XP Help Flaw Attacks Explode, Still No Permanent Fix

Microsoft says more than 10,000 computers have been attacked through a bug in the Windows XP help system. Strangely, it has resisted criticizing the security researcher who publicized the security flaw.

The bug involves the way XP directs web browsers towards help pages, having first checked the page against a "whitelist" to make sure it is legitimate. It's possible for hackers to exploit the flaw by fooling the computer during this checking process. The result is that the browser can be relocated to a page containing malicious software.

Microsoft hasn't yet found a permanent solution to the problem, but does advise users to apply a temporary fix which blocks all links to the Windows XP help facility.

According to Microsoft's figures, there has been evidence of attacks since 15 June, a few days after the issue became public. However, the pace of the attacks picked up significantly since last week. (Source: bbc.co.uk)

Attacks Go from Targeted to Widespread

The attacks appear to have switched from being specifically targeted to widespread, suggesting the methods for successfully exploiting the bug may have spread among the hacker community.

Initially, most attacks using the bug involved downloading a rogue application onto vulnerable computers. Now, there's a much wider variety of material being installed onto the victims' machines, including several Trojan horses.

The attack rate is 10 times higher in Portugal than the global average and is also notably sky-high in Russia. There doesn't yet seem any specific reason why this is the case, and is certainly no guarantee that this is where hackers are operating from. (Source: technet.com)

Microsoft Does not Dispute Security Expert

Surprisingly, Microsoft's latest update on the issue makes no mention of the dispute about how the bug came to public attention. Tavis Ormandy, a security expert who happens to work for Google, discovered the bug and posted details online five days after informing Microsoft.

At the time, Microsoft and some independent security commentators criticized this move as irresponsible, because it meant the flaw was known by hackers before a release was available.

However, Ormandy has since revealed that he only made the details public after telling Microsoft he'd be willing to keep them under wraps for 60 days as long as Microsoft found a fix. Microsoft failed to commit to that timeline.