A vulnerability has been found in Microsoft XML Core Services (MSXML) that attackers can use to execute malicious code remotely on an affected system. According to advisories issued by several security companies, an attacker can craft a specially manipulated HTML page which, when viewed on a vulnerable system, triggers memory corruption in the XMLHTTP 4.0 ActiveX control, more specifically in its setRequestHeader method, allowing a third party to execute arbitrary code with the privileges of the logged-on user.
The flaw has already been confirmed by Microsoft, which published an advisory stating that the bug is already being exploited in the wild through malicious websites. All versions of Internet Explorer, including version 7, are currently affected. Windows 2000, Windows XP Service Pack 2 and Windows Server 2003 are also on the list of affected systems.
For the time being there is no fix available for the flaw in question, although Microsoft recommends some workarounds, among them setting the kill bit for the vulnerable ActiveX control (so that Internet Explorer refuses to instantiate it), and configuring Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting in the Internet and Local intranet zones altogether.
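The kill-bit workaround above, as an added example that is not part of the original article or of Microsoft's advisory. The CLSID is the one Microsoft published for the MSXML 4.0 XMLHTTP control (verify it against the advisory before rolling out); the script, the function names, and the 0x400 flag value (the kill bit in Compatibility Flags) are otherwise an assumption of this example. Run it from an elevated prompt; a .reg file with the same key and value does the same job on systems without PowerShell.

```powershell
# Added example: set and verify the IE kill bit for the MSXML 4.0 XMLHTTP control.
# Not from the original article. CLSID taken from Microsoft's published advisory;
# confirm it before deployment. Requires administrative rights (writes HKLM).

# ASSUMPTION: CLSID of Msxml2.XMLHTTP.4.0 as listed by Microsoft.
$Clsid = '{88d969c5-f192-11d4-a65f-0040963251e5}'
$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load the control

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present and OR in the kill bit.
    $current = 0
    $existing = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($existing) { $current = [int]$existing.'Compatibility Flags' }
    $newValue = $current -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $newValue -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    # Kill bit is set only if the 0x400 bit is present; other bits are unrelated.
    return (([int]$prop.'Compatibility Flags') -band $KillBit) -eq $KillBit
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    Write-Host "Kill bit set for $Clsid; Internet Explorer will no longer instantiate this control."
} else {
    Write-Warning "Kill bit NOT set for $Clsid; check permissions and the registry path."
}
```

Note that the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control; other applications that create Msxml2.XMLHTTP.4.0 directly through COM are unaffected, and on 64-bit systems the Wow6432Node copy of the key needs the same value for 32-bit IE.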
A fix for this flaw is expected in Microsoft's next monthly patch release, scheduled for next Tuesday, November 14th.
2006-10-20 – Internet Explorer 7 has a security flaw in its anti-phishing control
2006-10-11 – Microsoft fixes 26 flaws in the October security bulletin