Microsoft released a security advisory for a zero-day bug in its XML Core Services that's being exploited in the wild by attackers.
A zero-day flaw in versions of
Microsoft's XML Core Services (MSXML) is being actively exploited in the
The vulnerability, which was
discovered by Google, exists when MSXML attempts to access an object in
memory that has not been initialized, and affects all supported versions of
Windows as well as Microsoft Office 2003 and 2007. In a blog post
, Google Security Engineer Andrew
Lyons wrote the attacks were being distributed both through malicious Web pages
targeting Internet Explorer users as well as through Office documents.
If successfully exploited, the bug
can be used to enable an attacker to remotely execute code.
"We discovered this
vulnerabilitywhich is leveraged via an uninitialized variablebeing actively
exploited in the wild for targeted attacks, and we reported it to Microsoft on
May 30," he said. "Over the past two weeks, Microsoft has been
responsive to the issue and has been working with us."
"We strongly recommend Internet
Explorer and Microsoft Office users immediately install the Fix-it while
Microsoft develops and publishes a final fix as part of a future
advisory," Lyons added.
Microsoft released a security
advisory about the vulnerability Tuesday, the same day as its monthly Patch
Tuesday update. MSXML enables customers who use JScript, Visual Basic
Scripting Edition (VBScript) and Microsoft Visual Studio 6.0 to develop XML-based
applications. This includes applications that are interoperable with other
applications that adhere to the XML 1.0 standard. According to Microsoft, the
vulnerability resides in XML Core Services 3.0, 4.0, 5.0 and 6.0.
"The vulnerability could allow
remote-code execution if a user views a specially crafted Web page using
Internet Explorer," Microsoft explained in its advisory. "An attacker
would have no way to force users to visit such a Website. Instead, an attacker
would have to convince users to visit the Website, typically by getting them to
click a link in an email message or Instant Messenger message that takes them
to the attacker's Website."
Angela Gunn of Microsoft's
Trustworthy Computing group blogged that the vulnerability is under review and
also recommended users apply the fix included with the advisory. She did
not indicate when a patch would be ready.