Researchers have found evidence that attackers are exploiting the vulnerability in the Windows Help and Support Center that was at the center of so much controversy last week.
The flaw, which is in the protocol handler related to the Microsoft Windows Help and Support Center, was disclosed late last week by Tavis Ormandy, a security researcher who works for Google. The disclosure, which came just five days after Ormandy notified Microsoft of the vulnerability, caused a huge dustup in the security community and elicited a rather testy response from the Microsoft Security Response Center.
Now, researchers say that they have seen evidence that attackers are using the vulnerability in active attacks. Sophos researchers identified a piece of malware that’s being used by a compromised site to attack visitors.
“Today, we got the first pro-active detection (Sus/HcpExpl-A) on malware that is spreading via a compromised website. This malware downloads and executes an additional malicious component (which will shortly be detected as Troj/Drop-FS) on the victim’s computer, by exploiting this vulnerability.”
At the time of his disclosure, Ormandy said he was posting details of the vulnerability because he felt there was a strong likelihood that attackers knew about it already.
“I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security,” he said in his advisory.
Microsoft’s Security Response Center said that it is aware of the attacks and recommends that affected Windows XP users deploy the FixIt patch in the security advisory.