Microsoft’s warning of a vulnerability in its XML Core Services 3.0, 4.0, 5.0 and 6.0 that allows remote code to be executed if a victim is convinced to visit a malicous Web site using Internet Explorer. The actively exploited security hole affects all supported Windows releases and all supported editions of Office 2003 and 2007.
“An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website,” according to the security advisory.
“The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.”
The flaw was found by Google researchers and reported to Microsoft on May 30. “Over the past two weeks, Microsoft has been responsive to the issue and has been working with us,” Andrew Lyons, a Google security engineer, wrote in a blog post. “These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.”
In order to launch a Web-based attack, the hacker would need to host a Web site that contains a Web page used to exploit the vulnerability and then convince users to visit the site. Once someone does, the attacker could gain the same user rights as the one that is logged on, making those with admin user rights more at risk than those with few rights on the system.
IE on Windows Server 2003, 2008 and 2008 R2 by default runs in a restricted mode that also could migitate risk.
Both Google and Microsoft recommend a workaround until an update is available either in the next monthly patch cyle or as a special release.