Microsoft to patch zero-day XML flaw

Microsoft on Tuesday plans to issue six security bulletins, including at least one with a fix for a security vulnerability that is actively being used in cyberattacks.

As part of its monthly patching cycle, Microsoft will release a bulletin with a "critical" fix for a security hole in its XML Core Services software, the company said in a note on its Web site Thursday. The vulnerability is a so-called zero-day flaw that's already being exploited for attacks.

The other five security bulletins will deliver updates for Windows, some of which will be rated "critical," Microsoft said. Security companies are tracking several flaws in the operating system and in its Web browser component, Internet Explorer, that have yet to be put right.

Microsoft did not specify how many vulnerabilities in total its security updates will tackle, or say which components of Windows are being repaired. Additionally, the company appears to have no patch ready for a flaw in Visual Studio 2005, which is also already being used in attacks.

Last month, the software maker delivered 10 security bulletins, six of which were deemed "critical," the company's most serious risk rating. Critical vulnerabilities typically can allow a worm to spread or allow a Windows system to be fully compromised with minor or no interaction from the person using it.

Also on Tuesday, Microsoft will release an updated version of its Windows Malicious Software Removal Tool. The program detects and removes common malicious code placed on computers.

The company gave no further information on the upcoming bulletins, other than stating that the fixes may require restarting the computer or server.