XP vulnerability outed by Googler being exploited

The recent Microsoft Windows Help and Support Center vulnerability outed by a Google engineer is being exploited in the wild.

A compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users' computers.

Tavis Ormandy, a Swiss Google employee, found the vulnerability in Windows XP's Help and Support Center, and gave the company just five days to fix the problem before going public with details of how hackers could write code to exploit it.

The vulnerability afflicts the Help and Support Center for Windows XP and Server 2003.

Ormandy wrote that hackers could use a web page to run dodgy commands using the remote assistance tool, which tech support staff would use to guide users through a problem with their PC.

"Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user," Ormandy wrote.

Now Sophos reports that that is exactly what's happening.

Orrmandy said he'd alerted Microsoft the presence of the vulnerability. "I've concluded that there's a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security," he wrote.

But Sophos brands the the outing of the bug as "irresponsible".

Sophos proactively detects the page as Sus/HcpExpl-A, and the Trojan horse it downloads as Troj/Drop-FS.

On his blog, Sophos spokesman Graham Cluley, writes: In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the Internet would make it easy for cybercriminals to take advantage."

He continues: "A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed. Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct."

Clearly miffed Cluley writes: "So my question to Mr Ormandy is this - do you feel proud of your behaviour? Do you think that you have helped raise security on the Internet? Or did you put your vanity ahead of others' safety?"

Google has a record of attacking Microsoft's security in the press and is clearly engaged in an attempt to undermine the outfit's reputation, something it is quite capable of doing on its own.

Ormandy has done so himself in the past and posts his missives as apparently-unaffiliated bystander rather than a Google employee. This time he may have gone too far.