Criminals target unpatched Windows XP bug

James Delahunty
15 Jun 2010 22:43

A few days ago, we reported about a controversial disclosure of an exploitable vulnerability that affects Windows XP and Windows Server 2003. Google engineer Tavis Ormandy had alerted Microsoft of the problem and then just five days later published an advisory detailing the bug, even though no patch had been distributed by Microsoft for the problem.
Ormandy was heavily criticized for not waiting until the Redmond software giant had pushed out an update for the bug, which affects the Windows Help and Support Center. His affiliation with Google also fueled some speculation of his motivation for publishing the advisory early. However, Ormandy has consistently defended himself, indicating this is probably the only way to ensure that Microsoft will release a patch.
The flaw was disclosed only last Thursday, but anti-virus provider Sophos has already found that the vulnerability is being targeted by criminal hackers. The bug could potentially allow an attacker to execute code on a victim's computer using specially crafted webpages or crafted links in e-mail messages.
While the original bug affects Windows Server 2003, Microsoft's analysis found that only Windows XP is vulnerable to the attacks. Currently, the crafted webpages download and execute malware (Troj/Drop-FS) on a victim's computer, according to Sophos.
Microsoft amended its own advisory on the bug, adding that the company is aware that limited, targeted active attacks are happening as a result of the issue.
Windows XP users concerned about the bug can use Microsoft's online FixIt application to disable vulnerable features in the Help and Support Center.
