Hackers exploit Windows XP zero-day, Microsoft confirms

Bug, revealed by Google engineer, now being used in drive-by attacks

Hackers are now exploiting the zero-day Windows vulnerability that a Google engineer took public last week, Microsoft confirmed today.

Although Microsoft did not share details of the attack, other researchers filled in the blanks.

A compromised Web site is serving an exploit of the bug in Windows' Help and Support Center to hijack PCs running Windows XP, said Graham Cluley, a senior technology consultant at antivirus vendor Sophos. Cluley declined to identify the site, saying only that it was dedicated to open-source software.

"It's a classic drive-by attack," said Cluley, referring to an attack that infects a PC when its user simply visits a malicious or compromised site. The tactic was one of two that Microsoft said last week were the likely attack avenues. The other: Convincing users to open malicious e-mail messages.

According to Microsoft, the exploit has since been scrubbed from the hacked Web site, but it expects more to surface. "We do anticipate future exploitation given the public disclosure of full details of the issue," said Jerry Bryant, Microsoft's group manager of response communications.

The vulnerability was disclosed last Thursday by Tavis Ormandy, a security engineer who works for Google. Ormandy, who also posted proof-of-concept attack code, defended his decision to reveal the flaw only five days after reporting it to Microsoft -- a move that Microsoft and other researchers questioned.

Today, Cluley called Ormandy's action "utterly irresponsible," and in a blog post asked, "Tavis Ormandy -- are you pleased with yourself?"

The five-day stretch between the day Ormandy reported the bug to Microsoft and when he publicly disclosed the flaw stuck in Cluley's craw. "Five days isn't enough time to expect Microsoft to develop a fix, which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct," Cluley said.

In a message on Twitter last week, Ormandy said that he released the information because Microsoft would not commit to producing a patch within 60 days. "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days," Ormandy said on Saturday.

Microsoft confirmed that its security team had discussed a patch schedule with Ormandy.

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Bryant. "We were surprised by the public release of details on the 9th."

Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."

The in-the-wild attack code is very similar to the proof-of-concept that Ormandy published last week, said Cluley.

That didn't surprise another security expert. "Given the amount of detail that was released, it's a 'script kiddie' kind of exploit at this point," said Andrew Storms, director of security operations at nCircle Security.

The fact that an exploit based on Ormandy's code was published June 10 for the open-source Metasploit hacking toolkit probably was also a factor, said Storms in an instant message exchange. "No surprise at all there," he said. "There is a large community of people submitting to the Metasploit project."

Microsoft said that the current exploits work against Windows XP machines, but added that Windows Server 2003, the other OS containing the flaw, was safe for the moment. "Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed," the company's security team wrote on Twitter at 1.30 p.m. ET.

The next regularly-scheduled Microsoft security updates are to ship July 13, but the company occasionally departs from its monthly practice with so-called "out-of-band" emergency updates.

Microsoft declined to comment on whether it would now step up its patch process to produce a fix before July 13. "We continue to monitor the threat landscape and will keep customers updated via our blog at and our Twitter handle," said Bryant in an e-mail to Computerworld.


Gregg Keizer

Computerworld (US)