Last month, a Google engineer disclosed a security flaw in Windows XP’s Help and Support Center software that can potentially enable attackers to download malicious software and effectively take over a computer, searching it for sensitive information, turning it into a spam zombie, or simply having it continually pull down more malware from the Internet. The bug was disclosed to the public on June 10, and Microsoft says that at first the only incidents involving the bug were apparently innocuous probes by security researchers. However, beginning June 15 the “first real public exploit emerged,” and now Microsoft says over 10,000 Windows XP systems have been subjected to the attack.
Microsoft’s next software update for Windows XP is scheduled for July 13. In the meantime, the company is urging Windows XP users to protect their PCs. One workaround is to disable the HCP protocol, although this will break any hcp:// links users might rely on to get to specific resources in the Help and Support Center.
Windows Server 2003 also ships with the Help Center software but is apparently immune to the attack.
Google engineer Tavis Ormandy revealed the problem to Microsoft back on June 5; however, five days later he took information about the bug public, apparently dissatisfied with Microsoft’s response to the problem.
Microsoft says systems in Russia, Portugal, the United States, Germany, and Brazil have been the largest targets of this particular exploit, so far.