Second Zero-Day Vulnerability Hit Windows

Microsoft has found that attackers are trying to exploit a critical, unpatched security hole that exists in all versions of Windows barring Windows 2003 in order to destabilize PCs. It is the second time in less than a week that the company has faced such a threat.

The Microsoft XML Core Services 4.0 ActiveX Control provides interoperability between applications based on the XML 1.0 standard and Microsoft's JScript, VBScript and Visual Studio 6.0 programming environments. An unspecified error in the XMLHTTP 4.0 ActiveX Control, which is part of XML Core Services, disrupts that interoperability and leaves the system vulnerable.

Hackers host malicious code on specific websites, which has the potential to infect a large number of systems. They exploit the flaw to inject malware onto any PC that visits or connects to such a website, with no further user interaction required. PC users may reach such a website on their own using IE, or hackers may lure them there through enticing links, specially designed web pages, social web platforms like MySpace, or advertisements on third-party websites.

This is the second exploit in a week, following the first zero-day ActiveX Control vulnerability, which affected a component of Microsoft Visual Studio 2005. Fortunately, that component was not installed on many people's PCs, and Internet Explorer 7 disables it by default. The second case is more exposed, however, because the remaining ActiveX controls are enabled by default.

Ben Richeson, Program Manager, Microsoft Security Research Center, wrote in a recent blog post that the company is aware of limited attacks trying to misuse the reported vulnerability, and gave an assurance that it will issue updates if continued monitoring indicates a change in the situation. The flaw is under investigation, and Microsoft will soon decide whether to release a security update as part of its routine monthly patch release or to issue an out-of-cycle update.

In the meantime, Microsoft suggested that, along with good computing and surfing practices, users should adjust the security restrictions on their PCs or set the kill-bit for the affected ActiveX Control.


» SPAMfighter News - 11/13/2006
