
Microsoft has said it’s seeing an escalating number of attacks exploiting the unpatched Windows Help and Support Center vulnerability that was publicized last month.

Tavis Ormandy, a Google researcher, has drawn criticism for releasing details of the vulnerability and proof-of-concept exploit code on the Full Disclosure mailing list less than a week after he reported it to Microsoft.

The vulnerability is in the hcp:// protocol handler used by Windows Help and Support Center. On Windows XP and Server 2003 it allows remote code execution: a user who merely visits a malicious web page can have malware installed with no further interaction (a drive-by download).

Microsoft said it had observed attacks on 10,000 machines, with the largest volumes in the United States, Russia, Portugal, Germany, and Brazil.

Microsoft said: “At first, the attacks seemed to focus on downloading Obitel, which is malware that simply downloads other malware. However, most recently, downloads have run the gamut, varying in methodology (some direct downloads, but also some downloads involving single or double script redirects, which our products detect as TrojanDownloader:JS/Adodb.F and TrojanDownloader:JS/Adodb.G), and also varying in payload.”

Microsoft also said: “Starting last week, we started seeing seemingly-automated, randomly-generated html and php pages hosting this exploit. This attack methodology constitutes the bulk of attacks that have continued to flourish into this week.”
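One practical triage step that follows from Microsoft's description: an ordinary web page has no legitimate reason to invoke the hcp: protocol handler (it is the local Help and Support Center handler this vulnerability lives in), so any captured page, proxy log line or redirect chain that references hcp: is worth a look. The PowerShell below is an added example written for this post, not code from the original article or from Microsoft; the sample lines are constructed, and the script-context heuristic is an assumption of the example, not a detection signature Microsoft published.

```powershell
# Added example (not from the original post or from Microsoft): flag captured
# web content that references the hcp: protocol handler. Sample lines are
# constructed for illustration; the InScript heuristic is this example's own.

function Find-HcpReferences {
    param(
        [Parameter(Mandatory)][string[]] $Lines,
        [string] $Source = 'sample'
    )
    # Match hcp as a URL scheme, case-insensitively, whether it appears plainly
    # (hcp:) or URL-encoded (hcp%3A) inside an href, iframe src or script string.
    $pattern = '(?i)\bhcp(?::|%3a)'
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $pattern) {
            $hits += [pscustomobject]@{
                Source   = $Source
                Line     = $i + 1
                Text     = $Lines[$i].Trim()
                # Microsoft described script-driven redirects as one delivery
                # method; record whether the reference sits in script context.
                InScript = ($Lines[$i] -match '(?i)<script|location|document\.write')
            }
        }
    }
    return $hits
}

# Constructed sample of a captured page: one benign link, one hcp: reference in
# a JavaScript redirect, one URL-encoded reference in a hidden iframe.
$sample = @(
    '<a href="http://example.com/index.html">home</a>',
    '<script>window.location = "hcp://system/";</script>',
    '<iframe src="hcp%3A%2F%2Fsystem%2F" width="1" height="1"></iframe>'
)

Find-HcpReferences -Lines $sample -Source 'captured.html' | Format-Table -AutoSize
```

Run against saved page bodies or proxy logs rather than live sites. Two of the three constructed lines are flagged; the benign http:// link is not. The hcp: scheme check is the part to trust; the script-context flag is only a hint for prioritising which hits to examine first.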

There is no word on when Microsoft expects to fix the vulnerability.

Microsoft Malware Protection Center blog here: “Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)”

Microsoft advisory with work-around here: Microsoft Security Advisory (2219475)
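The advisory's workaround is to unregister the hcp: protocol handler by removing its registry key, HKEY_CLASSES_ROOT\HCP, after exporting a backup. The PowerShell below is an added example for this post, not Microsoft's Fix It or the advisory's own script: it reports whether the handler is still registered and, only with -Apply, exports the key and deletes it. The backup file location is an assumption of the example. It must be run as Administrator on the affected systems (Windows XP and Server 2003).

```powershell
# Added example (not from the original post or the Microsoft advisory): check
# whether the Help and Support Center protocol handler (hcp:) is registered,
# and optionally apply the advisory's workaround of unregistering it.
# HKEY_CLASSES_ROOT\HCP is the key the advisory's workaround removes; the
# backup path below is an assumption of this example.

function Test-HcpHandlerRegistered {
    # $true when the hcp: protocol handler is still registered (machine exposed).
    return (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\HCP')
}

function Disable-HcpHandler {
    param(
        [string] $BackupPath = "$env:SystemDrive\hcp-backup.reg",   # assumed location
        [switch] $Apply
    )
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Output 'HCP protocol handler is not registered; nothing to do.'
        return
    }
    Write-Output 'HCP protocol handler is registered; this machine is exposed to CVE-2010-1885.'
    if (-not $Apply) {
        Write-Output 'Re-run with -Apply to export HKCR\HCP to a .reg backup and delete it.'
        return
    }
    # Export first so the handler can be restored later with "reg import <backup>"
    # once a patch is installed. Until then hcp:// links in Help and Support
    # Center will not work, which is the cost of this workaround.
    if (Test-Path -LiteralPath $BackupPath) { Remove-Item -LiteralPath $BackupPath -Force }
    & reg.exe export 'HKCR\HCP' $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
        throw "Backup of HKCR\HCP to $BackupPath failed; handler left in place"
    }
    Remove-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\HCP' -Recurse -Force
    if (Test-HcpHandlerRegistered) { throw 'HKCR\HCP still present after removal' }
    Write-Output "HCP protocol handler unregistered; backup saved to $BackupPath"
}

Disable-HcpHandler            # report only
# Disable-HcpHandler -Apply   # apply the workaround
```

The function refuses to delete the key unless the export succeeded, so there is always a backup to import when the workaround is no longer needed. Verify the result with Test-HcpHandlerRegistered, and keep in mind that the workaround only disables the handler; it does not fix the underlying bug.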

I think Tavis Ormandy just made himself the poster boy for responsible disclosure.

Tom Kelchner