ITPRO

Printed from www.itpro.co.uk


    New Windows XP flaw leaves PCs exposed to remote attack

A British security researcher has discovered a new zero-day vulnerability that exploits a soft spot in XP's Help and Support Centre to take over PCs.

By Martin James, 11 Jun 2010 at 10:36


A new zero-day flaw has been found in Windows XP that could allow cyber criminals to take control of users' PCs.

The bug takes advantage of a security gap in XP's Help and Support Centre, which leaves the remote assistance tool vulnerable to being taken over by attackers, who would then be able to execute tasks on infected PCs.

By embedding commands in web addresses, hackers could activate the remote assistance tool and issue commands to the PC in question over the internet. The flaw was discovered by British security researcher Tavis Ormandy, who reported it to Microsoft earlier this week.

“At least Microsoft Windows XP, and Windows Server 2003 are affected. The attack is enhanced against IE >= 8 and other major browsers if Windows Media Player is available, but an installation is still vulnerable without it,” Ormandy wrote on the Full Disclosure mailing list.

“Machines running versions of IE less than 8 are, as usual, in even more trouble. In general, choice of browser, mail client or whatever is not relevant, they are all equally vulnerable.”

Microsoft has confirmed it is investigating the matter, but criticised Ormandy for waiting just four days before making the full details of the flaw public, complete with a working exploit and suggested workaround.

“Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” said Mike Reavey, director of Microsoft's Security Research Centre.

He emphasised that Microsoft wasn't aware of any working exploits, and confirmed that users of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 had nothing to worry about.

However, Ormandy countered that the risk was sufficient to make holding on to the information irresponsible. “Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user,” Ormandy wrote. “I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.”

The vulnerability comes to light just days after a bumper set of Microsoft's customary Patch Tuesday fixes was sent out, though there is no word yet as to whether it will force the firm to send out an out-of-cycle update.

Microsoft has promised to issue a security advisory on the matter as soon as possible.

In the meantime, Ormandy suggests deleting the HCP key entry within the HKEY_CLASSES_ROOT section of the Registry as a temporary workaround. However, Microsoft warns that doing so will break not only any links hackers may be using to manipulate systems, but also any legitimate help links using the hcp:// protocol.
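
The workaround described above, written out as an added example (not code from the article, Ormandy or Microsoft): a batch script that exports the HCP key before deleting it, so legitimate help links can be restored once a fix is available. The backup path is an assumption; the script must be run from an administrator command prompt.

```batch
@echo off
rem Added example: back up, then remove, the hcp:// protocol handler
rem (HKEY_CLASSES_ROOT\HCP) on Windows XP / Windows Server 2003.
setlocal

rem BACKUP is an assumed location; use any path you control.
set "BACKUP=%SystemDrive%\hcp_backup.reg"

rem Nothing to do if the handler is already absent.
reg query "HKEY_CLASSES_ROOT\HCP" >nul 2>&1
if errorlevel 1 (
    echo HCP key not present, no change made.
    exit /b 0
)

rem Never overwrite an earlier backup of the original key.
if exist "%BACKUP%" (
    echo Backup file already exists, move it aside and re-run.
    exit /b 1
)

rem Export first; leave the key alone if the export did not succeed.
reg export "HKEY_CLASSES_ROOT\HCP" "%BACKUP%"
if errorlevel 1 goto :export_failed
if not exist "%BACKUP%" goto :export_failed

rem Remove the protocol handler. This also breaks legitimate hcp:// help links.
reg delete "HKEY_CLASSES_ROOT\HCP" /f
if errorlevel 1 (
    echo Delete failed, HCP key still registered.
    exit /b 1
)

rem Confirm the key is gone before reporting success.
reg query "HKEY_CLASSES_ROOT\HCP" >nul 2>&1
if not errorlevel 1 (
    echo HCP key is still present after delete.
    exit /b 1
)
echo HCP handler removed. Backup saved to "%BACKUP%".
exit /b 0

:export_failed
echo Export failed, HCP key left in place.
exit /b 1
```

To undo the workaround later, re-import the saved file with `reg import` and the same path.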
