Second Zero-Day Vulnerability Hit Windows
Microsoft has realized that attackers are trying to take advantage of a critical, unpatched security hole that exists in all versions of Windows barring Windows 2003 to destabilize PCs. This is the second such threat the company has confronted in less than a week.
The Microsoft XML Core Services 4.0 ActiveX Control facilitates interoperability between applications based on the XML 1.0 standard and Microsoft's JScript, VBScript and Visual Studio 6.0 programming environments. An unspecified error in the XMLHTTP 4.0 ActiveX Control affects a part of XML Core Services, which disrupts that interoperability and renders the system vulnerable.
Hackers have set up specific websites hosting malicious code that has the potential to infect a large number of systems. They exploit the flaw to inject malware onto any PC that visits or connects to such a website, with no user interaction required. PC users can reach such a website on their own using IE, or hackers can lure them through interesting links, specially designed web pages, social web platforms like MySpace, and advertisements on third-party websites.
This is the second case of exploitation in a week, following the first zero-day ActiveX Control vulnerability, which affected a component of Microsoft Visual Studio 2005. Fortunately, that component was not installed on many people's PCs, and Internet Explorer 7 has it disabled by default. The second case, however, leaves users more exposed, as the remaining ActiveX controls are enabled by default.
Ben Richeson, Program Manager, Microsoft Security Research Center, wrote in a recent blog post that the company is aware of limited attacks trying to misuse the reported vulnerability, and gave assurance that it would issue updates if continuous monitoring indicates a change in the situation. The flaw is under investigation, and Microsoft will soon decide whether to release a security update as part of its routine monthly patch release or to issue an out-of-cycle update.
In the meantime, Microsoft suggested that, along with good computing and surfing practices, users should adjust the security restrictions on their PCs or set the kill-bit for the affected ActiveX Control.
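
An added example (not from the original article or from Microsoft): a check that the kill-bit mitigation is actually in place, run over `reg export` text of Internet Explorer's ActiveX Compatibility key. The CLSID shown is a placeholder, since the article does not give the control's identifier, and the registry sample is constructed.

```python
import re

# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}
KILL_BIT = 0x00000400
COMPAT_KEY = r"\Internet Explorer\ActiveX Compatibility" + "\\"

# Placeholder, not the real identifier: take the CLSID from Microsoft's advisory.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample of `reg export` output (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00800000
'''

def parse_compat_flags(reg_text):
    """Map lower-cased CLSID -> Compatibility Flags value found in .reg text."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(COMPAT_KEY.lower())
            # Only keys below "ActiveX Compatibility" name a control.
            clsid = key[idx + len(COMPAT_KEY):].lower() if idx != -1 else None
        elif clsid:
            m = re.match(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', line, re.I)
            if m:
                flags[clsid] = int(m.group(1), 16)
    return flags

def kill_bit_set(reg_text, clsid):
    """True only if the control's flags include the kill bit (other bits may be set too)."""
    value = parse_compat_flags(reg_text).get(clsid.lower())
    return value is not None and bool(value & KILL_BIT)

if __name__ == "__main__":
    for c in (PLACEHOLDER_CLSID, "{11111111-1111-1111-1111-111111111111}"):
        print(c, "kill bit set" if kill_bit_set(SAMPLE_EXPORT, c) else "NOT blocked")
```

Files written by `reg export` are UTF-16, so decode them before passing the text in. A control with no entry, or with flags that lack bit 0x400, is reported as not blocked.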
» SPAMfighter News - 13-11-2006