Unpatched Windows XP-related hole exploited in attacks
Microsoft says exploit code has been removed from the Web but more attacks are likely. Google researcher publicly disclosed the vulnerability last week.
Malicious hackers were found on Tuesday to be exploiting a hole affecting Windows XP that a Google researcher disclosed last week before Microsoft had a chance to fix it, the software giant confirmed.
There was "limited exploitation" of the unpatched vulnerability, Jerry Bryant, group manager for response communications at Microsoft, said in an e-mail statement. The exploits have been taken down from the Web, but Bryant said he expects there to be further attacks "given the public disclosure of full details of the issue."
"We want to reiterate that customers using Windows 2000, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not affected. Additionally, Windows Server 2003 customers are not at risk based on the attack samples we have analyzed," he said. "We encourage Windows XP customers to install the workaround provided in the advisory via a Microsoft FixIt. We continue to monitor the threat landscape and will keep customers updated via our blog at http://blogs.technet.com/b/msrc and our Twitter handle, www.twitter.com/msftsecresponse."
The vulnerability, which is in the online Windows Help and Support Center, could enable an attacker to take control of a computer running Windows XP by luring a computer user to a malicious Web site hosting code that exploits the hole, regardless of what browser is being used.
Earlier on Tuesday, Sophos reported on its blog that it was seeing exploits in the wild. Sophos' software detects the exploit as Troj/Drop-FS, and the company offers a free threat detection scan and information on how to remove the Trojan.
Microsoft is scrambling to develop a patch for the hole after Google researcher Tavis Ormandy disclosed it publicly last Thursday, providing details and proof-of-concept code. He had notified Microsoft about the problem five days earlier. Microsoft released an advisory on the vulnerability later on Thursday.
Ormandy's action was irresponsible because it did not give Microsoft enough time to fix the problem. Ormandy has not responded to that criticism but has defended releasing an exploit at the same time he reported the issue by saying Microsoft would have ignored him otherwise.