SECURITY

Report: Microsoft XML Exploit Unpatched and in the Wild

IBM's Internet Security Systems has warned that a vulnerability in Microsoft's XML HTTP request-handling can be exploited through Internet Explorer. The flaw is currently being leveraged by spyware producers to install malware on exposed computers.


A vulnerability in Microsoft's (Nasdaq: MSFT) XML HTTP request handling can be exploited via an ActiveX control through a Web browser -- specifically Internet Explorer -- according to IBM's (NYSE: IBM) Internet Security Systems (Nasdaq: ISSX), which claims to have originally identified the flaw. The vulnerability, which is currently being leveraged by spyware producers to install malware on exposed computers, is unpatched and active in the wild, said Gunter Ollmann, Director of X-Force for IBM Internet Security Systems.

"The spyware can be accessed through various means, but most local exploitations [are] being done through Internet Explorer," he told TechNewsWorld.

What is happening, Ollmann went on to explain, is that PCs are becoming infected when users visit certain Web sites that have been set up precisely for that purpose. Spam messages that employ social engineering techniques are delivering a steady stream of unsuspecting victims to these sites, he said.

ISS is working with Microsoft to disable the Web pages, he added. He declined to provide the sites' URLs.

Core XML Engines

The vulnerability resides in some of the core XML engines within Microsoft Windows, according to the alert, specifically Microsoft XML Core Services 4.0 when installed on Windows 2000 Service Pack 4, Windows XP Service Pack 2, or Windows Server 2003 -- the latter with or without Service Pack 1.

Conceivably, third-party applications, such as a worm, could make use of the vulnerable request object. However, X-Force said it believes there are such specific requirements for triggering the vulnerable condition that it is most likely exploitable only via a Web browser.

"An attacker may host a maliciously crafted HTML document on a Web site and entice the victim to click on a link, which will load the document in their browser," the ISS states in its alert. "Once the document is loaded, the attacker will be able to execute arbitrary code on the victim's machine with the permissions of the victim user."

Spyware Attacks on the Rise

This is the second instance this month in which a spyware manufacturer has tried to distribute a malicious payload, Ollmann noted. "We are finding that there have been a number of commercial organizations set up recently to distribute this type of exploit material and sell it to spyware producers," he said.

He doesn't know which firm or firms are behind the activity -- he only knows that their malware is "out there in the wild and there is no patch."

More by Erika Morphy