Google engineer unveils bug that attacks Windows XP

Google engineer Tavis Ormandy has exposed the bug that attacks the Windows XP systems. Now he is finding himself under trouble over making the bug public just five days after informing Microsoft about the vulnerability.Microsoft is now investigating the issue and is expected to release a fix for it relatively soon.  Ormandy is a security engineer for Google in Switzerland and found a flaw in Windows XP's Help and Support Center. It lets hackers access and download Microsoft help files that can then be used to launch remote support tools on a local PC. Ormandy posted an example of the attack code to the Full Disclosure security mailing list on June 10th, five days after notifying Microsoft of the weakness.

The attack can be performed using all major browsers, including Firefox, Chrome and the latest IE8. When Windows Media Player is on the targeted machine, the process is even easier, Ormandy said. He went public with the problem because he believed Microsoft would ignore him otherwise and dismiss the warning.
The vulnerability is simple to understand. Windows XP comes with a help database"Help and Support Center" ;that pulls information from a list of approved Web pages in order to assist users in troubleshooting their system's issues.

It is possible to add URLs to this white list, which essentially transforms a compromised Windows XP system into a ticking time bomb. Once the Help and Support Center is pulled up, it could grab a remotely hosted file or execute a command under the same privileges as the current user 'an especially problematic situation if said user represents a given system's administrative account