Microsoft is exploiting a vulnerability in its latest version of Windows to deliver a Windows trojan that infects a large number of websites and steals sensitive data, a security researcher said Monday.
The researcher, Ryan Smith, said the exploit, which was first reported by SecurityWeek, is the first to show that Microsoft can remotely trigger a remote code execution vulnerability in a vulnerable version of the Windows operating system.
Smith said Microsoft has not publicly disclosed the exploit code or any details of how it was implemented, but he said the flaw could have been used to steal sensitive information, including user passwords.
The flaw is only in Windows XP, which Microsoft discontinued in 2012, and it was only discovered by Smith after Microsoft stopped testing and releasing security updates.
Microsoft said the flaws were fixed in March and February, respectively, and said the issue was resolved last month.
Smith did not elaborate on what the flaw did or why it was not patched.
Microsoft does not normally provide details about new vulnerabilities.
The exploit code has been downloaded by tens of thousands of computers worldwide, he said, and was available for free on the Dark Web for months.
Microsoft has since fixed the vulnerability.
In the exploit’s video, which can be viewed on the SecurityWeek website, a user types a username and password into a Web browser.
The malicious code then launches a “remote command execution” process that steals user credentials and data from the computer’s hard drive.
The Web browser then sends a request to the Windows registry to retrieve data that the computer has previously saved.
Smith said the code can also read the registry and inject malicious code.
Smith noted that it is not clear what the malware does with the stolen data, and the exploit does not appear to have any other malicious intent.
Microsoft did not immediately respond to a request for comment.
The vulnerability could have affected a Windows user who installed the vulnerable version and the Web browser trojan on a computer without having the vulnerability fixed.
The Web browser is installed in Windows 7, which has the same vulnerability as XP.
The exploit is only available in Windows 8 and later.
Microsoft is notifying users who have downloaded the exploit to apply it to their computers.
It is also offering a free fix for the vulnerability that is not available on the Internet.
Smith did not disclose the details of the fix.
Microsoft has released patches to fix the flaws, but Smith said that many websites have not yet received the fixes.
Microsoft is also working with security vendors to make sure that vulnerable versions of the Web browsers are patched as quickly as possible.