Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors have struck, exploiting the flaw to plant malware on Windows machines.

The attacks, described by Microsoft as “limited,” are being distributed on rigged Web sites (drive-by downloads).
“Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed,” according to Microsoft’s security response center.

The attacks, which are only targeting Windows XP computers with the HCP protocol enabled, follows the controversial public disclosure of the flaw by Ormandy, a high-profile Google researcher.

The issue, which exists in the Microsoft Windows Help and Support Center, is caused by improper sanitization of hcp:// URIs. It allows a remote, unauthenticated attacker to execute arbitrary commands.

Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that “hcp://” itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch:

Ormandy said he spent the five days “negotiating” for Microsoft to get a fix ready in 60 days but when that failed, he decided to go public because he was convinced that malicious hackers may be looking into these kinds of security holes.


In the absence of a patch, Microsoft is recommending that affected Windows customers use this one-click Fix-It tool to unregister the problematic “hcp://” protocol.

Vulnerability in Help Center could allow remote code execution

This can also be manually done by following these simple directions:

1.Click Start, and then click Run.
2.Type regedit, and then click OK.
3.Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
4.Right-click the HCP key, and then click Delete.
Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

More Information about the public release from Googler on the Zero Day Attack.
Googler releases Windows zero-day exploit, Microsoft unimpressed | ZDNet

Use Microsoft Fix It to automatically fix every day issues
Microsoft Fix it Solution Center