November 6, 2006 4:25 PM PST

Attackers dig into zero-day flaw

Related Stories

Attack code out for Visual Studio flaw

November 1, 2006
An "extremely critical" vulnerability has been discovered in Microsoft's XML Core Services, according to several security companies.

The vulnerability, which affects only systems running Internet Explorer, is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control and could be used to seize control of an affected system, according to an advisory from Secunia, a security company based in Denmark.

IBM-owned ISS X-Force detailed on its site the kind of damage that could be caused by the vulnerability.

"This could lead to loss of confidential information, disruption of business, or further compromise," according to the security company.

For the vulnerability to be exploited, a user would have to visit a malicious Web site, Secunia said.

Microsoft acknowledged that the bug is already being exploited, in a note posted to the company's site.

"We are aware of limited attacks that are attempting to use the reported vulnerability," Microsoft said.

Some of the software that may be affected includes Windows 2000, Windows XP Service Pack 2 and Windows Server 2003.

People running Windows Server 2003 and 2003 Service Pack 1 in the default configuration with the Enhanced Security Configuration turned on aren't affected, Microsoft said.

Microsoft will determine, based on "customer needs," whether to release a patch during the company's monthly release process or an "out-of-cycle security update," the company said.

Microsoft's next patch release day is November 14.

See more CNET content tagged:
security company, vulnerability, flaw, Microsoft Windows Server 2003, Microsoft Windows Server


Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.