Posted: Wed Jun 16, 2010 7:34 pm Post subject: Zero day flaw for Windows XP exploited
A ZERO DAY FLAW in Windows XP that was outed last week by a Google engineer is being exploited.
According to media-friendly Graham Cluley, senior technology consultant at the insecurity firm Sophos, a compromised website is serving an exploit of the bug in Windows' Help and Support Center to hijack PCs running Windows XP.
Cluley has not identified the website, but said that the exploit is a classic drive-by attack that only requires a Windows XP user to visit it.
Last week Microsoft listed two potential attack vectors for Windows XP and this was one of them. The other involved convincing users to open malicious e-mail messages.
The flaw was first revealed by Tavis Ormandy, a security engineer at Google. He revealed the flaw only five days after reporting it to Microsoft. He said that he revealed the flaw because Microsoft would not commit to fixing the bug in 60 days, and even posted sample exploit code.
Writing in his blog, Cluley called Ormandy's action "utterly irresponsible," and asked, "Tavis Ormandy -- are you pleased with yourself?"
"Five days isn't enough time to expect Microsoft to develop a fix, which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct," Cluley said.