MS Patch Day: IE, XML Zero-Day Flaws Fixed

Microsoft on Nov. 14 released a critical cumulative update for its flagship Internet Explorer browser to fix a flaw that was being used in targeted zero-day attacks since early October.

The IE update (MS06-067) provides cover for code execution holes in DirectAnimation ActiveX controls that could be exploited if unexpected data is passed to the ActiveX controls.

The vulnerable control, which is included in Daxctle.ocx, was first flagged in Oct. 2006 when Chinese security researchers released exploit code and, shortly after, virus tracking firms discovered that malware authors were exploiting the bug to launch attacks against IE users.

/zimages/3/28571.gifIn this latest Microsoft patch, security experts are most nervous about MS06-070, which covers a nasty, wormable flaw in Workstation Service. Get the details here.

In addition to the DirectAnimation ActiveX issue, the IE update also addresses a memory corruption bug that occurs in the way the browser interprets HTML with certain layout combinations.

An attacker could exploit the vulnerability to launch code execution attacks by rigging a Web site with malicious code.

Microsoft said its new IE 7 browser is not vulnerable. Windows Vista users are also not at risk.

The software vendor also pushed out a fix for a high-severity code execution issue affecting XML Core Services, a feature that lets users create applications that interoperate with the XML 1.0 standard.

This vulnerability was also the target of zero-day attacks that were first discovered Nov. 3.

The XML Core Services update (MS06-071) provides a patch for the XMLHTTP ActiveX control included in Microsoft XML Core Services.

The company said that the control can be exploited to crash IE in a way that could allow code execution.

The November patch batch also includes a patch for a serious memory corruption vulnerability in Microsofts Workstation Service Memory.

Successful exploitation of this vulnerability could result in a complete system compromise.

It could be exploited remotely over the Internet to unleash a worm on Windows 2000 and Windows XP systems, Microsoft said in the MS06-070 bulletin.

The Patch Tuesday release also includes:

• MS06-068—Rated “critical,” this bulletin addresses a remote code execution vulnerability in the way Microsoft Agent handles specially crafted .ACF files. An attacker could use a specially rigged Web site to launch remote code execution attacks against Windows 2000, Windows XP and Windows Server 2003 users.
• MS06-069—This “critical” update provides patches for several remote code execution vulnerabilities in Macromedia Flash Player from Adobe. Microsoft warns that an attacker could exploit these flaws with malicious Flash Animation (.SWF) files to launch remote code execution attacks.
• MS06-066—A pair of code execution flaws in the Client Service for NetWare are addressed in this “important” advisory. Affected software includes Windows 2000, Windows XP and Windows Server 2003.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK SecurityWatch blog.