Softpedia
 


July 2nd, 2010, 15:05 GMT · By

Attacks Targeting HCP Vulnerability Launched from Vodafone UK Website

AVAST Software reports that Vodafone's UK website has been infected with malicious scripts that attempted to exploit its visitors. The attack targeted the still-unpatched remote code execution vulnerability in the Windows XP Help Center.

According to the antivirus vendor, the malicious code injected by an unknown hacker into the high-profile website was still active earlier this week. The methods used to infect the website have not been revealed, but it is likely that the compromise was part of a larger mass injection attack.

Avast detects the rogue script as HTML:Script-inf and notes that it currently accounts for twenty percent of all infected UK pages. However, even more concerning is that the exploit used in this attack targets a zero-day Windows XP critical vulnerability.

"The problem is particularly bad because the CVE-2010-1885 vulnerability targets the most widely used version of Windows, and at the present time it is still un-patched. This means that even if a user is running a fully updated Windows XP SP3 with all the security patches, the user is still vulnerable," explains Ondrej Vlcek, the antivirus company's CTO.

The CVE-2010-1885 vulnerability, also referred to as the HCP bug because it abuses the hcp:// protocol handler to execute arbitrary code, was publicly disclosed last month by Tavis Ormandy, a security researcher working at Google. The flaw only affects Windows XP systems, and Microsoft has released a temporary fix that disables the use of hcp:// (Windows Help Center) links system-wide.

Hackers initially exploited the vulnerability to push malware via compromised websites in attacks known as drive-by downloads. However, Microsoft recently announced that the number of attacks has significantly increased and that the methodologies used to target users are more varied.

Just yesterday we reported that Symantec researchers intercepted a highly targeted attack, which attempted to install malware on the network of a U.S. defense contractor. The attack employed sophisticated social engineering techniques and attempted to exploit the HCP vulnerability.

You can follow the editor on Twitter @lconstantin
