On June 10th, Microsoft warned of a vulnerability in the Help and Support function of Windows XP SP2 or SP3. The vulnerability was first discovered by Google’s senior security researcher, Tavis Ormandy, who, after notifying Microsoft of the vulnerability, released proof-of-concept code a few days later. His defense for releasing the proof-of-concept code was “I would like to point out that if I had reported the MPC::HexToNum() issue without a working exploit, I would have been ignored”.
The proof-of-concept code is now being used at an increasing rate to target unpatched computers. Holly Stewart of the Microsoft Malware Protection Center has stated that over 10,000 distinct computers have reported seeing the attack at least one time.
Attacks started being reported around June 15th, but only in limited numbers. However, “in the past week attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution”, according to Stewart.
According to the Microsoft Malware Protection Center, the largest areas of attack in terms of volume are the United States, Russia, Portugal, Germany, and Brazil, with Portugal seeing the majority of the attacks.
If you are running Windows XP SP2 or SP3, the only current workaround until Microsoft releases a patch is to unregister the HCP protocol, which disables hcp:// style links.
Microsoft has released a Fix It dedicated to unregistering the HCP protocol. It will download the tool, create a Restore Point, and remove the HCP registry entry. If you are running Windows XP SP2 or SP3, download it immediately.
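Until the workaround or a patch is in place on every machine, it also helps to know whether web or mail content reaching users contains hcp:// references at all. The Python code below is an added example, not code from Microsoft or from the original article: it parses HTML and reports hcp: references even when the scheme is upper-cased, entity-encoded or split by a tab. The function names, the attribute list and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "data", "background"}  # URL-bearing attributes
LEADING_JUNK = "".join(map(chr, range(0x21)))  # C0 controls and space, ignored by URL parsers
# Constructed sample page; the hcp:// targets are placeholders, not real Help Center URLs.
SAMPLE_HTML = """<html><body>
<a href="https://example.com/help">ordinary link</a>
<iframe src="HCP://placeholder/a.htm"></iframe>
<a href="h&#99;p://placeholder/b.htm">entity-encoded scheme</a>
<a href=" hc\tp://placeholder/c.htm">tab inside scheme</a>
<meta http-equiv="refresh" content="0; URL=hcp://placeholder/d.htm">
<script>window.location = "hcp://placeholder/e.htm";</script>
</body></html>"""

def is_hcp_url(value):
    """True if value uses the hcp: scheme after browser-style cleanup."""
    cleaned = re.sub(r"[\t\r\n]", "", value or "").lstrip(LEADING_JUNK)
    return cleaned[:4].lower() == "hcp:"

class HcpLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits, self.in_script = [], False  # hits: (line, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:  # entities in attribute values are already decoded
            target = value
            if tag == "meta" and name == "content":  # refresh form: "0; url=..."
                target = (re.findall(r"url\s*=\s*['\"]?(.+)", value or "", re.I | re.S) or [""])[0]
            elif name not in URL_ATTRS:
                continue
            if is_hcp_url(target):
                self.hits.append((self.getpos()[0], tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies are not URLs, so fall back to a literal pattern match.
        if self.in_script and re.search(r"hcp\s*:\s*//", data, re.I):
            self.hits.append((self.getpos()[0], "script", "text", data.strip()))

def find_hcp_links(html_text):
    finder = HcpLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits
```

Calling `find_hcp_links(SAMPLE_HTML)` returns one tuple per suspicious reference with its line number, which can be logged or used to block the page at a gateway.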
It is noted that Windows Server 2003 was included, but Microsoft has since stated that “Based on the samples analyzed, Windows Server 2003 systems are not currently at risk from these attacks”.