AfterDawn: Tech news
AfterDawn > News > Criminals target unpatched Windows XP bug

Criminals target unpatched Windows XP bug

Written by James Delahunty @ 15 Jun 2010 10:43 User comments (5)

Criminals target unpatched Windows XP bug A few days ago, we reported about a controversial disclosure of an exploitable vulnerability that affects Windows XP and Windows Server 2003. Google engineer Tavis Ormandy had alerted Microsoft of the problem and then just five days later published an advisory detailing the bug, even though no patch had been distributed by Microsoft for the problem.
Ormandy was heavily criticized for not waiting until the Redmond software giant had pushed out an update for the bug, which affects the Windows Help and Support Center. His affiliation with Google also fueled some speculation of his motivation for publishing the advisory early. However, Ormandy has consistently defended himself, indicating this is probably the only way to ensure that Microsoft will release a patch.



The flaw was disclosed only last Thursday, but anti-virus provider Sophos has already found that the vulnerability is being targeted by criminal hackers. The bug could potentially allow an attacker to execute code on a victims computer using specially crafted webpages or crafted links in e-mail messages.

While the original bug affects Windows Server 2003, Microsoft's analysis found that only Windows XP is vulnerable to the attacks. Currently, the crafted webpages download an execute malware (Troj/Drop-FS) on a victims computer, according to Sophos.

Microsoft amended its own advisory on the bug, adding that the company is aware that limited, targeted active attacks are happening as a result of the issue.

Windows XP users concerned about the bug can use Microsoft's online FixIt application to disable vulnerable features in the Help and Support Center.

<E3 2010: PlayStation Plus premium PSN access revealed, 50 million PSN accounts >NVIDIA pushing '3D PC' spec
Previous Next  

5 user comments

115.6.2010 22:51
KillerBug
Send private message to this user
AfterDawn Addict

I'm sure MS will get right on this...as soon as their lawyers tell them they have to.

215.6.2010 23:03
biglo30
Send private message to this user
Senior Member

The guy who released the code is a serious bitch, who cares about how long Microsoft took to fix the vulnerability at least we know they will get it fixed, its not like they don't have anything else to do lus they already want to drop support for it. Now this idiot has exposed a vast amount of xp users to it which could have been prevent had he not released it with detail. No excuse that was just wrong.

316.6.2010 01:29
KillerBug
Send private message to this user
AfterDawn Addict

"at least we know they will get it fixed"

That is just the thing; microsoft leaves a lot of security holes open for years and years while hackers know about the holes; they patch the easy ones, but the hard ones don't even get fixed for the service packs; in fact some of the security holes in windows 7 have been there since windows 2000, and some even go back to NT4! At least my making a big, public spectacle of the problem, he has forced microsoft to fix the problem...oh wait, it still isn't fixed; they just released a tool to disable features until they fix them...and it isn't even an automatic update. Microsoft should spend less time blaming the person who reported the problem and more time fixing the problem!

416.6.2010 11:40
Dela
Send private message to this user
Staff Member

Originally posted by KillerBug:
 "at least we know they will get it fixed"

That is just the thing; microsoft leaves a lot of security holes open for years and years while hackers know about the holes; they patch the easy ones, but the hard ones don't even get fixed for the service packs; in fact some of the security holes in windows 7 have been there since windows 2000, and some even go back to NT4! At least my making a big, public spectacle of the problem, he has forced microsoft to fix the problem...oh wait, it still isn't fixed; they just released a tool to disable features until they fix them...and it isn't even an automatic update. Microsoft should spend less time blaming the person who reported the problem and more time fixing the problem!
Asked you the last time you commented on these security holes, which security hole are you referring to that's been around since NT debuted that still affects Windows 7?

517.6.2010 22:42
ChappyTTV
Send private message to this user
Member

Originally posted by Dela:
Originally posted by KillerBug:
 "at least we know they will get it fixed"

That is just the thing; microsoft leaves a lot of security holes open for years and years while hackers know about the holes; they patch the easy ones, but the hard ones don't even get fixed for the service packs; in fact some of the security holes in windows 7 have been there since windows 2000, and some even go back to NT4! At least my making a big, public spectacle of the problem, he has forced microsoft to fix the problem...oh wait, it still isn't fixed; they just released a tool to disable features until they fix them...and it isn't even an automatic update. Microsoft should spend less time blaming the person who reported the problem and more time fixing the problem!
Asked you the last time you commented on these security holes, which security hole are you referring to that's been around since NT debuted that still affects Windows 7?
Exactly....please elaborate with facts, or STFU.
MS doesn't make a habit of not patching known security holes, and there are zero NT to W7 cross platform exploits that I'm aware of (that aren't patched), and I've worked in the PC Security industry (Independant analyst/tester).
I think you're just a "bash MS" bandwagon rider myself, willing to float whatever rumor suits your fancy, without ever explaining them.
Sure...everyone knows Windows is a security nightmare, I'll just drop this made up (but plausible sounding) post out there, all the other wagon jumpers will surely line up to rattle the cages even more, and nobody will ever be the wiser...right?

