Late last week Microsoft released a security bulletin, Microsoft Security Advisory (2219475), that addressed an issue in Windows Help and Support Center in supported editions of Windows XP and Windows Server 2003.

This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Affected Software:

  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

There is some controversy surrounding this vulnerability because the Google engineer who found it apparently did the right thing and told Microsoft about it privately, but then released code to exploit the issue within 5 days. This was before Microsoft had a chance to develop a solution.

In the scheme of things, that sounds unprofessional to me. Why go to the bother of telling Microsoft about it privately and then release the exploit before the fix is out?

Anyway, Microsoft now has a solution in place to deal with this and they make it easy to get the fix.

If you're running one of the systems listed above, then head over to the Microsoft Support page and use the Microsoft Fix it solution provided.

That is it – easy to do!