AOH :: ISN-3235.HTM

Microsoft Warns of New Windows Zero-Day Flaw

Microsoft Warns of New Windows Zero-Day Flaw
Microsoft Warns of New Windows Zero-Day Flaw,1895,2052269,00.asp 

By Ryan Naraine
November 6, 2006

Microsoft has released a security advisory with workarounds for a 
critical zero-day vulnerability affecting Windows users and warned that 
malicious hackers are already exploiting the flaw in live attacks.

The advisory provides prepatch mitigation for a bug in Microsoft XML 
Core Services, formerly known as the Microsoft XML Parser, a service 
that lets users create applications that interoperate with the XML 1.0 

The vulnerability is caused by an unspecified error in the XMLHTTP 4.0 
ActiveX Control and is rated "extremely critical" by security alerts 
aggregator Secunia, in Copenhagen, Denmark.

Affected software includes Windows 2000 (including Service Pack 4), 
Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 
Service Pack 1. Microsoft said customers who are running Windows Server 
2003 and Windows Server 2003 Service Pack 1 in default configurations, 
with the Enhanced Security Configuration turned on, are not affected.

According to an alert from IBM's ISS X-Force, hackers are already using 
the Internet Explorer browser as an attack vector. "These exploits 
target Internet Explorer through a vulnerable ActiveX control. 
Successful exploitation of this vulnerability may result in remote code 
execution," the Atlanta-based company said.

All supported versions of Internet Explorer are vulnerable, including 
the newly released IE 7.

The flaw is the result of the core XML engine's inability to correctly 
handle proper arguments passed to one of the methods associated with the 
XML request object. "This improper handling results in memory corruption 
and ultimately may result in remote code execution," ISS X-Force said.

Microsoft confirms the flaw could use IE to trigger code execution 
attacks and warned that banner advertisements and other methods of 
distributing Web content could also be dangerous.

The Redmond, Wash., software maker recommends that IE users disable 
attempts to instantiate the vulnerable ActiveX control by setting the 
kill bit in the registry. Other workarounds, available from the 
advisory, include configuring IE to prompt before running Active 

It is the second major zero-day confirmed by Microsoft during the past 
week. On Nov. 1, the company issued a warning for an "extremely 
critical" vulnerability in Microsoft Visual Studio 2005 that could put 
users at risk of remote code execution attacks.

Exploit code for the Visual Studio 2005 flaw is publicly available. 
According to Metasploit founder HD Moore, the proof-of-concept exploit 
has been available in the point-and-click hacking tool since August.

Visual Studio 2005, formerly known as "Whidbey," is an integrated 
development environment that offers a suite of tools to help programmers 
build software, Web sites, Web applications and Web services. It is the 
latest version of Microsoft's developer tools and includes Visual Basic, 
Visual C++, Visual C# and visual J#.

Microsoft said the vulnerability is caused due to an unspecified error 
in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is 
used by the WMI Wizard in Visual Studio to instantiate other controls. 
An attacker could use the flaw to "take complete control of the affected 

The next batch of scheduled patches from Microsoft is due Nov. 14.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods