The patch includes a fix for a flaw in the XML HTTP 4.0 ActiveX Control component of the XML Core Service. Microsoft last issued a security bulletin about the vulnerability and warned that attackers were actively exploiting the flaw.
The update also repairs three vulnerabilities in Internet Explorer 6, all of which are rated "critical".
Two of the flaws affect the Direct Animation ActiveX Controls, which attackers could exploit by luring a user to a specially crafted website. Upon infection, the attacker can install spyware or other malware on a system without any user interaction. Microsoft warned that attackers are actively exploiting the flaw.
The third Internet Explorer 6 flaw could also allow remote code execution if attackers succeed in luring users to a specially crafted website. The vulnerability is caused by a design flaw in the way that the browser interprets HTML code with certain layout combinations. Microsoft said that it isn't aware of any exploits.
The SANS Internet Storm Center rated both the XML Core Services and Internet Explorer updates as the most urgent.
The remaining updates affect the Microsoft Agent, Adobe's Flash Player and the Workstation Service. All of those flaws could allow an attacker to take control of a system, but Microsoft said that it isn't aware of any active exploits.
Users can update their systems through the auto update feature by downloading the patches from the Microsoft website.
The remaining two patches affect Novell's Netware technology and received severity ratings of "moderate" and "low".
Microsoft plugs seven critical security holes
By Tom Sanders on Nov 15, 2006 8:58AM