November 7, 2006
Microsoft Warns of XML Vulnerability in Windows
A Microsoft advisory is warning users about malicious attacks based on a flaw in the XMLHTTP 4.0 ActiveX Control. A successful attack lets someone remotely take control of a machine with the same rights as the logged on user. Someone would have to visit the malicious web site for this to happen. This is possible by clicking on a link in an unsolicited email. Microsoft is investigating the problem and will issue a patch as necessary.
The vulnerabilities affect Windows 2000 with Service Pack 4, Windows XP with Service Pack 2, and to some extent, Windows Server 2003 with or without Service Pack 1 when XML Core Services 4.0 is installed. ActiveX and Active Scripting is disabled by default in the latter OS. News reports indicate that exploits are in the wild.
Microsoft's full advisory is here.
November 7, 2006 | Permalink
TrackBack URL for this entry:
Listed below are links to weblogs that reference Microsoft Warns of XML Vulnerability in Windows: