June 15, 2010

A security vulnerability in Microsoft Windows XP systems that was first disclosed a week ago is now being actively exploited by malicious Web sites to foist malware on vulnerable PCs, according to reports.

Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.

If you use Windows XP and have not yet taken Microsoft up on its suggestion to disable the vulnerable Help & Support Center component, please consider taking a moment to do that today. Until Microsoft issues an official fix for this flaw, the workaround they suggest is an easy and apparently painless one. The instructions are available at this link.

Update, June 17, 9:20 a.m. PST: Updated post to include link to Microsoft “FixIt” tool.

31 thoughts on “Unpatched Windows XP Flaw Being Exploited

  1. Moike

    Thanks to Ormandy’s misinterpretation of Bruce Schneier’s writings, Aunt Gertrude, whose only defense is to allow Windows Update to run, is 100% vulnerable to the criminals of the Internet. Prior to Ormandy’s irresponsible disclosure, there’s only a chance that she *might* have been vulnerable.

    There’s a good argument for a reasonable period between vulnerability discovery and publication.

    1. xAdmin

      I initially had this thought, but after reading Ormandy’s write up (see link below), I’m beginning to agree with getting this stuff out in the open ASAP! IMHO, Ormandy’s core thought process is to protect the end user! Security by obscurity just doesn’t work in today’s threat landscape!


      On a side note: considering Microsoft’s horrible redesign and lack of reverting to “Classic” mode, not to mention IMO, dumbing down of the GUI in Windows 7, I’m going to be giving open source OS’s serious consideration in the near future!

      1. Moike

        >Ormandy’s core thought process is to protect the end user!

        And today, Aunt Gertrude is measurably safer than she was on June 1….how? That’s not much protection for end users.

        1. Normandy

          We now know what we can do to make sure this flaw isn’t exploited across our domains via group policy or on our personal PC via the FixIt link.

          1. Moike

            Only a tiny percentage of ‘normal users’ know what to do; everyone else is vulnerable, thanks to Ormandy.

      1. Moike

        Even there he fails to make the case that he is protecting Grandma by releasing in 5 days instead of 60 days. We’d all be beating up on Microsoft instead of Ormandy if they knew of a problem and failed to patch it in 60 days and it was being exploited.

  2. xAdmin

    Thanks Brian, the more sunlight we can shine on these issues the better!

    As John pointed out in a previous post,

    Microsoft has a FixIt solution (see link below) that will make the necessary registry changes (handy for non techie users) and neuter this vulnerability. 🙂


    While a defense in depth strategy will highly minimize the threat, let’s hope Microsoft gets an out of band patch out for this very soon!

    1. Doug

      First, note the manual workaround is to save, then delete the HKEY_CLASSES_ROOT\HCP key

      MS says they have a fix-it that does the workaround for you. So I applied the MS Fix-it #50459 (on my WinXP Pro machine) then checked the registry, the HKEY_CLASSES_ROOT\HCP key is still present. Unfortunately, I did not view the key before first running the fix so I don’t know whether the key contents have changed. I used the MS Fix-it #50460 to undo the changes, the key (and contents) did not change. I re-applied #50459, the key is still unchanged.

      Has anyone else noticed this?

      What is the MS Fix-it doing? (it’s not deleting the key!)

      1. Doug

        Addendum – my Help Center & control panel seem to work as normal.

      2. xAdmin

        The FixIt solution SHOULD be removing the registry key. Are you logged in as administrator when running the FixIt? As that is required in order to have the appropriate permissions to that part of the registry. After the fix, any HCP link should no longer work, although the Help and Support functionality still seems to function. Another mitigating step to take would be to stop and disable the “Help and Support” service via Computer Management. This will actually disable that functionality. 🙂

          1. Doug

            OK, my mystery is solved – the fix it deletes the sub-keys (shell – open -command sub keys) of the HCP key but does not delete the HCP key. Without the command sub-key the hcp links will not function.

            Admin, thanks for the feedback.

  3. JBV

    FixIt took about 10 seconds to install.

    Does this completely disable Help & Support? (Sorry, I’m not that technically savvy.)

  4. jerry

    Won’t disabling the help and support service mitigate this vulnerability?

    1. xAdmin

      It provides a defensive layer by disabling the functionality. But, I would still implement the registry fix as another defensive measure. Overall though, even after Microsoft issues a fix, I’ll still keep the “Help and Support” service disabled as a defensive layer since I absolutely do not need that service. 🙂

  5. David Chasey

    Instructions say may not be able to access Control Panel after Workaround applied. But I need access to Control Panel.

    1. JBV

      Try using the FixIt link above. It did not do anything to affect control panel on my computer.

  6. David Chasey

    P.S. A workaround that looks easy for some looks anything but easy to others, e.g. me.

  7. mr bubble

    “Prior to Ormandy’s irresponsible disclosure, there’s only a chance that she *might* have been vulnerable.”

    Indeed, if epidemiologists hadn’t published research on the Mayaro virus in 2000-2001, there wouldn’t have been a Mayaro virus outbreak this year in Venezuela.

    There’s a chance Venezuelans *might* have been vulnerable before those phds recklessly published, now they are definitely vulnerable.

    1. Moike

      You misunderstand – I’m not arguing against disclosure – just reckless disclosure without a reasonable period of time. If Ormandy would have waited 60 days, we’d all be beating up on Microsoft for failure to patch instead of Ormandy for irresponsible disclosure.

  8. muffin

    can someone help me? I clicked on the link in brian’s column above about the vulnerability in the MS help center. that link says it sent this advisory to IT professionals. i am not an IT professional. do you think it will be ok for me to do the automatic fix. i’m a bit apprehensive that it’s going to ask me questions that i don’t understand.

    1. JBV

      muffin: Go to the link in Brian’s post, and click on the little man that says enable Fixit. They don’t ask you any questions. It takes about 10 seconds to download. You don’t have to do anything else. If it makes your computer do anything strange, go back to the same page and click on the other little man to remove the fix.

  9. xAdmin

    Nothing to be afraid of. The link (http://support.microsoft.com/kb/2219475) you’re referring to is meant for non-technical users.

    The “IT Professionals” wording in the “Introduction” section is only referring to the security advisory (with a link to visit that page) which contains more technical information about the issue.

    So, go ahead and follow the directions under the “Fix it for me” section. 🙂

  10. muffin

    JBV and Xadmin: thanks for much for replying and the encouragement. i’ll do it!

  11. Bart

    I installed the fix on 17 June and this morning, 19 June, my XP system would not boot. This was puzzling, as I turn off my PC each evening, and so would have expected to have this problem happen upon boot-up yesterday, the 18th.

    Anyway, via Safe Mode, I dropped back to the Restore point named “Installed MS Fixit 50459” from the 17th, and now seem OK.

    The only thing of note that happened on 18 June was that SuperAntiSpyware found several tracking cookies. Seeing that, I went to the quarantine file and deleted a couple of older, more serious looking entries. Supposedly, this should not have affected me.

    Since I am now reluctant to re-run the MS Fixit, is there a way to disable the Help and Support Center via regular parms?

    1. jerry

      From an admin account, Start>Run>Services.msc>ok
      Then find the help and support center>right click>properties and then disable from the startup type drop down menu. Then, click the stop button below startup type

  12. Bart

    Thanks very much, Jerry.

    That command was new for me and I saw that of all the dozens of services, I have only 8 disabled. I wonder if some others can be disabled maybe to cause a quicker boot-up?

Comments are closed.