Microsoft faces second zero-day threat in a week

By Bill Brenner, Senior News Writer 06 Nov 2006 | SearchSecurity.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

Attackers could cause a denial of service or run malicious code on targeted machines by exploiting a flaw in Microsoft XML Core Services, a component of Windows. The problem is an unspecified error in the XMLHTTP 4.0 ActiveX control, Microsoft said in an advisory on its TechNet Web site.

More on Microsoft Microsoft virtualization license plan has users hopeful  Microsoft's Ballmer: Software isn't dead

"We are aware of limited attacks that are attempting to use the reported vulnerability," the software giant said.

Microsoft stressed that users would need to visit certain malicious Web sites for an attack to succeed.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the company said. "A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs."

The latest zero-day adds to a growing pile of flaws Microsoft must contend with. Last week, the company warned that attackers were actively exploiting a zero-day flaw in Visual Studio 2005.

Meanwhile, the software giant faces three other security holes. According to a series of advisories posted in the last two weeks:

• The "Execute()" function of the ADODB.Connection ActiveX object in IE contains an unspecified vulnerability that remote, unauthenticated attackers could exploit to launch malicious code or cause the browser to crash.
• Danish vulnerability clearinghouse Secunia has uncovered another flaw in the newly released IE 7. This is the third IE 7 flaw the firm claims to have found in the last 12 days, and attackers could exploit it to spoof the content of legitimate Web sites.
• Organizations using an Internet Connection Sharing (ICS) program are vulnerable to a Windows flaw attackers could exploit to cause a denial of service.

Thursday, Microsoft will release a preliminary advisory outlining which programs are to be patched Tuesday, Nov. 14. Until a patch is released for the Windows flaw, Microsoft suggests IT administrators use the following workarounds:

• Prevent the XMLHTTP 4.0 ActiveX control from running in Internet Explorer.
• Configure Internet Explorer to prompt before running active scripting or disable active scripting in the Internet and local intranet security zone.
• Configure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and local intranet security zone.
• Set Internet and local intranet security zone settings to "high" to prompt before running ActiveX controls and active scripting in these zones.

This article originally appeared on SearchSecurity.com.

Tags: Information security management for the midmarket,  Risk management for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Test your knowledge: IT quizzes for midmarket CIOs Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program Risk management for the midmarket Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge Adopting a beta tool: Risks vs. rewards for a midsized enterprise The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility How to decide if changing technology vendors is worth the time, risk A guide to managing the risk assessment process Free risk management tools and resources for the enterprise CIOs taking risk of cutting vendor maintenance contracts to save money 10 must-have steps for an effective SMB information security program

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary