Microsoft warns of zero-day attack
Microsoft has issued a warning about a zero-day attack, spread by phishing, that is actively exploiting a vulnerability in its XML Core Services that affects all supported versions of Windows and Office 2003 and 2007.
The vulnerability exists in versions 3.0, 4.0, 5.0 and 6.0 of XML Core Services and could allow remote-code execution if a user visits the hackers’ malicious website using Internet Explorer, Microsoft said in its advisory.
The advisory points out that attackers can’t force anyone to visit the site but would have to lure them there via links in e-mail or text messages, the common tactic of phishing campaigns.
The vulnerability could allow an attacker to gain the same rights as a logged-on users — which makes it a potentially bigger worry for administrators than regular users — and then deliver arbitrary code, Microsoft said.
The company said it is working on the problem and could issue a patch in its next regular Patch Tuesday update, or issue a more urgent out-of-band patch.
Meanwhile, Internet Explorers restricted mode, which is the default setting for Windows Server 2003, 2008 and 2008 R2, mitigates the vulnerability, the advisory states.
A Microsoft Fix it solution, available via the advisory, also will block the attack vector that exploits the vulnerability.
The warning was issued on the same day Microsoft released its June security bulletins, which include fixes for 26 security holes, 12 of them in IE.
Kevin McCaney is the executive editor of GCN. Follow him on Twitter: @KevinMcCaney.