Microsoft is investigating reports of a vulnerability in a Windows ActiveX control that could allow an attacker to remotely take control of a computer. One security company rated the vulnerability critical, while Microsoft said it allowed only limited attacks.
The vulnerability, which is not patched yet, affects certain versions of Windows running Microsoft XML Core Services 4.0, a set of tools that allows programmers to use scripting languages to access XML documents. The affected versions are Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1.
The SANS Institute classified the flaw as a zero-day vulnerability, meaning the problem is public but not patched. The French Security Incident Response Team called it "critical". Microsoft issues patches for its software on the second Tuesday of the month. The speed at which a patch is issued depends on the risk of the vulnerability, and the company has issued patches out of cycle for widely exploited vulnerabilities.
View: Full Article @ PC Advisor

Last edited by franzon on 06 Nov 2006 - 19:18
IE7 "ActiveX Opt-in" through which all ActiveX controls not flagged for use in the Internet Zone are disabled, preventing malicious sites from misusing these controls.
Another reason to switch to IE7
Look at end-user machines with ZoneAlarm installed on them, do you know how many of these boxes I have seen loaded with spyware which was all Allowed through the firewall, manually, by the user?
Adding prompts is just MS's way of saying they fixed the bug without actually fixing the underlying problem, and blaming the user for the issue.
Their whole UAC thing is just more of the same, I can't think of one end-user who knows which system-level components and DLLs and EXEs should be allowed what permissions on their machine -- all they know is they clicked on ABC, they want ABC to run, and they know to make it run and work they will have to answer YES to everything after clicking on it.
This is also true for any Firefox extensions.
In IE7 you have more protection because you can download and install only digitally signed ActiveX controls (you can't download unsigned ActiveX by default). Firefox doesn't have digitally signed extensions, so protection in Firefox is weak.
Last edited by franzon on 07 Nov 2006 - 09:39
MSXML4 hasn't ever shipped in the operating system; almost all Windows users don't have it. The flaw is in MSXML4 and NOT in Windows.
Last edited by franzon on 06 Nov 2006 - 19:20
Any information how I can tell what version(s) are installed or used on a Windows PC? In my system32 folder, I see .dlls for msxml, msxml2, msxml3 and msxml4. It seems that MS Office has msxml5 in the common files\microsoft shared folder.
From this, it seems that MSXML4 might very well be installed on this Win2k system. And, according to Microsoft,
• Microsoft Windows XP
• Microsoft Internet Explorer 6.0
• Microsoft SQL Server 2000
http://blogs.msdn.com/xmlteam/archive/2006...t-explorer.aspx
"MSXML4 was a predecessor to MSXML6 but hasn't ever shipped in the operating system"
look also here:
http://support.microsoft.com/kb/269238
MSXML versions that are included with Microsoft Internet Explorer
IE 6.0 SP1 ----> MSXML 3.0 SP3 (8.30.9926.0)
Secunia says that affected software is MSXML4 and it doesn't say Windows
Software: Microsoft Core XML Services (MSXML) 4.x
http://secunia.com/advisories/22687/
Microsoft advisory says "flaw in MSXML" and NOT flaw in Windows ("flaw in MSXML4 when installed")
http://www.microsoft.com/technet/security/...ory/927892.mspx
Microsoft XML Core Services 4.0 when installed on Windows 2000 Service Pack 4
Microsoft XML Core Services 4.0 when installed on Microsoft Windows XP Service Pack 2
Microsoft XML Core Services 4.0 when installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Last edited by franzon on 07 Nov 2006 - 09:25
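For the question above about telling which MSXML versions are on a machine, the following inventory script is an added example, not something posted in the thread. It assumes PowerShell 3.0 or later, searches the folders the thread names (plus SysWOW64), and checks the `Msxml2.DOMDocument.4.0` ProgID, which is the versioned name MSXML 4.0 registers and is not mentioned on this page.

```powershell
# Added example (not from the thread): list MSXML DLLs and flag MSXML 4.x.
function Get-MsxmlInventory {
    # Folders named in the thread; SysWOW64 is an assumption for 64-bit Windows.
    $dirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64'),
        (Join-Path $env:CommonProgramFiles 'Microsoft Shared')
    ) | Where-Object { Test-Path $_ }

    foreach ($dir in $dirs) {
        # Office keeps its copy in a subfolder, so recurse only under Common Files.
        $recurse = $dir -like '*Microsoft Shared'
        Get-ChildItem -Path $dir -Filter 'msxml*.dll' -File -Recurse:$recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                        $vi.FileBuildPart, $vi.FilePrivatePart
                    # Match on the file name, not the version number: the thread
                    # cites MSXML 3.0 SP3 carrying file version 8.30.9926.0, so the
                    # file's major version does not always equal the MSXML release.
                    IsMsxml4    = $_.Name -like 'msxml4*.dll'
                }
            }
    }
}

$inventory = @(Get-MsxmlInventory)
$inventory | Sort-Object Path | Format-Table -AutoSize

# A DLL on disk only matters to a browser if its COM classes are registered.
# The ProgID below is an assumption from general MSXML knowledge, not the page.
$progId     = 'Msxml2.DOMDocument.4.0'
$registered = Test-Path "Registry::HKEY_CLASSES_ROOT\$progId"

$msxml4Files = @($inventory | Where-Object IsMsxml4)
if ($msxml4Files.Count -gt 0 -or $registered) {
    'MSXML 4.x present: files={0}, ProgID registered={1}' -f $msxml4Files.Count, $registered
} else {
    'No MSXML 4.x files or registration found in the searched locations.'
}
```

A machine that reports no MSXML 4.x files and no registration matches the situation the posts above describe, where MSXML4 was never shipped with the operating system and arrives only with other software.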
Does anyone know if this exploit can only be used by someone specifically targeting you individually and luring you to their website (like a lot of exploits)?