BEWARE As Windows XP zero-day under attack; Use Microsoft's "fix-it" workaround

Feb 21, 2010
Hello Everyone,
Today my first email was about some malware exploiters have used & are really going for it with against Windows users. Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors have struck, exploiting the flaw to plant malware on Windows machines.

The attacks, described by Microsoft as “limited,” are being distributed on rigged Web sites (drive-by downloads).
“Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed,” according to Microsoft’s security response center.

The attacks, which are only targeting Windows XP computers with the HCP protocol enabled, follow the controversial public disclosure of the flaw by Ormandy, a high-profile Google researcher.
[ Googler releases Windows zero-day exploit, Microsoft unimpressed ]

The issue, which exists in the Microsoft Windows Help and Support Center, is caused by improper sanitization of hcp:// URIs. It allows a remote, unauthenticated attacker to execute arbitrary commands.
Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.
In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that “hcp://” itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch.
Ormandy said he spent the five days “negotiating” for Microsoft to get a fix ready in 60 days but when that failed, he decided to go public because he was convinced that malicious hackers may be looking into these kinds of security holes.
In the absence of a patch, Microsoft is recommending that affected Windows customers use this one-click Fix-It tool to unregister the problematic “hcp://” protocol.

This can also be manually done by following these simple directions:
  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  4. Right-click the HCP key, and then click Delete.
Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
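As an added example (not part of the original post or Microsoft's Fix-It), the same workaround as the manual regedit steps above in PowerShell: it checks whether the hcp:// handler is still registered, exports a backup of the key so the change can be reversed once a patch ships, and only then deletes it. The backup file location is an assumption.

```powershell
# Added example: audit and unregister the hcp:// protocol handler (HKCR\HCP).
# Mirrors the manual steps in the post, with a check and a backup first.
# Run from an elevated (administrator) PowerShell session.
$hcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backupFile = Join-Path $env:TEMP 'HCP-key-backup.reg'   # assumed location

function Test-HcpHandler {
    # Returns $true while the hcp:// protocol handler key is still present.
    return (Test-Path -Path $hcpKey)
}

function Show-HcpHandler {
    # Display the command the handler would launch, if the key is present.
    $cmdKey = Join-Path $hcpKey 'shell\open\command'
    if (Test-Path -Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        Write-Output "hcp:// handler present, launches: $cmd"
    } elseif (Test-HcpHandler) {
        Write-Output 'hcp:// handler key present (no shell\open\command subkey).'
    } else {
        Write-Output 'hcp:// handler not registered.'
    }
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandler)) {
        Write-Output 'hcp:// handler not registered; nothing to do.'
        return
    }
    # Export the key before deleting it; reg.exe is available on XP and later.
    & reg.exe export 'HKCR\HCP' $backupFile | Out-Null
    if (-not (Test-Path -Path $backupFile)) {
        throw "Backup failed; refusing to delete $hcpKey"
    }
    Remove-Item -Path $hcpKey -Recurse -Force
    Write-Output "Removed HCP key; backup saved to $backupFile"
}

function Restore-HcpHandler {
    # Re-register the handler from the backup once a patch has been installed.
    if (-not (Test-Path -Path $backupFile)) { throw "No backup at $backupFile" }
    & reg.exe import $backupFile | Out-Null
    Write-Output "Restored HCP key from $backupFile"
}

Show-HcpHandler
Disable-HcpHandler
Write-Output ("hcp:// still registered: " + (Test-HcpHandler))
```

Running the script applies the workaround; call Restore-HcpHandler afterwards to undo it, which brings back the local help links the post says will break.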
I advise any members with PCs running XP to read the entire post; the link is available. Have a great day everyone.

jeffreyobrien (JOB)
