November 6th, 2006
Microsoft XML parser zero-day vulnerability in the wild
Microsoft is warning of a new critical vulnerability in its XML Core Services 4.0 that can be exploited as an ActiveX control in Internet Explorer (all versions) though it does not affect Windows Vista. While the component isn't installed by Windows by default and the exploit seems to be unreliable, it is still a good idea to take the precautionary measures. Users and IT departments can deploy a registry fix which sets the kill bit for this XML ActiveX control by using a .REG file shown in this advisory.
[Update: I had to remove the .REG text here because I can't get the backslash to show up here. Please copy it from Microsoft's advisory]
This is the second zero-day ActiveX control exploit that surfaced last week. The previous ActiveX control exploit affected a component in Microsoft Visual Studio 2005 but not too many people have that component installed and IE7 has that component disabled by default. Microsoft has taken a defensive stance with Internet Explorer 7 by disabling 90% of the ActiveX controls by default. However, this latest XML parser vulnerability is one of the remaining ActiveX controls enabled by default.
Users can disable ActiveX in Microsoft Internet Explorer permanently or use an alternate browser like Mozilla Firefox or Opera if they want to avoid these types of issues, but certain websites that use ActiveX controls will fail to function.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
