November 6, 2006 4:25 PM PST

Attackers dig into zero-day flaw

By Greg Sandoval
Staff Writer, CNET News

Related Stories: Attack code out for Visual Studio flaw
November 1, 2006

An "extremely critical" vulnerability has been discovered in Microsoft's XML Core Services, according to several security companies.

The vulnerability, which affects only systems running Internet Explorer, is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control and could be used to seize control of an affected system, according to an advisory from Secunia, a security company based in Denmark.

IBM-owned ISS X-Force detailed on its site the kind of damage that could be caused by the vulnerability.

"This could lead to loss of confidential information, disruption of business, or further compromise," according to the security company.

For the vulnerability to be exploited, a user would have to visit a malicious Web site, Secunia said.

Microsoft acknowledged that the bug is already being exploited, in a note posted to the company's site.

"We are aware of limited attacks that are attempting to use the reported vulnerability," Microsoft said.

Some of the software that may be affected includes Windows 2000, Windows XP Service Pack 2 and Windows Server 2003.

People running Windows Server 2003 and 2003 Service Pack 1 in the default configuration with the Enhanced Security Configuration turned on aren't affected, Microsoft said.

Microsoft will determine, based on "customer needs," whether to release a patch during the company's monthly release process or an "out-of-cycle security update," the company said.

Microsoft's next patch release day is November 14.

See more CNET content tagged:
security company, vulnerability, flaw, Microsoft Windows Server 2003, Microsoft Windows Server

Join the conversation

Inside CNET News

1-2 of 12

Scroll Left Scroll Right

The view from up there: An astronauts' Aurora Borealis (video)
NASA video gives those of us with our feet firmly planted on the ground a look at the Northern Lights from the International Space Station.

Cutting Edge
Samsung Galaxy Note (AT&T)
Gallery
Chinese authorities seize iPads from reseller's shelves
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.

iPhone Atlas
Can prof's algorithm reunite Craigslist Missed Connections?
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.

Technically Incorrect
Tips for keeping your browsing private
Video
Consumer electronics spending hits $144B in 2011
People shop more online, are buying tablets and e-readers, and continue to purchase Apple products at an increasing rate, says market researchers.

Digital Media
Ethical manufacturing petition delivered to San Francisco Apple Store
Video
DOJ clears Apple-Microsoft-RIM deal to buy Nortel patents
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.

Politics and Law
Spray-on antenna: Wireless in a can
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.

Crave
Video game Spacewar reborn at 50 (photos)
Gallery
CNET Labscast 17: PlayStation Vita and HP's Beats laptop demoed, plus Valentine's gadget ideas
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.

Labscast
Engineered carbon gives batteries, ultracaps a boost
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.

Cutting Edge