Windows Help Center Application Poses Grave Threat to Windows XP/Server 2003
“A new vulnerability has been reported to the general public this morning via the ‘Full-Disclosure’ mailing list, and it is quite troubling,” stated Jonathan Davis, an IT security consultant in the Washington, DC metro area. He further stated, “There is a vulnerability that exists in the Windows help center application that is exploitable via many applications and vectors. Most notably it is exploitable via Internet Explorer, allowing a malicious web page to execute any executable file on a user’s system with any flags or parameters they desire. The possibilities for what this could be used for are endless, and the attack doesn’t require any fancy timing attacks or anything that is hard to do at all.”
Here is the link to the original disclosure by the researcher who found the vulnerability, Tavis Ormandy, a Google engineer: http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/074986.html
Microsoft on Thursday confirmed the presence of a zero-day vulnerability, stating that it affects Windows XP and Server 2003 systems. The company plans to issue an advisory later to provide workaround guidance to affected users.
The post outlines some fairly painless workarounds that can be applied via GPO, namely this one:
“Few users rely on Help Center urls (hcp://), it is safe to temporarily disable them by removing HKCR\HCP\shell\open. This modification can be deployed easily using GPOs. For more information on Group Policy, see Microsoft’s Group Policy site”
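The registry workaround quoted above, written out as a cmd.exe batch script that could run as a GPO startup script. This is an added example, not part of the original disclosure or of this article. The backup file path is an assumption; the registry key is the one named in the quote.

```bat
@echo off
rem Added example: disable the hcp:// handler by removing HKCR\HCP\shell\open.
rem BACKUP is an assumed location; change it to suit your environment.
setlocal
set "KEY=HKCR\HCP\shell\open"
set "BACKUP=%SystemRoot%\hcp_shell_open_backup.reg"

rem Nothing to do if the handler is already gone, so the script is safe to re-run.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% not present; hcp:// handler already disabled.
    exit /b 0
)

rem Keep only the first backup, so a re-run never overwrites a good copy.
if not exist "%BACKUP%" (
    reg export "%KEY%" "%BACKUP%" >nul
    if errorlevel 1 (
        echo Backup of %KEY% failed; key left untouched.
        exit /b 1
    )
)

rem Remove the open verb together with its command subkey.
reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo Could not delete %KEY%; run with administrative rights.
    exit /b 1
)

rem Verify: the query must now fail, otherwise report the problem.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo %KEY% still present after delete.
    exit /b 1
)
echo hcp:// handler disabled. Restore with: reg import "%BACKUP%"
exit /b 0
```

Once a vendor fix is installed, importing the saved .reg file restores the handler.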
Users and companies are currently awaiting a fix.
Sources:
http://www.theinquirer.net/inquirer/news/1676668/xp-help-center-security-flaw-leaves-machines-wide
http://www.eweek.com/c/a/Security/Windows-XP-ZeroDay-Targeted-by-Hackers-in-Driveby-Attack-817982/
http://www.pcworld.com








