New zero day attack on Internet Explorer

Stan Beer
Tuesday, 07 November 2006 08:23

Your IT - Home IT

A new zero day vulnerability that is currently being exploited in the wild has been discovered in Microsoft software used to build XML applications. Users who visit malicious websites that exploit the vulnerability may find that code is executed on their machines using the same level of privileges that they have.

The vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0, can be exploited on both IE6 and IE7 and Microsoft has acknowledged that attacks are occurring.

"We are aware of limited attacks that are attempting to use the reported vulnerability," Microsoft states in a security advisory on its site.

"In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the advisory goes on to say."

Microsoft advises: "Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the US should contact the national law enforcement agency in their country."

According to security monitoring organization SANS Institute, no patch is yet available. It is not yet known whether Microsoft will have a patch available in time for Patch Tuesday, November 14.