ActiveX – reason of the newest Windows 0-day, again

ActiveX component entitled as XMLHTTP 4.0 ActiveX Control is the vulnerable component of the newest zero-day vulnerability in Microsoft XML Core Services reported recently.

Official Security Advisory from Redmond guys is located at

www.microsoft.com/technet/security/advisory/927892.mspx.

It is worth of mentioning that this code execution vulnerability triggers when a malicious Web site is being visited using Internet Explorer browser, IE6 and IE7.

Techically the problem is that setRequestHeader() can’t handle HTTP requests correctly.

Microsoft states that Microsoft XML Core Services 4.0 installed on Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP0/SP1 include the vulnerable ActiveX.

And active exploitation of this vulnerability has started already.

Update 6th Nov: Microsoft XML Core Services version 4.0 was fixed with MS06-061 in October. This was information disclosure type vulnerability.

Share
  • Pingback: MalwareTeks Blog : XMLHTTP Zero-Day Exploit

  • private

    Have you test that the Microsoft XML Core Services version 4.0 fixed with MS06-061 fix this new vulnerability ?

  • duke

    MSXML4 is not part of Windows XP

  • http://networksecurity.typepad.com/ Juha-Matti

    ‘private’, not personally but this vulnerability has been confirmed on fully patched XP SP2 system including XML Core Services 4.0.

  • duke

    http://secunia.com/advisories/22687/
    Software: Microsoft Core XML Services (MSXML) 4.x

    The flaw is in MSXML4, NOT in Windows. MSXML4 is not installed in a default Windows configuration

  • duke

    http://www.microsoft.com/technet/security/advisory/927892.mspx

    This advisory discusses the following software.

    Related Software
    Microsoft XML Core Services 4.0 [b]when[/b] installed on Windows 2000 Service Pack 4

    Microsoft XML Core Services 4.0 [b]when[/b] installed on Microsoft Windows XP Service Pack 2

    Microsoft XML Core Services 4.0 [b]when[/b] installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1