
XML Zero-Day Flaw Enables Attacker to Target Internet Explorer, Office

Written By
Brian Prince
Jun 13, 2012

A zero-day flaw in versions of Microsoft’s XML Core Services (MSXML) is being actively exploited in the wild.

The vulnerability, which was discovered by Google, exists when MSXML attempts to access an object in memory that has not been initialized, and affects all supported versions of Windows as well as Microsoft Office 2003 and 2007. In a blog post, Google Security Engineer Andrew Lyons wrote the attacks were being distributed both through malicious Web pages targeting Internet Explorer users as well as through Office documents.

If successfully exploited, the bug allows an attacker to execute code remotely on the victim's machine.

“We discovered this vulnerability—which is leveraged via an uninitialized variable—being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30,” he said. “Over the past two weeks, Microsoft has been responsive to the issue and has been working with us.”

“We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix-it while Microsoft develops and publishes a final fix as part of a future advisory,” Lyons added.

Microsoft released a security advisory about the vulnerability Tuesday, the same day as its monthly Patch Tuesday update. MSXML enables customers who use JScript, Visual Basic Scripting Edition (VBScript) and Microsoft Visual Studio 6.0 to develop XML-based applications. This includes applications that are interoperable with other applications that adhere to the XML 1.0 standard. According to Microsoft, the vulnerability resides in XML Core Services 3.0, 4.0, 5.0 and 6.0.

“The vulnerability could allow remote-code execution if a user views a specially crafted Web page using Internet Explorer,” Microsoft explained in its advisory. “An attacker would have no way to force users to visit such a Website. Instead, an attacker would have to convince users to visit the Website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s Website.”

Angela Gunn of Microsoft’s Trustworthy Computing group blogged that the vulnerability is under review and also recommended users apply the fix included with the advisory. She did not indicate when a patch would be ready.
