ActiveX – reason of the newest Windows 0-day, again

ActiveX component entitled as XMLHTTP 4.0 ActiveX Control is the vulnerable component of the newest zero-day vulnerability in Microsoft XML Core Services reported recently.

Official Security Advisory from Redmond guys is located at

It is worth of mentioning that this code execution vulnerability triggers when a malicious Web site is being visited using Internet Explorer browser, IE6 and IE7.

Techically the problem is that setRequestHeader() can’t handle HTTP requests correctly.

Microsoft states that Microsoft XML Core Services 4.0 installed on Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP0/SP1 include the vulnerable ActiveX.

And active exploitation of this vulnerability has started already.

Update 6th Nov: Microsoft XML Core Services version 4.0 was fixed with MS06-061 in October. This was information disclosure type vulnerability.

Print Friendly, PDF & Email

Published by


Security consultant from Finland

Comments are closed.