Microsoft confirms critical Windows XP bug, recommends workaround


Microsoft (NASDAQ: MSFT) late last week confirmed the presence of a bug in Windows XP SP2 that could be used to infect PCs simply by tricking users into visiting a specially crafted website. The issue lies in the Windows Help and Support Center, specifically in a bug in the "hcp" protocol handler that parses Microsoft help files.

The vulnerability was discovered by Google (NASDAQ: GOOG) engineer Tavis Ormandy, who highlighted how the Windows Help and Support Center in SP2 actually whitelists web-based support documents as an added precaution against precisely such a problem. "Unfortunately, an implementation error in the whitelist allows it to be evaded," Ormandy wrote.

According to Ormandy, a successful attack would most likely be invisible to the victim. Ormandy noted that "Perhaps the only unavoidable signal would be the momentary appearance of the Help Center window before the attacker hides it." Switching to Firefox or Chrome will not protect users from this particular attack.

Ormandy first informed Microsoft of the problem last Monday, before deciding to publicly reveal the details just four days later. The disclosure comes complete with proof-of-concept exploit code, which makes the flaw easier for attackers to exploit. Understandably, this has triggered criticism from other security researchers, and especially from Microsoft, questioning the motives behind the quick publication of the exploit.

According to Network World, Microsoft's fastest patch turnaround this year came in January, when an emergency IE patch fixed a bug that had been used to break into Google's corporate network. Microsoft says the vulnerability is limited to Windows XP and Windows Server 2003. For now, Microsoft urges users and system administrators to unregister the HCP protocol as a temporary workaround.

For more on this story:
- check out the article at Network World
- check out the article at CNET News
- check out the article at Search Security 