Wrong...this sh!t is getting old really fast. Normal PC users trying to make a name for themselves on forums by being all blustery and flying the bash flag higher than the others. Maybe all of the others will think you're a cool geeky type because you post claims that all the other wagoneers will roll with gleefully without question, but those in the know are sick of this cr@p and are gonna start calling you on this.

Despite what you think, the entire security industry will think this guy is in the wrong by releasing exploit data before a proper fix can be released. The only thing he's "forcing" is the criminals...to exploit as much as they can before a patch is released thru WU.

Now, go burn up Google search trying to find something that can back up your "claims" and get back to us ASAP.
This message has been edited since its posting. Latest edit was made on 17 Jun 2010 @ 10:45

Comments have been disabled for this article.

Latest news

YouTube Premium starts showing ads to subscribers YouTube Premium starts showing ads to subscribers (13 Nov 2024 3:09)
For years, YouTube Premium has been marketed as a way to enjoy an ad-free YouTube experience. But apparently, that is no longer the case, as Premium subscribers are now starting to see ads on the platform.
1 user comment
Android 16 will launch sooner than expected Android 16 will launch sooner than expected (01 Nov 2024 6:45)
Google announced that upcoming Android 16 will break the traditional once-a-year cycle of major Android launches. Next Android is poised to launch in Q2 of 2025, so Android 16 should ship before end of June, 2025.
Winamp ends its open source project that wasn't really open source Winamp ends its "open source" project that wasn't really open source (20 Oct 2024 11:12)
Less than a month after the legendary MP3 player Winamp made its source code public, the company has made a sudden U-turn and removed its code from distribution.
2 user comments
Winamp released its source code - but didn't go open source Winamp released its source code - but didn't go open source (25 Sep 2024 12:38)
The source code of Winamp has now been officially released. However, it hasn't become a pure open-source project, as its licensing terms prohibit the creation of new, different versions.
Does your phone rattle? Here's why it happens Does your phone rattle? Here's why it happens (25 Aug 2024 8:30)
When you shake your phone and hear a light rattle, clatter, or jingle, it's likely not broken. The culprit is probably the optical image stabilization (OIS) system in your phone's camera, meaning everything is functioning as it should.
2 user comments

Reviews

Roborock S8 MaxV Ultra review - obstacle avoidance doesn't work as it should, otherwise almost perfect robot vacuum Roborock S8 MaxV Ultra review - obstacle avoidance doesn't work as it should, otherwise almost perfect robot vacuum
We put the Roborock S8 MaxV Ultra through a very, very long review process. The $1800 mopping robot vacuum is almost perfect, but its obstacle avoidance was surprisingly bad, considering the price - and compared to its competitors.
Sharge x OnePlus Pouch review: Beautiful power bank that supports SuperVOOC charging Sharge x OnePlus Pouch review: Beautiful power bank that supports SuperVOOC charging
In our review, we take a look at Sharge's power bank that supports OnePlus SuperVOOC quick charging technology as well as standard USB PD charging. It has small design flaws, but despite those, the Pouch is very nice product.
1 user comment
Roomba Combo j7+ review - Clever trick allows robot vacuum finally to tackle home with rugs and carpets Roomba Combo j7+ review - Clever trick allows robot vacuum finally to tackle home with rugs and carpets
Roomba Combo j7+ is the very first Roomba model to combine robot vacuum with mopping features. And Roomba Combo j7+ does all that with a very clever trick, which tackles the problem with mopping and carpets. But is it any good? We found out.

Guides

What IP rating for dust and water resistance means What IP rating for dust and water resistance means
An IP classification (such as IP68) is given to mobile phones, Bluetooth speakers, and other devices, but what do these classifications mean?
1 user comment
Guide: Is Your Wi-Fi Sluggish or Slow? Here's How to Fix Guide: Is Your Wi-Fi Sluggish or Slow? Here's How to Fix
Do you have problems with you Wi-Fi? Slow connection or is it cutting off constantly? This guide aims to remedy these problems.
1 user comment
What happens if you don't update Android? What happens if you don't update Android?
Sometimes it can be tempting to avoid updating to a new Android version. What happens if you decide to delay major updates to the OS?
Guide: Phone battery drains quickly - how to fix (iPhone / Android) Guide: Phone battery drains quickly - how to fix (iPhone / Android)
In this guide, we go through the most typical reasons for rapid battery drain with phones, and look at potential reasons or solutions.
Does your phone rattle? Here's why it happens Does your phone rattle? Here's why it happens
When you shake your phone and hear a light rattle, clatter, or jingle, it's likely not broken. The culprit is probably the optical image stabilization (OIS) system in your phone's camera, meaning everything is functioning as it should.
2 user comments

News archive

Sections:

Follow us:

© 1999-2024 AfterDawn Oy. All rights reserved
Back to Top ⇧
AfterDawn is powered by Powered by UpCloud