
Zero Day

Ryan Naraine and Dancho Danchev

Windows XP zero-day under attack; Use Microsoft's "fix-it" workaround

By | June 15, 2010, 11:49am PDT

Summary: Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors are exploiting the flaw to plant malware on Windows machines.

Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors have struck, exploiting the flaw to plant malware on Windows machines.

The attacks, described by Microsoft as “limited,” are being distributed on rigged Web sites (drive-by downloads).

“Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed,” according to Microsoft’s security response center.


The attacks, which are only targeting Windows XP computers with the HCP protocol enabled, follow the controversial public disclosure of the flaw by Ormandy, a high-profile Google researcher.

[ Googler releases Windows zero-day exploit, Microsoft unimpressed ]

The issue, which exists in the Microsoft Windows Help and Support Center, is caused by improper sanitization of hcp:// URIs. It allows a remote, unauthenticated attacker to execute arbitrary commands.

Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that “hcp://” itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch.

Ormandy said he spent the five days “negotiating” for Microsoft to get a fix ready in 60 days but when that failed, he decided to go public because he was convinced that malicious hackers may be looking into these kinds of security holes.

ONE-CLICK FIX-IT

In the absence of a patch, Microsoft is recommending that affected Windows customers use this one-click Fix-It tool to unregister the problematic “hcp://” protocol.

This can also be manually done by following these simple directions:

  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  4. Right-click the HCP key, and then click Delete.

Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://.  For example, links in Control Panel may no longer work.
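The same workaround as a script, added here as an example and not Microsoft's Fix-It tool: it checks whether the hcp:// handler is still registered, exports the key before deleting it so the change can be reverted once a patch ships, and restores it from that backup. The backup file path and function names are assumptions; it assumes PowerShell 2.0 on Windows XP / Server 2003 run as an administrator.

```powershell
# Added example, not Microsoft's Fix-It tool: checks whether the hcp:// handler
# is registered, unregisters it with a registry backup, and can restore it.
# Assumes PowerShell 2.0 on Windows XP / Server 2003, run as an administrator.
$HcpKeyPath = 'Registry::HKEY_CLASSES_ROOT\HCP'        # key the article says to delete
$HcpKeyName = 'HKEY_CLASSES_ROOT\HCP'                  # same key in reg.exe syntax
$BackupFile = Join-Path $env:SystemRoot 'HCP-workaround-backup.reg'   # assumed path

function Test-HcpRegistered {
    # True while the hcp:// protocol handler is still registered (machine exposed).
    return (Test-Path -Path $HcpKeyPath)
}

function Disable-HcpProtocol {
    if (-not (Test-HcpRegistered)) {
        Write-Host 'hcp:// is already unregistered; nothing to do.'
        return
    }
    # Export the key first so the workaround can be reverted later.
    # reg.exe on XP prompts if the target exists, so clear any old backup.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    & reg.exe export $HcpKeyName $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; HCP key left in place."
    }
    # Same effect as steps 1-4 above: remove HKEY_CLASSES_ROOT\HCP and its subkeys.
    Remove-Item -Path $HcpKeyPath -Recurse -Force
    Write-Host "hcp:// unregistered. Local help links using hcp:// stay broken until restored."
}

function Enable-HcpProtocol {
    # Revert the workaround from the backup taken by Disable-HcpProtocol.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed; handler not restored.' }
    Write-Host 'hcp:// handler restored.'
}

# Usage: report the current state, then apply the workaround.
if (Test-HcpRegistered) {
    Write-Host 'hcp:// protocol handler is registered: this machine is exposed.'
    Disable-HcpProtocol
} else {
    Write-Host 'hcp:// protocol handler is not registered.'
}
```

Run Enable-HcpProtocol after the vendor patch is installed to bring back the Control Panel help links the article warns will break.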



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 116 Talkback(s)

  • RE: Windows XP zero-day under attack; Use Microsoft's
    The more I read about this the more it bugs me that this Google Security expert took it upon himself to release this to the wild. Who does he think he is to judge Microsoft? Good on him for finding this and taking time to look for Microsoft flaws, but whose to say 5 days is too long? Now we get to deal with more virus outbreaks. Great for technicians who get paid by the hour, bad for users...
    ZDNet Gravatar
    James A Bailey
    15th Jun 2010
  • RE: Windows XP zero-day under attack; Use Microsoft's
    @James A Bailey
    The words are "who is" or "who's", not "whose". Look it up.
    ZDNet Gravatar
    dhays
    15th Jun 2010
  • RE: Windows XP zero-day under attack; Use Microsoft's
    @dhays

    Seriously? Do you go around checking all the talkbacks for grammar?
    ZDNet Gravatar
    Badgered
    15th Jun 2010
  • RE: Windows XP zero-day under attack; Use Microsoft's
    grammar marms also have tendencies 2 rock back and forth along with lip drooling.... they are expecting a smiley face sticker not to be mocked. dont be mean son....
    ZDNet Gravatar
    bspurloc
    15th Jun 2010
  • RE: Windows XP zero-day under attack; Use Microsoft's
    @Badgered
    Seriously? Do you go around checking all the talkbacks for grammar?

    His days would never end. And that would include many of the published articles to boot.
    ZDNet Gravatar
    klumper
    15th Jun 2010
  • 5 days? HCP vulnerabilities are very old...
    @James A Bailey

    reports on them date from 2004 and earlier but MS failed to address them.

    Their solution: buy win 7.
    ZDNet Gravatar
    OS Reload
    15th Jun 2010
  • Lookingforward
    @OS Reload
    Looking forward to your link to when this vuln was originally reported.

    No?

    Because you are not suggesting that just because there have been other vulns in the hcp protocol they should have found this one?
    ZDNet Gravatar
    honeymonster
    15th Jun 2010
  • Which is a darn good solution; one that works.
    @OS Reload
    That's all; nothing more to say.
    ZDNet Gravatar
    windozefreak
    16th Jun 2010
  • RE: Windows XP zero-day under attack; Use Microsoft's
    wah wah wah wah......
    Do u know who is to blame for this exploit? MICROSOFT. grats though... wah wah wah wah
    ZDNet Gravatar
    bspurloc
    15th Jun 2010
  • If MS had agreed to fix it within 60 days, it wouldn't be in the wild now.
    @James A Bailey

    The Google researcher released the POC code because MS wouldn't commit to releasing a fix within two months.

    Check out this Computerworld link for more information.
    ZDNet Gravatar
    Letophoro
    16th Jun 2010
  • Crappy reasoning.
    @Letophoro
    If you're a dyed-in-the-wool hacker then perhaps you might be seen as giving MS a break by telling them fix it in 60 days or I will release the code.

    Ormandy was supposedly acting as a responsible researcher. While not quite as deadly, obviously, it would be like a medical researcher telling the government to get a particular vaccine made available in 60 days or they would release a deadly strain of flu virus into the population. Under any circumstance, any at all, how is that kind of behavior tolerable?

    It's moronic and mean spirited and should be criminal. There is no remedial purpose to pulling such a stunt. None whatsoever other than to prove you really hate Microsoft, and apparently have no use or respect for the hundreds of millions around the world who use Windows.

    Spectacular move Ormandy. If I was a legitimate employer this idiot with the loose cannon mentality would be the last Joe I would ever hire. How long would his brainless loose cannon ways carry on before he decides it's his right to do something crazy again that would put my company on the hook for his shortsighted foolishness?
    ZDNet Gravatar
    Cayble
    15th Jul 2010
