Security researcher working for Google found a hole in Help and Support Center for Windows in the beginning of June. He then explored it, found which versions of Windows OS were affected and had some clues about ways to fix it. After few days he contacted Microsoft’s software security employees, for what he thought would be fast “fix” creation and distribution.
Things didn’t go as smoothly as expected, be it because the discovery was made by Google employee, or because the patch needed was hard to program. Some negotiations took place, a week passed, but no agreement upon “0-day” fix creation was reached. Then the researcher – Tavis Ormandy, decided to make the details publicly available to the IT community. The bad thing about this is that hackers closely follow security vulnerabilities publications, and usually react much faster then big companies, who create fixes for these vulnerabilities. This had the expected result – exploits were published that used the vulnerability, and worms began crawling around Windows XP systems, doing damage on their way.
Microsoft representatives said that “Microsoft was surprised by the decision of Mr. Ormandy” to release such serious vulnerability to the public. They just forgot to mention that enough time was given to them to make decision about the problem before the publications.
After 33 days of exploitation by different malware software the hole can now be sealed – if you use Windows XP or Windows Server 2003 operation system go and download MS10-042 (Critical Patch): Vulnerability in Help and Support Center.
This update will resolve the problem described on Microsoft site as a patch to resolve security problem which exists in versions of Windows Help And Support Center for these two operation systems. It allows remote code to be executed on your system, when you visit specially formatted Web page or open specially created e@mail links. Though fairly dangerous, the security hole does not allow automatic e@maila activation.
If your automatic update feature is enabled most probably you are already safe from attackers, as it was included in auto update patches a week ago. Also note that the security hole needed a click on a link in an e@mail message to used, so chances are, if you surf safely, that you are not infected or affected in any way by the breach.
Though Microsoft company was unhappy with the decision of making such vulnerability in serious operation systems as Windows Server 2003, and though some damage was done to machines around the world, maybe such publication was needed, as it shortened the usual 60 days for patch creation to just over a month – making life easier to those who still use XP and Server 2003 – ageing, but still very useful and fast PC operation systems.