XML Zero-Day Flaw Enables Attacker to Target Internet Explorer, Office - Security - News & Reviews - eWeek.com | eWeek

XML Zero-Day Flaw Enables Attacker to Target Internet Explorer, Office

Verfasst von
Brian Prince
Brian Prince
Jun 13, 2012
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

A zero-day flaw in versions of Microsoft’s XML Core Services (MSXML) is being actively exploited in the wild.

The vulnerability, which was discovered by Google, exists when MSXML attempts to access an object in memory that has not been initialized, and affects all supported versions of Windows as well as Microsoft Office 2003 and 2007. In a blog post, Google Security Engineer Andrew Lyons wrote the attacks were being distributed both through malicious Web pages targeting Internet Explorer users as well as through Office documents.

If successfully exploited, the bug can be used to enable an attacker to remotely execute code.

“We discovered this vulnerability€”which is leveraged via an uninitialized variable€”being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30,” he said. “Over the past two weeks, Microsoft has been responsive to the issue and has been working with us.”

“We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix-it while Microsoft develops and publishes a final fix as part of a future advisory,” Lyons added.

Microsoft released a security advisory about the vulnerability Tuesday, the same day as its monthly Patch Tuesday update. MSXML enables customers who use JScript, Visual Basic Scripting Edition (VBScript) and Microsoft Visual Studio 6.0 to develop XML-based applications. This includes applications that are interoperable with other applications that adhere to the XML 1.0 standard. According to Microsoft, the vulnerability resides in XML Core Services 3.0, 4.0, 5.0 and 6.0.

“The vulnerability could allow remote-code execution if a user views a specially crafted Web page using Internet Explorer,” Microsoft explained in its advisory. “An attacker would have no way to force users to visit such a Website. Instead, an attacker would have to convince users to visit the Website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s Website.”

Angela Gunn of Microsoft’s Trustworthy Computing group blogged that the vulnerability is under review and also recommended users apply the fix included with the advisory. She did not indicate when a patch would be ready.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.