It always seems that reported bugs in any Microsoft product spur a rash of attacks almost immediately after their report.

The latest is the problem with the online help system, which is still not patched, and the only reasonable solutions at this point are to not use the help system or to disable it completely. Microsoft is quick to point out the fact that Windows Vista and Windows 7 do not experience the problem as the help system has changed.

It does beg the question about the source of these attacks. Could they have anything to do with the convergence of the end of XP SP2 support, the push by Microsoft to move all to Windows 7, and the need of Microsoft to have something to deflect the not-so-meteoric rise and fall of the Kin phones on the Verizon network?

The story comes from gHacks, but was originally reported by the BBC –

An unpatched bug in the Windows XP Help and Support system is being increasingly attacked by virus and malware writers, as reported by the BBC.

Microsoft has reported it’s seen more than 10,000 PCs hit by the attack so far and it’s still not been able to find a fix for the problem.

The effect of the vulnerability can give hackers complete control over a PC. It initially came about when a Google Engineer discovered it was possible to exploit Windows XP’s ability to send and receive remote help from another computer.

Initially, Microsoft said it only saw “innocuous” attacks by a few researchers but now hi-tech criminals are exploiting it as well.

Writing on the Microsoft Security Centre blog, Holly Stewart said it had started seeing “seemingly-automated, randomly-generated” web pages that host the exploit.

A senior security researcher at Trend Micro, Rik Ferguson, said, “It’s certainly very serious and is now being actively exploited by what appears to be several different groups as you can see from the multiple payloads being delivered,” and Carole Theriault, senior security consultant at security firm Sophos, has described the attacks as a “nightmare”.

Microsoft is still working on a fix for the problem but Engadget have reported that…

Microsoft says the only current workaround to the issue is to unregister the HCP Protocol, which disables hcp:// style links.

The vulnerability does not affect Windows Vista or Windows 7.

Windows XP and Windows Server 2003 users can read the following guide to find out how to protect their system from the attack: Windows XP And Windows Server 2003 Zero-Day Vulnerability.

This would seem to target only the inexperienced on computers, as the information provided by the online help is minimal at best. Also, those having used Windows XP for any time would probably know that the better way of getting an answer to an XP problem is using Google. Google produces much better results when trying to find any answer that resides on the Microsoft website, as it appears to know the site much better than Microsoft (I have mentioned this many times, and the example I usually use is the availability of themes for Windows XP. There are several available, but try to find them using the search function of the Microsoft Windows site – I dare you! Google will find all of them until such time as Microsoft removes them completely [they are slowly doing just that]).

[Update] Since I wrote this, an article in Maximum PC tells a few more details about the situation –

It didn’t take long for digital ne’er do gooders to actively exploit a new Windows XP flaw discovered by a Google engineer last month. In a blog post on Wednesday, Microsoft said it noted some 10,000 “distinct computers” have fallen prey to the attack.

“At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged,” Microsoft said. “Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up.”

Microsoft also said the attacks are no longer limited to specific geographies, noting outbreaks in Portugal, Russia, Croatia, Germany, Spain, Greece, Turkey, Saudi Arabia, Brazil, and several others, including the United States.

The exploit involves a vulnerability in the Windows Help and Support Center software that comes with Windows XP. In short, the attack is being used to download various malware, as well as a piece of software called Obitel that…downloads more malware. Go figure.

The title of the Max PC story includes the fact that over 10,000 PCs have been attacked thus far, and that the attacks have been widely known for at least two weeks – it does seem that some greater warning should have been sounded before now. The initial explanation made the problem seem to be a long shot at best.

With this in mind, I would recommend either not using the Help in XP at all or applying the specific restrictions recommended by Microsoft, if your PC gets used by others.

I also can’t help thinking that this attack is fortuitously timed with the end of support for SP2, and Microsoft’s extreme push for Windows 7 adoption. Perhaps over the Independence Day holiday a good plan would be to update any computers running XP to SP3 and apply the restrictions at the same time.

It may not make for your most leisurely 4th of July holiday, but you will be glad you are protected.
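For anyone reviewing saved pages or proxy captures while the restriction is being rolled out, the sketch below flags markup that would hand a URL to the hcp:// handler discussed above. It is an added example, not code from this post or from the quoted articles; the attribute list, the sample page and its placeholder host names are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser may treat as a URL (assumed list).
URL_ATTRS = {"href", "src", "data", "action", "content"}

def _normalise(value):
    # Entities are already decoded by HTMLParser; drop whitespace/control chars.
    return re.sub(r"[\x00-\x20]+", "", value or "").lower()

class HcpLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []            # (line, tag, attribute)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        for name, value in attrs:
            url = _normalise(value) if name in URL_ATTRS else ""
            if name == "content":   # <meta http-equiv="refresh" content="0;url=...">
                url = url.partition("url=")[2]
            if url.startswith("hcp:"):
                self.hits.append((self.getpos()[0], tag, name))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        pos = data.lower().find("hcp://")
        if self._in_script and pos != -1:
            line = self.getpos()[0] + data.count("\n", 0, pos)
            self.hits.append((line, "script", "text"))

def find_hcp_links(markup):
    finder = HcpLinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<a href="http://example.test/help">ordinary link</a>
<iframe src="HCP://constructed-placeholder"></iframe>
<a href=" h&#99;p://constructed-placeholder">entity-encoded</a>
<meta http-equiv="refresh" content="0; URL=hcp://constructed-placeholder">
<script>
window.location = "hcp://constructed-placeholder";
</script>
<p>The text hcp:// in prose is not a link.</p>"""
```

`find_hcp_links(SAMPLE)` returns one `(line, tag, attribute)` tuple per suspicious element, and ignores the plain-text mention in the last paragraph.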

