Microsoft Reports Over 10,000 Zero-Day Attacks


It's been three weeks since Microsoft announced it was working on a patch for a nasty zero-day security hole in Windows XP's Help and Support Center, the details of which a Google security researcher had published on a security website.

Now, according to a post at Microsoft's (NASDAQ: MSFT) Malware Protection Center blog on June 30, the exploit that Google (NASDAQ: GOOG) researcher Tavis Ormandy unleashed in the wild has resulted in more than 10,000 attacks in the real world.

"At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15, the first real public exploits emerged. Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets," Microsoft spokesperson Holly Stewart said in the blog post.

Following Ormandy's disclosure of the XP bug's inner workings in mid-June, Microsoft released a Security Advisory warning security professionals and system administrators about the exploit code's existence and published a simple -- if a little clumsy -- workaround.

Ormandy said in a post to the Full Disclosure security mailing list that he informed Microsoft about the vulnerability on June 5, and that they "confirmed receipt of my report on the same day."

He also said there was no malicious intent in going public. "I've concluded that there's a significant possibility that attackers have studied this component and releasing this information rapidly is in the best interest of security," said Ormandy.

But in the short term that doesn't appear to be the case, and at least one other security firm blasted Ormandy's decision.

Microsoft said in a post to its Security Research and Defense blog on June 10 that it is currently working on an "update" to fix the problem.

That patch is not available yet, however, and the workaround requires users to disable part of the Help and Support Center feature. It works by unregistering, in the Windows Registry, the special communications protocol that the help facility uses, so that the protocol handler can no longer be invoked.

Doing that, however, can also cause legitimate help links, such as ones in the Windows Control Panel, to not function.

In the meantime, active attacks continue.

"Starting last week, we started seeing seemingly-automated, randomly-generated html and php pages hosting this exploit. This attack methodology constitutes the bulk of attacks that have continued to flourish into this week," Stewart's post said.

But Microsoft has been active in working to eliminate the threat.

"In addition to the mitigations listed in the advisory, customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform have had coverage for this exploit since June 10," her blog post continued.

Geographically, the largest numbers of affected PCs so far have been in the U.S., Russia, Portugal, Germany, and Brazil.

However, users of XP Service Pack 2 (SP2), by far the most prevalent release of XP, had better start moving to Service Pack 3 (SP3) post haste. Microsoft is ending support for XP SP2 as of July 13, which is less than two weeks away.

"To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with SP3 or later versions, such as Windows 7. However, we continue to provide support as part of the extended support until April 2014 for customers who have SP3 installed," Jerry Bryant, group manager for response communications in Microsoft's Security Response Center, said in a statement e-mailed to InternetNews.com.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.