need to wait for SP1.
And you can always use Virtual XP for old apps that no longer get updated.

This. But IT pros are still hesitant to upgrade (a million guesses why). Hell, I could slap Win 7 on my work PC right now and have absolutely no problem accessing our Samba servers, print servers, email servers, blah blah blah or using any of our proprietary software.

Field Commander A9 said,

7 is already stable enough now, no need to wait for SP1.
And you can always use Virtual XP for old apps that no longer get updated.

Actually, in a word, No.
Not all apps work in 7, nor does all hardware, & if/once you've tried XP VMs, then you're well aware of their limitations, like no support for the real hardware you bought/need/use.

I've liked/used 7 since early betas, & [shame on me] I even like Vista. I believe Mac & *nix OSes have their good points too. But there are many times & tasks where it's more convenient to boot into XP, and good or bad, several situations where that's my only option. Until I can do everything I want/need in 7 [or 8, or 9 etc], arguing that XP's obsolete is irrelevant. ;?P

Field Commander A9 said,

7 is already stable enough now, no need to wait for SP1.
And you can always use Virtual XP for old apps that no longer get updated.

SP1 is more about RemoteFX, enabling 3D graphics on remote desktop and so on.

Youngy said,
I love the mixture of replies on here, you can spot the bedroom CTOs from the corporate IT specialists a mile off.
Most large enterprise class companies will still be using WinXP; it may be 8 years old, but Vista was rubbish and many are waiting for Win7 SP1. The marketing people are pushing for everyone to upgrade ASAP, but the realities of problems in a corporate IT dept are a different matter. Bespoke app compatibility, etc. Some of the fanboys need to calm down.

Saying Vista is rubbish lets the rest know what kind of person you are.

Vista was pretty good actually; it was a good upgrade to WinXP, and you're one of the idiot bandwagoneers.

How does it feel to be a puppet?

Kelvin Reed said,
I would like to see everyone go to Linux and screw Microsoft over

If the Linux kernel had a monopoly, it might be bad for competition. Then again, Microsoft and Apple could create OSes using Linux. I wonder if things would be better if that happened....

Kelvin Reed said,
I would like to see everyone go to Linux and screw Microsoft over

I would like to see everyone go to the beautiful Windows 7 Ultimate and screw fugly OSes like XP and Ubuntu over.

pezzonovante said,

I would like to see everyone go to the beautiful Windows 7 Ultimate and screw fugly OSes like XP and Ubuntu over.

Because an operating system is all about appearances.

DDStriker said,

Because an operating system is all about appearances.

To some that's all that matters. Why do you think Windows gained such huge popularity over other OSes? Because it had the best GUI. Every time someone came out with something with a slightly better UI, whether it be in appearance or functionality, MS seemed to beat them. The only real competitor was Apple but we all know how that turned out...

Kelvin Reed said,
I would like to see everyone go to Linux and screw Microsoft over

Fantastic, but this article has nothing to do with Linux.

Conjor said,

To some that's all that matters. Why do you think Windows gained such huge popularity over other OSes? Because it had the best GUI. Every time someone came out with something with a slightly better UI, whether it be in appearance or functionality, MS seemed to beat them. The only real competitor was Apple but we all know how that turned out...

Apple had a GUI before DOS, yet it didn't win. The Mac had a better-looking interface than Windows 1.x-3.x.

Your statement doesn't hold water. Let me see you justify how McDonald's burgers are the best in the world because of the volume they sell.

Now *that*, I would be interested to see!

Kelvin Reed said,
I would like to see everyone go to Linux and screw Microsoft over

Why? Why the hate? Did some MS salesperson take your girl? Why don't you just use Linux and let other people choose what they want?

Kelvin Reed said,
I would like to see everyone go to Linux and screw Microsoft over

I would love to see average people compile tarballs. And code their own drivers. Would be fantastic.

LiquidSolstice said,

I would love to see average people compile tarballs. And code their own drivers. Would be fantastic.

If you use Gentoo Linux, you will never need to do that. The package manager handles that behind the scenes for you.

Field Commander A9 said,

Negatory.
XP was first out in 2001.

Yup, retail was 2001 but beta development started in 1999 (last century).

from my post up there:
"You clearly don't get that many schools and huge businesses still run XP. Why should they upgrade all that? Do you seriously know how much that would cost?"

Baked said,

Yup, retail was 2001 but beta development started in 1999 (last century).

XP comes from the same development tree as every other Windows; even Windows 7 comes out of the development tree that WinXP was spawned from.

It basically started in the 80s already, if you're going to look at it like that.

If I opened the proof of concept page in IE8 in Windows 7, MSSE still flagged this. Although it was able to remove it quickly! Does this mean the vulnerability isn't only on Windows XP? It could affect all PCs using IE if the page is visited?

djdanster said,
If I opened the proof of concept page in IE8 in Windows 7, MSSE still flagged this. Although it was able to remove it quickly! Does this mean the vulnerability isn't only on Windows XP? It could affect all PCs using IE if the page is visited?

No, the vuln is only on XP. MSE will detect the page regardless, but it'll only affect XP users because it's only XP with the specific vuln in its support system.

/- Razorfold said,
Wasn't it a Google engineer that released the exploit code, in the guise of "responsible disclosure?"

Good job you idiot.

Blaming Google for exploits? Interesting.

It seems that the "bad guys" have plenty of tools already, and the people RESPONSIBLE are the user/admins that don't keep updated.

But that is just my silly take.

markjensen said,
Blaming Google for exploits? Interesting.

Nope. A Google engineer released the exploit code 4 days after reporting the issue to MS because he felt they wouldn't take him seriously. Before the exploit code was published, nobody cared / knew about it and no attacks were taking place.

It seems that the "bad guys" have plenty of tools already, and the people RESPONSIBLE are the user/admins that don't keep updated.

There's no patch available for this, only a temporary workaround. If the engineer had used some common sense and not made the code public, the number of attacks would have been far far far less. But instead, now anyone with an IQ of 50 can figure out how to use the exploit..

Microsoft was aware of the problem before Google's report of code. The fact that he released the code 5 days later is not entirely relevant. The code was (obviously) out there already, as it was in-use.

Would Microsoft have acted quickly without the Google release? Who knows, but as old as XP is, I can see how many would doubt it.

No need to act like the exploit didn't EXIST before the Google disclosure.

markjensen said,
Microsoft was aware of the problem before Google's report of code. The fact that he released the code 5 days later is not entirely relevant. The code was (obviously) out there already, as it was in-use.

Would Microsoft have acted quickly without the Google release? Who knows, but as old as XP is, I can see how many would doubt it.

No need to act like the exploit didn't EXIST before the Google disclosure.

And where did you get that idea from? It was the same Google engineer that found the exploit, reported it to Microsoft and then released the exploit code.

There was ABSOLUTELY no need to release the code publicly; if he wanted to prove that an exploit was possible he could have simply made the code available to MS only. He chose to exercise bad judgment and release the code and he should be the one to take the blame for what happens after, not MS.

And no, the code wasn't in use before it was made public, nor was the exploit even rated moderately critical. Now that has all changed.

Mark is right, MSFT was aware of the issue before Google reported it. However, I'm not sure the code was publicly available prior to the engineer making it available. Attacks were very limited in the first week of disclosure so I'd doubt it was available before.

The Google engineer, IIRC, attempted to negotiate a 60-day window for MS to patch the flaw; they said no.
So, the Google engineer had a choice of letting the bug go on unpatched for a few more years while MS sat on it, or do something about it. Irresponsible? Perhaps. Unforgivably so? No way.

markjensen said,
Blaming Google for exploits? Interesting.

It seems that the "bad guys" have plenty of tools already, and the people RESPONSIBLE are the user/admins that don't keep updated.

But that is just my silly take.

You don't understand. Microsoft's mistake was leaving this exploit open on SP3, and Google's mistake was to release the exploit and make it public before MS could take care of it. That's bad business and tells you a lot about how Google takes security on others.

Tom W said,
Mark is right, MSFT was aware of the issue before Google reported it. However, I'm not sure the code was publicly available prior to the engineer making it available. Attacks were very limited in the first week of disclosure so I'd doubt it was available before.

It was *available*, because it was used. It could not be used if it wasn't known. It may not have been publicly available, but it surely existed, and was used.

Pulgafree said,
You don't understand. Microsoft's mistake was leaving this exploit open on SP3, and Google's mistake was to release the exploit and make it public before MS could take care of it. That's bad business and tells you a lot about how Google takes security on others.

Who's the responsible one for Microsoft security in your picture? I'll give you one guess, and here's a hint: it's not Google.

/- Razorfold said,
Wasn't it a Google engineer that released the exploit code, in the guise of "responsible disclosure?"

Good job you idiot.

Eff Google, I would NOT trust them with anything.

/- Razorfold said,
Wasn't it a Google engineer that released the exploit code, in the guise of "responsible disclosure?"

Good job you idiot.

Reporting the issue, and then disclosing it, is pretty common practice. In the server admin world pretty much everyone monitors sites like SecurityFocus for this sort of thing. Most companies can and will act immediately on said reports, but releases usually aren't instant. Administrators will commonly patch things themselves until an official release is out.

As for responsible disclosure, he's absolutely right in doing so. It's not like this guy emailed a group of hackers. I'm sure makers of any number of security suites for windows likely use these sorts of disclosures to protect their clients until official patches come out.

He did as he should have, reported it officially, waited, and upon sign of nothing being done -- made it public.

GarretN said,

Reporting the issue, and then disclosing it, is pretty common practice. In the server admin world pretty much everyone monitors sites like SecurityFocus for this sort of thing. Most companies can and will act immediately on said reports, but releases usually aren't instant. Administrators will commonly patch things themselves until an official release is out.

As for responsible disclosure, he's absolutely right in doing so. It's not like this guy emailed a group of hackers. I'm sure makers of any number of security suites for windows likely use these sorts of disclosures to protect their clients until official patches come out.

He did as he should have, reported it officially, waited, and upon sign of nothing being done -- made it public.

This makes Google such a trustworthy company, releasing security holes.
Doesn't matter what the reason is.
Google shows a huge lack of respect here.

Shadowzz said,

This makes Google such a trustworthy company, releasing security holes.
Doesn't matter what the reason is.
Google shows a huge lack of respect here.

Google didn't release the HOLE!

The hole was in Microsoft's software. And there were bad guys ALREADY using it.

Although waiting 5 days from official private disclosure to Microsoft to public release was a bit too soon, in my opinion, the fact is that the exploit was already in use. It wasn't exactly a secret.