For the second time in less than a week, Microsoft has acknowledged that attackers are exploiting a critical, unpatched flaw in Windows to snatch PCs from their owners. The new bug, which is in an ActiveX component of Microsoft XML Core Services 4.0 -- a service that lets developers use scripting languages such as JavaScript and Visual Basic to access XML documents -- is being put to work now by attackers, Microsoft admitted in a security advisory posted late Friday.
"We are aware of limited attacks that are attempting to use the reported vulnerability," said Ben Richeson, a program manager with the Microsoft Security Response Center, in a blog entry Saturday. "We"ll continue to monitor the situation and provide updates should the situation change," Richeson added. A hacker can hijack PCs running Windows 2000, Windows XP SP2, or Windows Server 2003 by enticing Internet Explorer-equipped users to a malicious Web site, where the vulnerability would be exploited.