Just a quick post here to provide an update on the attack attempts related to the Help and Support Center vulnerability and to stress the importance of applying the critical update made available today, MS10-042, which fixes the issue for the two vulnerable operating systems, Windows XP and Windows 2003.
A few weeks ago, MMPC reported seeing automated attacks that were identified by the signatures we had deployed in our protection products. These attack attempts have continued to expand and some new attack patterns have come into play. The attacks that we have witnessed in the wild work only on Windows XP (not Windows 2003). Early on, we saw attackers incorporate code to single out Windows XP targets, but more recently the attackers have been less discriminating, attempting this attack on a variety of operating systems. About half of these were not susceptible, because the exploit code could only have succeeded on a vulnerable version of Windows XP.
As of midnight on July 12 (GMT), over 25,000 distinct computers in over 100 countries/regions have reported this attack attempt at least one time. The chart below shows a fairly large increase over this past weekend, shortly after the MSRC announced that an update would be provided to fix this issue with the July security bulletin release.
These reports come from machines using our protection products and services, such as Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. For more information about the signatures that detect this exploit and payloads delivered by it, see the previous post on this topic.
Changes in Country/Region Distribution
Although Portugal has remained one of the most targeted areas, attacks on Russian systems have surpassed it over the past few weeks. Russia has now seen more than ten times the global average number of attack attempts per computer. Other countries/regions that have seen more than the global average are predominantly in Europe and the UK. The UK, in particular, was one of the regions in which we witnessed a surge in attack attempts over this past weekend.
Considering MMPC has received telemetry on attack attempts in over 100 countries/regions, we recommend that everyone—regardless of their location—apply MS10-042 today on any of their systems running Windows XP or Windows 2003.
-Holly Stewart, MMPC