ActiveX – reason of the newest Windows 0-day, again
ActiveX component entitled as XMLHTTP 4.0 ActiveX Control is the vulnerable component of the newest zero-day vulnerability in Microsoft XML Core Services reported recently.
Official Security Advisory from Redmond guys is located at
It is worth of mentioning that this code execution vulnerability triggers when a malicious Web site is being visited using Internet Explorer browser, IE6 and IE7.
Techically the problem is that setRequestHeader() can’t handle HTTP requests correctly.
Microsoft states that Microsoft XML Core Services 4.0 installed on Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP0/SP1 include the vulnerable ActiveX.
And active exploitation of this vulnerability has started already.
Update 6th Nov: Microsoft XML Core Services version 4.0 was fixed with MS06-061 in October. This was information disclosure type vulnerability.