Microsoft is warning against a new exploit in all Windows versions except Windows 2003 that is actively being exploited by attackers.
The flaw affects a part of the Microsoft XML Core Services 4.0 that is referred to as the XMLHTTP 4.0 ActiveX Control. The Core Service technology provides interoperability between applications that are based on the XML 1.0 standard and Microsoft's Jscript, VBScript and Visual Studio 6.0 programming environments.
The flaw allows attackers to take over control of a system. They could exploit the flaw by luring their victims to a specially crafted website or a page on a social service like Myspace. They could exploit the vulnerability through specially crafted advertisements that are placed on third party websites.
Microsoft warned that the company is aware of "limited attacks" exploiting the flaw.
The software vendor didn't provide a security rating. Security website Secunia rated the bug as "extremely critical", its most severe rating.
Alex Eckelberry, a president with security vendor Sunbelt Software, on his blog downplayed the threat. The company so far detected only one site exploiting the flaw, and claimed that the exploited was poorly engineered.
"If you ask me, this is a pretty crappy exploit (in that it doesn’t work all that well)," wrote Eckelberry.
Microsoft is currently investigation the flaw. The company at a later point will decide if a security update is released as part of its patch release cycle on the second Tuesday of each month or as an out-of-cycle update.
Windows hit by "extremely critical" 0-day vulnerability
By Tom Sanders on Nov 7, 2006 11:38AM