By Ryan Naraine
November 6, 2006
Microsoft has released a security advisory with workarounds for a
critical zero-day vulnerability affecting Windows users and warned that
malicious hackers are already exploiting the flaw in live attacks.
The advisory provides prepatch mitigation for a bug in Microsoft XML
Core Services, formerly known as the Microsoft XML Parser, a service
that lets users create applications that interoperate with the XML 1.0
The vulnerability is caused by an unspecified error in the XMLHTTP 4.0
ActiveX Control and is rated "extremely critical" by security alerts
aggregator Secunia, in Copenhagen, Denmark.
Affected software includes Windows 2000 (including Service Pack 4),
Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003
Service Pack 1. Microsoft said customers who are running Windows Server
2003 and Windows Server 2003 Service Pack 1 in default configurations,
with the Enhanced Security Configuration turned on, are not affected.
According to an alert from IBM's ISS X-Force, hackers are already using
the Internet Explorer browser as an attack vector. "These exploits
target Internet Explorer through a vulnerable ActiveX control.
Successful exploitation of this vulnerability may result in remote code
execution," the Atlanta-based company said.
All supported versions of Internet Explorer are vulnerable, including
the newly released IE 7.
The flaw is the result of the core XML engine's inability to correctly
handle proper arguments passed to one of the methods associated with the
XML request object. "This improper handling results in memory corruption
and ultimately may result in remote code execution," ISS X-Force said.
Microsoft confirms the flaw could use IE to trigger code execution
attacks and warned that banner advertisements and other methods of
distributing Web content could also be dangerous.
The Redmond, Wash., software maker recommends that IE users disable
attempts to instantiate the vulnerable ActiveX control by setting the
kill bit in the registry. Other workarounds, available from the
advisory, include configuring IE to prompt before running Active
It is the second major zero-day confirmed by Microsoft during the past
week. On Nov. 1, the company issued a warning for an "extremely
critical" vulnerability in Microsoft Visual Studio 2005 that could put
users at risk of remote code execution attacks.
Exploit code for the Visual Studio 2005 flaw is publicly available.
According to Metasploit founder HD Moore, the proof-of-concept exploit
has been available in the point-and-click hacking tool since August.
Visual Studio 2005, formerly known as "Whidbey," is an integrated
development environment that offers a suite of tools to help programmers
build software, Web sites, Web applications and Web services. It is the
latest version of Microsoft's developer tools and includes Visual Basic,
Visual C++, Visual C# and visual J#.
Microsoft said the vulnerability is caused due to an unspecified error
in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is
used by the WMI Wizard in Visual Studio to instantiate other controls.
An attacker could use the flaw to "take complete control of the affected
The next batch of scheduled patches from Microsoft is due Nov. 14.
Visit the InfoSec News store!