
A Google security engineer has identified a zero-day flaw affecting Windows XP, 2003 and possibly other Windows systems.
Tavis Ormandy found the flaw in a component of the Windows Help and Support Center, which is accessed via the ‘hcp://’ protocol handler.
Successful exploitation could give an attacker complete user access to any PC running the vulnerable operating system.
“At least Windows XP and Windows Server 2003 are affected. The attack is enhanced against IE >= 8 and other major browsers if Windows Media Player is available, but an installation is still vulnerable without it,” he wrote on the Full Disclosure mailing list.
“Machines running versions of IE less than 8 are, as usual, in even more trouble. In general, choice of browser, mail client or whatever is not relevant. They are all equally vulnerable.”
Ormandy alerted Microsoft to the problem on 5 June and his submission was logged and acknowledged. But the fact that he published a full analysis of the flaw, a working exploit and a suggested workaround four days later has drawn a sharp rebuke from Microsoft.
