Malware, Vulnerability Management

Microsoft warns of soaring Windows Help Center exploits

Attacks taking advantage of a zero-day Windows Help and Support Center vulnerability drastically have gained in prevalence and scope in recent days, malware specialists at Microsoft warned Thursday evening.

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center, said engineers began spotting in-the-wild exploits targeting the flaw on June 15, five days after the software giant confirmed the bug with the release of a security advisory. The vulnerability, which affects Windows XP and Server 2003 machines, was discovered by Google engineer Tavis Ormandy, who published exploit code in a post on the Full Disclosure mailing list.

Ormandy's disclosure prompted a number of other proof-of-concepts, followed by active exploits that initially were "targeted and fairly limited" in nature, Stewart said. However, recently the scope of the attacks dramatically has widened.

"In the past week...attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution," she wrote in a blog post.

Attackers have attempted to infect at least 10,000 computers, malware engineers at Microsoft said. Most victim machines are based in the United States, Russia, Portugal, Germany and Brazil, though the highest percentage of infected PCs is in Portugal and Russia.

Many of the exploits are being hosted on "seemingly automated, randomly generated" websites, Stewart said. In some cases, the exploit has attempted to install a trojan downloader known as Obitel — which tries to download additional malware — while in other scenarios, the exploit directly leads to malware.

The flaw is present in the Windows Help and Support Center application and is caused by the improper sanitization of "hcp:// URIs," which is a protocol handler used to access help documents through specific URLs, Ormandy said. By persuading a user to click on a malicious link, an attacker could execute arbitrary code on a victim's machine.

Customers running Windows Vista, 7, Server 2008 and Server 2008 R2 are not susceptible to the vulnerability. As affected users await a permanent fix, they are encouraged to apply a "Fix It" workaround, as outlined in the security advisory released by Microsoft.

The software giant is next expected to release patches for its vulnerable products on July 13.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.