Microsoft tackles second zero-day threat in a week

By Bill Brenner, Senior News Writer 06 Nov 2006 | SearchSecurity.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

Attackers could cause a denial of service or run malicious code on targeted machines by exploiting a flaw in Microsoft XML Core Services, a component of Windows. The problem is an unspecified error in the XMLHTTP 4.0 ActiveX control, Microsoft said in an advisory on its TechNet Web site.

More on Microsoft Microsoft warns of new IE threat  Microsoft releases 13 security patches

"We are aware of limited attacks that are attempting to use the reported vulnerability," the software giant said.

Microsoft stressed that users would need to visit certain malicious Web sites for an attack to succeed.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the company said. "A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs."

The latest zero-day adds to a growing pile of flaws Microsoft must contend with. Last week, the company warned that attackers were actively exploiting a zero-day flaw in Visual Studio 2005.

Meanwhile, the software giant faces three other security holes. According to a series of advisories posted in the last two weeks:

• The "Execute()" function of the ADODB.Connection ActiveX object in IE contains an unspecified vulnerability that remote, unauthenticated attackers could exploit to launch malicious code or cause the browser to crash.
• Danish vulnerability clearinghouse Secunia has uncovered another flaw in the newly released IE 7. This is the third IE 7 flaw the firm claims to have found in the last 12 days, and attackers could exploit it to spoof the content of legitimate Web sites.
• Organizations using an Internet Connection Sharing (ICS) program are vulnerable to a Windows flaw attackers could exploit to cause a denial of service.

Thursday, Microsoft will release a preliminary advisory outlining which programs are to be patched Tuesday, Nov. 14. Until a patch is released for the Windows flaw, Microsoft suggests IT administrators use the following workarounds:

• Prevent the XMLHTTP 4.0 ActiveX control from running in Internet Explorer.
• Configure Internet Explorer to prompt before running active scripting or disable active scripting in the Internet and local intranet security zone.
• Configure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and local intranet security zone.
• Set Internet and local intranet security zone settings to "high" to prompt before running ActiveX controls and active scripting in these zones.

This article originally appeared on SearchSecurity.com.

Tags: Enterprise information security management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise information security management Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Avoiding gotchas of security tools and global data privacy laws Security standards to help manage compliance for those federal funds Information security and IT governance guides for CIOs CIO turns to identity and access management to solve business problem Log management tool, SIM boxes combine to form security architecture Mobile data protection options for enterprise CIOs For network access control, this shop chose Microsoft NAP; here's why Network access control case studies show varied options

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary