Attacks on unpatched Windows XP vulnerability increase rapidly

Attacks on an unpatched flaw in Windows XP have increased recently, says Microsoft.

Microsoft issued a Security Advisory on June 10, warning of an unpatched vulnerability in the Windows Help and Support Center function in Windows XP. The flaw affects Windows XP SP2 and SP3 and could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Google's senior security researcher, Tavis Ormandy, notified Microsoft about the flaw at the beginning of June. Days later Ormandy published proof of concept code, saying "without a working exploit, I would have been ignored."

Proof-of-concept exploit code for the vulnerability is now being used broadly by hackers. Holly Stewart of the Microsoft Malware Protection Center said over 10,000 distinct computers have reported seeing the attack at least one time. Hackers initially began targeting systems on June 15, but in limited numbers. "In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution", said Stewart.

Microsoft says the only current workaround for the issue is to unregister the HCP protocol, which disables hcp:// style links. The software giant is currently working on a fix and may provide an out-of-cycle security update, depending on customer needs. Security firm Secunia currently rates the issue as highly critical.
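The workaround above can be audited and applied from an elevated PowerShell prompt. This script is an added example, not code from the article or from Microsoft; it assumes that hcp:// is registered like any other Windows URL protocol handler, under HKEY_CLASSES_ROOT\HCP, and it exports the key before deleting it so the change can be reverted once a patch ships.

```powershell
# Added example (not from the article or from Microsoft): audit, and optionally
# apply, the advisory's workaround of unregistering the HCP protocol handler.
# Assumption: like other URL protocol handlers, hcp:// lives under
# HKEY_CLASSES_ROOT\<scheme>, i.e. HKEY_CLASSES_ROOT\HCP.
param(
    [switch]$Disable   # without this switch the script only reports status
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:TEMP 'HCP-protocol-backup.reg'

function Test-HcpRegistered {
    # A URL protocol handler is live when its key exists and carries the
    # "URL Protocol" value; shell\open\command names the program that
    # hcp:// links are dispatched to.
    if (-not (Test-Path $hcpKey)) { return $false }
    $props = Get-ItemProperty -Path $hcpKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.PSObject.Properties.Name -contains 'URL Protocol')
}

if (-not (Test-HcpRegistered)) {
    Write-Output 'hcp:// protocol handler is NOT registered; workaround already in place.'
    return
}

$cmd = (Get-ItemProperty -Path "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
Write-Output "hcp:// protocol handler is registered. Handler command: $cmd"

if (-not $Disable) {
    Write-Output 'Re-run with -Disable from an elevated prompt to unregister it.'
    return
}

# Export the key first so the workaround can be reverted with "reg.exe import"
# after the patch is installed; refuse to delete anything if the backup fails.
& reg.exe export 'HKCR\HCP' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; not removing the key." }

Remove-Item -Path $hcpKey -Recurse -Force
if (Test-HcpRegistered) { throw 'Removal failed; check that the shell is elevated.' }
Write-Output "Unregistered hcp://. Backup saved to $backup."
```

Run it once without switches on a sample of machines to see which still dispatch hcp:// links, then with -Disable where the workaround is wanted.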

Image Credit: Microsoft.com


Youngy said,
I love the mixture of replies on here, you can spot the bedroom CTOs from the corporate IT specialists a mile off.
Most large enterprise class companies will still be using WinXP, it may be 8 years old but given Vista was rubbish and many are waiting for Win7 SP1. The marketing people are pushing for everyone to upgrade asap but the realities of problems in a corporate IT dept are a different matter. Bespoke apps compatibility etc. Some of the fanboys need to calm down

7 is already stable enough now, no need waiting for SP1.
and you can always use virtual XP for old apps that no longer get updated.

Field Commander A9 said,

7 is already stable enough now, no need waiting for SP1.
and you can always use virtual XP for old apps that no longer get updated.

This. But IT pros are still hesitant to upgrade (a million guesses why). Hell, I could slap Win 7 on my work PC right now and have absolutely no problem accessing our Samba servers, print servers, email servers, blah blah blah or using any of our proprietary software.

Field Commander A9 said,

7 is already stable enough now, no need waiting for SP1.
and you can always use virtual XP for old apps that no longer get updated.

Actually, in a word, No.
Not all apps work in 7, nor does all hardware, & if/once you've tried XP VMs, then you're well aware of their limitations, like no support for the real hardware you bought/need/use.

I've liked/used 7 since early betas, & [shame on me] I even like Vista. I believe Mac & *nix OSes have their good points too. But there are many times & tasks where it's more convenient to boot into XP, and good or bad, several situations where that's my only option. Until I can do everything I want/need in 7 [or 8, or 9 etc], arguing that XP's obsolete is irrelevant. ;?P

Field Commander A9 said,

7 is already stable enough now, no need waiting for SP1.
and you can always use virtual XP for old apps that no longer get updated.

SP1 is more about RemoteFX, enabling 3D graphics on remote desktop and so on.

Youngy said,
I love the mixture of replies on here, you can spot the bedroom CTOs from the corporate IT specialists a mile off.
Most large enterprise class companies will still be using WinXP, it may be 8 years old but given Vista was rubbish and many are waiting for Win7 SP1. The marketing people are pushing for everyone to upgrade asap but the realities of problems in a corporate IT dept are a different matter. Bespoke apps compatibility etc. Some of the fanboys need to calm down

Saying Vista is rubbish lets the rest know what kind of person you are.

Vista was pretty good actually, it was a good upgrade to WinXP, and you're one of the idiot bandwagoneers.

How does it feel to be a puppet?

Quick Reply said,
Why the XP hate? It is a brilliant Operating System and it took Microsoft almost 8 years to finish a solution that is even feasible to replace Windows XP. During this time, no competitor product (Linux, Mac OS, etc.) even came close to stealing market share from Windows XP. People would rather pirate Windows XP than use something else that was free. Organisations who "switched" to Linux would find that the users would take it upon themselves to set up a second machine running XP which they would use instead. This is a testament to why XP still has a place in our IT Systems.

People use XP because they're accustomed to it, and it provides a consistent environment for both working in the office and playing at home, which Linux didn't do well:
RHEL is in every way a very good enterprise OS but sucks to use at home; Ubuntu is again a very good home OS but lacks the needed manageability to become a corporate OS. And the feel of the two is so different that you have to adjust to each of them individually.
But with XP (and 7, which is even better) you get a consistent experience for whatever you do -- be it work or play. That, imo, is the extra mile that Linux still didn't make.

Field Commander A9 said,

People use XP because they're accustomed to it, and it provides a consistent environment for both working in the office and playing at home, which Linux didn't do well:
RHEL is in every way a very good enterprise OS but sucks to use at home; Ubuntu is again a very good home OS but lacks the needed manageability to become a corporate OS. And the feel of the two is so different that you have to adjust to each of them individually.
But with XP (and 7, which is even better) you get a consistent experience for whatever you do -- be it work or play. That, imo, is the extra mile that Linux still didn't make.

Dear....god.

You were given a keyboard with a Shift key and a period key for a reason. Learn it.

Wow. Read through the comments on that thread. The google engineer and the others on that security research list are a bunch of A-1 *******s. I know of no other way to describe the way they communicated on that thread. It's pathetic.

nowimnothing said,
Wow. Read through the comments on that thread. The google engineer and the others on that security research list are a bunch of A-1 *******s. I know of no other way to describe the way they communicated on that thread. It's pathetic.
Jesus, you're right. It's like watching kids in a playground.

Especially considering the sexist, bigoted remarks directed towards Susan Bradley.

Jongwe said,
Linux has more exploits than any windows version.

Even if this were true, who wants to attack Linux when it has like negative market share? [/sarcasm]

Jongwe said,
Linux has more exploits than any windows version.

Exploits and "usable" exploits are two different things. Linux isn't NEARLY as vulnerable as Windows. Vista and especially Win7 went a long way to close the gap, but Linux is far better when it comes to security.

"Ormandy published proof of concept code, saying "without a working exploit, I would have been ignored.""

Says it all right there - doesn't it?...
Ormandy wanted attention -- and since MS didn't come running to give him a gold star or three, Ormandy decided to get even, hoping for & achieving a moment of fame [or infamy] in the process. I find myself hoping more than ever that there is indeed such a thing as Karma. ;-)

tuxplorer said,
People are really really mean and ruthless to XP users these days. Keep in mind that when Vista was released, XP was 7 years old already if it's 10 years old now. And then Vista bombed. XP is just the "previous OS" before Windows 7 (Vista hardly got any momentum). Too bad Microsoft and Windows 7 fanboys don't treat it that way. IE9 and Windows Live should have been supported on XP for as long as its marketshare is higher than 15-20%.

The problem is, XP is not just the "previous" OS but a highly outdated one. And Vista is better.

tuxplorer said,
when Vista was released, XP was 7 years old
Just over 5 years, actually. Additionally, support isn't solely decided by marketshare. Eventually things have to be dropped in order to move forward.

tuxplorer said,
People are really really mean and ruthless to XP users these days. Keep in mind that when Vista was released, XP was 7 years old already if it's 10 years old now. And then Vista bombed. XP is just the "previous OS" before Windows 7 (Vista hardly got any momentum). Too bad Microsoft and Windows 7 fanboys don't treat it that way. IE9 and Windows Live should have been supported on XP for as long as its marketshare is higher than 15-20%.

Vista did not bomb, stop drinking the Kool-Aid.

We will beat XP to the ground until it's dead and gone.

Kirkburn said,
Just over 5 years, actually. Additionally, support isn't solely decided by marketshare. Eventually things have to be dropped in order to move forward.

That actually changes according to the fanboy's convenience. When bashing XP, it's 10 years old, but when Vista was released, somehow it was only 5 years old.

tuxplorer said,
People are really really mean and ruthless to XP users these days. Keep in mind that when Vista was released, XP was 7 years old already if it's 10 years old now. And then Vista bombed. XP is just the "previous OS" before Windows 7 (Vista hardly got any momentum). Too bad Microsoft and Windows 7 fanboys don't treat it that way. IE9 and Windows Live should have been supported on XP for as long as its marketshare is higher than 15-20%.

DirectX 10 and DirectX 11 should have been ported to Windows XP, but they were not ported either.

tuxplorer said,
That changes actually by the fanboy's convenience. When bashing XP, it's 10 years old but when Vista was released, somehow it's only 5 years old.
Eh? I just used the real info, rather than trying to put some annoying spin on it to distort reality.

Service and error reporting were disabled after install on this xp/'nix box. Just checked to make sure. What operating system has a longer support life than XP? Beta and RC tested 7, and with 8 in the pipeline, and my XP extended support going until 2014, you do the math....maybe if I was gaming...

Why are people debating who's right and who's wrong?

It's 2010 and it seems people just can't live with the fact that ALL software comes with bugs. Microsoft might be wrong for not patching it, but the Google engineer definitely has very bad professional ethics. Being a Google engineer, he should very much know that there is such a thing as an SDLC and that no organization will promise a definite date to patch bugs. Releasing bug exploit information into the wild just because Microsoft doesn't follow his demands clearly shows how naive he is, and he should be condemned by the industry.
