ActiveX Vulnerability

by Michael on November 7th, 2006 in Industry and Security News, Security Alerts.

Today's security news: Microsoft has released a new Security Advisory about a vulnerability in Microsoft XML Core Services 4.0 that could allow remote code execution. The vulnerability is caused by an error in the XMLHTTP 4.0 ActiveX Control.

Malicious hackers have reportedly already begun to exploit the flaw, which has not yet been patched.

An attacker could host a website designed to exploit the vulnerability through Internet Explorer. The attacker wouldn't have a way to force you to visit such a website, but would instead have to "persuade" you to click a link in an e-mail, instant message, or banner ad, Microsoft says.

How do you know if you're affected? Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 are on the list of affected software.

Windows Server 2003 and Windows Server 2003 Service Pack 1, in their default configurations (with the Enhanced Security Configuration turned on), are not affected, the advisory says.

This is Microsoft's second major zero-day vulnerability during the past week.

Microsoft says they will release a security update either as part of their monthly patch cycle (the second Tuesday of every month, for those of you not in the "Patch Tuesday" loop), or as an out-of-cycle update.

We'll keep you posted. In the meantime, make sure your system is updated and don't click on any suspicious links!