Attacks Launched Against Unpatched Windows Bug

The new bug, which is in an ActiveX component of Microsoft XML Core Services 4.0 -- a service that lets developers use scripting languages such as JavaScript and Visual Basic to access XML documents -- is being put to work now by attackers, Microsoft admitted in a security advisory posted late Friday.

"We are aware of limited attacks that are attempting to use the reported vulnerability," said Ben Richeson, a program manager with the Microsoft Security Response Center, in a blog entry Saturday. "We'll continue to monitor the situation and provide updates should the situation change," Richeson added.

A hacker can hijack PCs running Windows 2000, Windows XP SP2, or Windows Server 2003 by enticing Internet Explorer-equipped users to a malicious Web site, where the vulnerability would be exploited.

The bug is probably related to the XML Core Services vulnerability patched last month, said Minoo Hamilton, senior security researcher with patch management vendor nCircle. "This looks like a follow-on to MS06-061. It's almost like every time a new patch comes up, there are enough people looking at the [vulnerable] component or around it that there's one or two other flaws found."

By issuing a new advisory, Microsoft is essentially admitting that the October patch didn't plug every hole. "They're saying that they've found exploit code in the wild," said Hamilton, "and that it's an issue that the patch doesn't deal with. They've found another vulnerability that needs yet another patch."

The October security updates set records for the total of vulnerabilities fixed (26) and the number of critical flaws disclosed (14).

Microsoft doesn't rank the threats spelled out in its advisories, but the company said it would patch the problem either in a regularly scheduled update -- the next is due Nov. 14 -- or in an "out-of-cycle" fix. The latter, where Microsoft breaks with its schedule to push out a patch, is unusual. Only two out-of-cycle patches have been issued so far this year. The most recent was in September, when Microsoft unveiled a fix for the VML vulnerability.

Danish security vulnerability tracker Secunia pegged the bug as "extremely critical." Other security organizations, including US-CERT, the federally funded cyber-response group, and SANS Institute's Internet Storm Center, also issued warnings over the weekend and on Monday. In its alert, however, US-CERT downplayed the problem. "MSXML 4.0 doesn't come with Windows XP by default, but is available as a separate download and is also bundled with many applications," its warning read.

Microsoft's security advisory lists several workarounds users can implement in lieu of a patch; they include the venerable "kill bit" tactic of editing the Windows registry to disable the flawed ActiveX control. Other recommendations included reconfiguring Internet Explorer to disable all ActiveX controls and/or boosting the security settings of the browser.

This is the second advisory Microsoft has posted in the last week concerning a zero-day flaw, one which attackers already are exploiting. The first called out a critical flaw in Visual Studio 2005 last Tuesday. It also was the fifth vulnerability affecting Internet Explorer that's been disclosed since the browser updated to version 7 on Oct. 18.