Windows XP Zero-Day Exploit Spawns Attacks


Last week's public disclosure of a vulnerability in Windows XP, complete with working exploit code, has now led to attacks "in the wild," that is, on the wider Internet, according to Microsoft.

Microsoft (NASDAQ: MSFT) originally issued a Security Advisory regarding the disclosure last Thursday. In a follow-up statement this week, the company's security mavens made it clear they're somewhat peeved that the disclosure, which included working exploit code, came without any advance warning to Microsoft.

To make things even more galling, the disclosure came from Google (NASDAQ: GOOG), one of Microsoft's bitterest rivals.

"The exploits have since been taken down and we are not currently aware of any exploit URLs attempting to exploit this issue. We do anticipate future exploitation given the public disclosure of full details of the issue," Jerry Bryant, group manager for response communications at Microsoft's Security Response Center (MSRC), said in an e-mail.

"This is an example of why we advocate for responsible disclosure and feel that the actions taken in this case by Google’s researcher have put customers at risk," Bryant added.

Tavis Ormandy, a security researcher for search giant Google, published his proof-of-concept exploit on the Full Disclosure security mailing list. He has been a burr under Microsoft's saddle before.

In January, Ormandy published an exploit on Full Disclosure for a security hole present in multiple versions of Windows, dating back to the early 1990s.

In his post on Full Disclosure, Ormandy was unrepentant.

"I would like to point out that if I had reported the ... issue without a working exploit, I would have been ignored," he said.

This latest disclosure concerns the way Windows XP Service Pack 2 (SP2) and SP3 handle hcp://, the URL protocol that launches the Windows Help and Support Center. Using the proof-of-concept code Ormandy published, an attacker can easily craft a cross-site scripting attack against the Help Center that runs code of the attacker's choosing on the user's PC, and all the user needs to do to be compromised is visit a Web page carrying the malicious link.
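Because the attack vector described above is a web page that hands an hcp:// link to the handler, one thing a defender can do while waiting for a patch is sweep captured HTML (proxy logs, saved pages, mail bodies) for references to that scheme. The PowerShell below is an added example and is not from the article, from Ormandy's post or from Microsoft; it matches the hcp: scheme only and encodes no exploit string. It assumes PowerShell 2.0 with the .NET System.Web assembly available (as on XP SP3 with .NET 3.5); the sample HTML is constructed for the demonstration.

```powershell
# Added example, not from the article: flag hcp: scheme references in HTML so
# pages that try to launch Help and Support Center can be reviewed. Assumes
# PowerShell 2.0 and the System.Web assembly (HttpUtility) are present.
Add-Type -AssemblyName System.Web

function Find-HcpReference {
    param([Parameter(Mandatory = $true)][string]$Html)

    # 1. Decode HTML entities first: "&#104;cp:" is the same scheme to the
    #    browser as "hcp:", so it must be the same scheme to the detector.
    $decoded = [System.Web.HttpUtility]::HtmlDecode($Html)

    # 2. Browsers discard ASCII control characters and whitespace inside a
    #    URL before matching the scheme, so "h<TAB>cp:" still launches the
    #    handler. Allow those characters between the scheme letters, match
    #    case-insensitively, and refuse matches that are part of a longer word.
    $pattern = '(?i)(?<![A-Za-z0-9])h[\s\x00-\x1f]*c[\s\x00-\x1f]*p[\s\x00-\x1f]*:'

    $hits  = @()
    $lines = $decoded -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        foreach ($m in [regex]::Matches($lines[$i], $pattern)) {
            $hits += New-Object PSObject -Property @{
                Line    = $i + 1
                Offset  = $m.Index
                Context = $lines[$i].Trim()
            }
        }
    }
    return $hits
}

# Constructed sample input: four references a scanner must catch (plain link,
# upper-case scheme in a hidden iframe, entity-encoded meta refresh, tab
# inserted into the scheme) plus a line that only looks similar.
$sample = @'
<html><body>
<a href="hcp://services/centers/support">plain link</a>
<iframe src="HCP://SERVICES/" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=&#104;&#99;&#112;://services/">
<a href="h&#9;cp://services/">tab hidden inside the scheme</a>
<p>Our HCPURL: http://example.test/hcp.html is unrelated</p>
</body></html>
'@

Find-HcpReference -Html $sample | Sort-Object Line | Format-Table Line, Offset, Context -AutoSize
```

Run against the constructed sample, the function reports the four link-bearing lines and ignores the final paragraph, because "HCPURL" and "hcp.html" are never followed by a colon. Decoding entities before matching is the important step; a plain string search for "hcp://" over the raw HTML misses two of the four.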

Microsoft said in last week's Security Advisory that it's working on a patch for the flaw. However, the company has not said when it expects to be able to release the patch.

In the meantime, the company has published a Fix It solution that unregisters the hcp:// protocol handler automatically. Disabling the handler has side effects, though: Microsoft's advisory notes that links in the Windows Control Panel that rely on hcp:// may no longer work.
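For administrators who would rather script the workaround than run the Fix It on every machine, the PowerShell below is an added example; it is not the article's code and not Microsoft's Fix It. It assumes that the handler is registered under HKEY_CLASSES_ROOT\HCP (the key the advisory's manual workaround deletes), that the shell runs as an administrator, that reg.exe is on the PATH, and it picks an arbitrary backup location of its own.

```powershell
# Added example, not the article's or Microsoft's Fix It code: inspect,
# disable and later restore the hcp: protocol handler on Windows XP.
# Assumptions: HKEY_CLASSES_ROOT\HCP holds the registration, the shell is
# elevated, reg.exe is on the PATH, and $BackupFile is a location chosen here.

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:SystemDrive 'hcp-handler-backup.reg'

function Test-HcpHandler {
    # $true while hcp: is still registered as a URL protocol, i.e. a web page
    # can still launch Help and Support Center through an hcp:// link.
    if (-not (Test-Path $HcpKey)) { return $false }
    return ((Get-Item -Path $HcpKey).GetValueNames() -contains 'URL Protocol')
}

function Disable-HcpHandler {
    # Back the key up before deleting it so the workaround can be undone once
    # the patch ships. The side effect the advisory warns about (Control Panel
    # links that use hcp:// stop working) applies to this script as well.
    if (-not (Test-Path $HcpKey)) {
        Write-Output 'hcp: handler is not registered; nothing to do.'
        return
    }
    # XP's reg.exe prompts before overwriting, so clear any stale backup first.
    if (Test-Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-HcpHandler) { throw 'HKCR\HCP is still present after removal.' }
    Write-Output "hcp: handler removed; backup written to $BackupFile"
}

function Restore-HcpHandler {
    # Re-import the saved key after the vendor patch is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
    Write-Output ('hcp: handler registered again: {0}' -f (Test-HcpHandler))
}

# Usage, one step at a time:
#   Test-HcpHandler      # $true on an unmitigated XP SP2/SP3 machine
#   Disable-HcpHandler
#   Restore-HcpHandler   # once Microsoft's patch has been applied
```

The script refuses to delete the key unless the export succeeded, which is the one thing a one-off Fix It does not leave behind for you: a way to put the handler back once the real fix is installed.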

While Ormandy's Full Disclosure post said that Windows Server 2003 is also at risk, Microsoft's security researchers said that doesn't appear to be true. According to Microsoft, no release of Windows other than XP is affected by the flaw.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.
