Hackers exploit Windows XP zero-day, Microsoft confirms
Bug, revealed by Google engineer, now being used in drive-by attacks
Computerworld - Hackers are now exploiting the zero-day Windows vulnerability that a Google engineer took public last week, Microsoft confirmed today.
Although Microsoft did not share details of the attack, other researchers filled in the blanks.
A compromised Web site is serving an exploit of the bug in Windows' Help and Support Center to hijack PCs running Windows XP, said Graham Cluley, a senior technology consultant at antivirus vendor Sophos. Cluley declined to identify the site, saying only that it was dedicated to open-source software.
"It's a classic drive-by attack," said Cluley, referring to an attack that infects a PC when its user simply visits a malicious or compromised site. The tactic was one of two that Microsoft said last week were the likely attack avenues. The other: Convincing users to open malicious e-mail messages.
According to Microsoft, the exploit has since been scrubbed from the hacked Web site, but it expects more to surface. "We do anticipate future exploitation given the public disclosure of full details of the issue," said Jerry Bryant. Microsoft's group manager of response communications.
The vulnerability was disclosed last Thursday by Tavis Ormandy, a security engineer who works for Google. Ormandy, who also posted proof-of-concept attack code, defended his decision to reveal the flaw only five days after reporting it to Microsoft -- a move that Microsoft and other researchers questioned.
Today, Cluley called Ormandy's action "utterly irresponsible," and in a blog post asked, "Tavis Ormandy -- are you pleased with yourself?"
The five-day stretch between the day Ormandy reported the bug to Microsoft and when he publicly disclosed the flaw stuck in Cluley's craw. "Five days isn't enough time to expect Microsoft to develop a fix, which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct," Cluley said.
In a message on Twitter last week, Ormandy said that he released the information because Microsoft would not commit to producing a patch within 60 days. "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days," Ormandy said on Saturday.
Microsoft confirmed that its security team had discussed a patch schedule with Ormandy.
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Bryant. "We were surprised by the public release of details on the 9th."
Microsoft issued a security advisory on the vulnerability last Thursday that acknowledged the bug and offered up a manual workaround it said would protect users against attack. The next day, it posted a "Fix it" tool that automatically unregisters the HCP protocol handler, a move Microsoft said "would help block known attack vectors before a security update is available."
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts