Microsoft on Thursday confirmed that Windows XP and Windows Server 2003 contain an unpatched bug that could be used to infect PCs by duping users into visiting rigged Websites or opening attack email. The company said it has seen no active in-the-wild attacks exploiting the vulnerability.
The bug in Windows' Help and Support Center -- a component that lets users access and download Microsoft help files from the Web -- doesn't properly parse the "hcp" protocol handler, Microsoft said in an advisory issued Thursday afternoon. Attackers can leverage the vulnerability by enticing users to malicious or hacked Websites, or by convincing them to open malformed email messages.
Windows Vista, Windows 7 , Windows Server, and Windows Server 2008 R2 are not vulnerable to the attack.
Microsoft plans to produce a patch, but has not set a release date. "Microsoft is currently working to develop a security update for Windows to address this vulnerability," the advisory stated. July 13 is Microsoft's next scheduled Patch Tuesday, but it sometimes issues patches outside its monthly plan. The last time it did so was in late March when it fixed a bug in Internet Explorer that attackers were aggressively exploiting.
The advisory was prompted by the bug's disclosure early Thursday , and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.
Microsoft made no distinction between Ormandy and his employer in a blog post Thursday.