Attacks exploit Microsoft XML Core Services flaw

Attacks exploiting a dangerous zero-day vulnerability in Microsoft XML Core Services were spotted over the weekend.

The unpatched flaw allows for remote code execution and was labeled "extremely critical," the most severe threat rating issued by vulnerability assessment firm Secunia.

Specifically, the vulnerability is caused by an error in the XMLHTTP 5.0 ActiveX Control, part of the Core Services program, which lets customers who use Jscript, Visual Basic Scripting Edition and Microsoft Visual Studio 6.0 construct, validate and process XML-based applications.

Security experts said exploits should only increase as code becomes more publicly available.

"This equates to another means for drive-by attacks via Internet Explorer (IE)," Craig Schmugar, McAfee Avert Labs' virus research manager, said Sunday in a blog post. "Exploitation is not believed to be widespread at this time, but we can expect exploit code to become public early in the week at which point exploitation will pick up exponentially."

But Microsoft, in its advisory, said customers running Windows Server 2003 are not affected if their default settings remain active. Also, users must visit an attacker's website to be infected.

"An attacker would have to persuade users to visit the website, typically by getting them to click a link in an email message or in an instant messenger request that takes users to the attacker's website," according to the advisory. "It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems."

As a fix before a patch is issued, Redmond recommended that users set the kill bit for the XMLHTTP 4.0 Active X Control.

This is the second flaw in less than a week related to ActiveX controls.

Last Wednesday, Microsoft reported that Visual Studio 2005 contains a flawed WMI Object Broker ActiveX control that is exploitable by a malicious website viewed on IE.

Both bugs may be patched in Microsoft's next security update, scheduled for Nov. 14.

Click here to email Dan Kaplan.

Sign up to our newsletters