
Microsoft XML Core Services Vulnerability

Just saw this one this morning. This one is a remote execution vulnerability.

“Microsoft is investigating public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability.

Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.”

Make sure your anti-virus is up to date.

Article Link

UPDATE: Here is more information on this vuln from the SecuriTeam site.

UPDATE 2: Here is the US-CERT link for the Vulnerability note.

UPDATE 3: This problem was apparently fixed in MS06-061.

UPDATE 4: The Workaround (at your own risk)

Disable the XMLHTTP 4.0 object in Internet Explorer

The XMLHTTP 4.0 ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{88d969c5-f192-11d4-a65f-0040963251e5}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
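
To confirm the workaround took effect, the read-only PowerShell check below reads the Compatibility Flags value for the CLSID above and tests the 0x400 kill bit. It is an added example, not part of the original post or of Microsoft's guidance. It assumes PowerShell 3.0 or later, and the function name Test-KillBit is hypothetical. On 64-bit Windows it also checks the Wow6432Node copy of the key, which is the one 32-bit Internet Explorer reads.

```powershell
# Added example: audit the kill bit for the XMLHTTP 4.0 control (read-only).
# CLSID and flag value are taken from the .REG file above.
$Clsid   = '{88d969c5-f192-11d4-a65f-0040963251e5}'
$KillBit = 0x400

# Registry views to inspect. Run this from a 64-bit PowerShell session so the
# "native" path is not silently redirected to Wow6432Node.
$Views = [ordered]@{
    'native'      = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    'Wow6432Node' = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    # Hypothetical helper: returns a status string for one registry key path.
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'key missing' }

    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($null -eq $flags) { return 'value missing' }

    # Other bits may be set in the same DWORD, so test the bit rather than
    # comparing the whole value.
    if (($flags -band $KillBit) -eq $KillBit) { return 'kill bit set' }
    return ('kill bit NOT set (flags=0x{0:X8})' -f $flags)
}

foreach ($view in $Views.Keys) {
    # The Wow6432Node view only exists on 64-bit Windows.
    if ($view -eq 'Wow6432Node' -and -not [Environment]::Is64BitOperatingSystem) {
        continue
    }
    [pscustomobject]@{
        View   = $view
        Status = Test-KillBit -KeyPath $Views[$view]
    }
}
```

Any view that reports anything other than "kill bit set" still allows that flavor of Internet Explorer to instantiate the control.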

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the “Securing Your Web Browser” document.
