Warning: 0-Day Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability
Tuesday, 07 November 2006 by Michel Roth
A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a users system. This exploit affects Windows 2000, XP and 2003 Server.

The vulnerability is caused due to an unspecified error in the XMLHTTP 4.0 ActiveX Control.Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer.

Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control, by editing the registry. Check out the Microsoft advisory's workaround section for details.

NOTE: The vulnerability is already being actively exploited by malicious web sites.

Read the Microsoft advisory or the Secunia advisory.

Related Items:

0-Day Microsoft Excel Unspecified Code Execution Vulnerability (19 June 2006)
Internet Explorer "object" Tag Memory Corruption Code Execution (26 April 2006)
0-Day Microsoft Word 2000 Unspecified Code Execution Vulnerability (5 September 2006)
Warning: Microsoft Windows WMF Handling Arbitrary Code Execution - Exploit In the Wild (29 December 2005)
Zero Day Microsoft Word Unspecified Code Execution Vulnerability (20 May 2006)
Citrix ICA Client ActiveX Control Heap Overflow Vulnerability (6 December 2006)
Citrix Presentation Server Client Unspecified Code Execution (2 March 2007)
Microsoft Windows "itss.dll" Heap Corruption Unpatched Vulnerability (10 May 2006)
Firefox IDN URL Domain Name Buffer Overflow (13 September 2005)
Unpatched Internet Explorer Vulnerability, Exploit Released (8 November 2004)
Comments (0)add feed
Show/Hide comment formtoggle
password
 

busy