Microsoft has released a security advisory with workarounds for a critical zero-day vulnerability affecting Windows users and warned that malicious hackers are already exploiting the flaw in live attacks.
The advisory provides prepatch mitigation for a bug in Microsoft XML Core Services, formerly known as the Microsoft XML Parser, a service that lets users create applications that interoperate with the XML 1.0 standard.
The vulnerability is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control and is rated “extremely critical” by security alerts aggregator Secunia, in Copenhagen, Denmark.
Affected software includes Windows 2000 (including Service Pack 4), Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1. Microsoft said customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in default configurations, with the Enhanced Security Configuration turned on, are not affected.
According to an alert from IBMs ISS X-Force, hackers are already using the Internet Explorer browser as an attack vector. “These exploits target Internet Explorer through a vulnerable ActiveX control. Successful exploitation of this vulnerability may result in remote code execution,” the Atlanta-based company said.
All supported versions of Internet Explorer are vulnerable, including the newly released IE 7.
The flaw is the result of the core XML engines inability to correctly handle proper arguments passed to one of the methods associated with the XML request object. “This improper handling results in memory corruption and ultimately may result in remote code execution,” ISS X-Force said.
Microsoft confirms the flaw could use IE to trigger code execution attacks and warned that banner advertisements and other methods of distributing Web content could also be dangerous.
The Redmond, Wash., software maker recommends that IE users disable attempts to instantiate the vulnerable ActiveX control by setting the kill bit in the registry. Other workarounds, available from the advisory, include configuring IE to prompt before running Active Scripting.
It is the second major zero-day confirmed by Microsoft during the past week. On Nov. 1, the company issued a warning for an “extremely critical” vulnerability in Microsoft Visual Studio 2005 that could put users at risk of remote code execution attacks.
Exploit code for the Visual Studio 2005 flaw is publicly available. According to Metasploit founder HD Moore, the proof-of-concept exploit has been available in the point-and-click hacking tool since August.
Visual Studio 2005, formerly known as “Whidbey,” is an integrated development environment that offers a suite of tools to help programmers build software, Web sites, Web applications and Web services. It is the latest version of Microsofts developer tools and includes Visual Basic, Visual C++, Visual C# and visual J#.
Microsoft said the vulnerability is caused due to an unspecified error in the WMI Object Broker ActiveX Control (WmiScriptUtils.dll), which is used by the WMI Wizard in Visual Studio to instantiate other controls. An attacker could use the flaw to “take complete control of the affected system.”
The next batch of scheduled patches from Microsoft is due Nov. 14.
