Microsoft issued a Security Advisory Thursday afternoon to warn Windows XP users of a serious threat to security caused by the disclosure of a previously unknown flaw in the system's Help and Support Center.
The flaw was revealed Wednesday night, along with a working exploit showing how to take advantage of it, by Google (NASDAQ: GOOG) security researcher Tavis Ormandy, who is no stranger to Microsoft's (NASDAQ: MSFT) security team. In January, he revealed a 17-year-old security flaw that he found in virtually all versions of Windows.
Ormandy's latest discovery works by launching XP's Help and Support Center through its own URL protocol (hcp://) rather than an ordinary hypertext link (http://). That can be used to launch a cross-site scripting attack, with the ultimate result of taking over the user's system just by visiting a page that's booby-trapped with a malicious link.
"The HCP protocol can be used to execute URL links to open the Help and Support Center feature," the advisory said. The problem comes from the fact that the Help and Support Center does not correctly validate URLs if they're sent using the protocol.
The vulnerability is also present in Windows Server 2003, according to Microsoft's Security Advisory. However, initial tests showed that the exploit that Ormandy posted to the Full Disclosure security mailing list did not cause a successful compromise of Windows Server 2003, according to a post on Microsoft's Security Research & Response blog.
Microsoft security engineers said they are still examining the problem, the blog post said. No other Windows versions are at risk, including Windows 7, Microsoft said.
Microsoft's security team is working on a patch, but has not yet said when it might be released. Microsoft's advisory states that no attacks in the wild exploiting the flaw have surfaced yet.
In its advisory, Microsoft published a workaround that modifies the Windows registry in order to disable the HCP protocol. Unfortunately, unregistering the protocol can also cause legitimate help links that use the HCP protocol, such as links in the Windows Control Panel, to fail.
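The following is an added example, not code from the article or from Microsoft's advisory, of how an administrator might apply and later reverse the registry workaround described above in a reproducible way: it exports the protocol handler's key for safekeeping before deleting it, refuses to delete anything if the backup fails, and can restore the key once a patch is installed. It assumes the HCP handler is registered at HKEY_CLASSES_ROOT\HCP (verify the exact key against the advisory before use) and an elevated PowerShell session.

```powershell
# Added example (not the article's or Microsoft's own code): unregister the
# HCP URL protocol handler as a stop-gap, keeping a backup so it can be
# re-registered after patching. Assumed key: HKEY_CLASSES_ROOT\HCP.
$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'   # assumed location of the handler
$BackupFile = Join-Path $env:TEMP 'HCP-protocol-backup.reg'

function Test-HcpRegistered {
    # Windows resolves a URL scheme by looking up HKCR\<scheme>; if the key is
    # gone, hcp:// links simply fail instead of launching Help and Support Center.
    return (Test-Path -Path $HcpKey)
}

function Disable-HcpProtocol {
    if (-not (Test-HcpRegistered)) {
        Write-Output 'HCP protocol is already unregistered; nothing to do.'
        return
    }
    # Export first so the change is reversible. Remove any stale backup so
    # reg.exe does not stop to ask about overwriting it.
    Remove-Item -Path $BackupFile -Force -ErrorAction SilentlyContinue
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; leaving the HCP key in place."
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    Write-Output "HCP protocol unregistered. Backup saved to $BackupFile"
}

function Restore-HcpProtocol {
    # Reverses the workaround (for example after the patch has been applied).
    if (-not (Test-Path $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore the HCP key."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed.' }
    Write-Output 'HCP protocol re-registered from backup.'
}

# Apply the workaround and report the resulting state.
Disable-HcpProtocol
Write-Output ("HCP handler still registered: " + (Test-HcpRegistered))
```

Run `Restore-HcpProtocol` from the same session (or re-run the script's functions later) to undo the change; until then, the legitimate hcp:// help links mentioned above, such as those in the Control Panel, will stop working, which is the trade-off the advisory itself notes.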
What makes the discovery and its disclosure prior to the creation of a patch so serious is that XP is still, by far, the most popular version of Windows ever.
According to tracking firm Net Applications, XP still makes up nearly 63 percent of all desktop operating systems in use today. By way of comparison, the second largest installed base is Windows Vista with 15 percent, followed by Windows 7, which has garnered nearly 13 percent, Net Applications' numbers say.