Microsoft warns of zero-day attack

Microsoft has issued a warning about a zero-day attack, spread by phishing, that is actively exploiting a vulnerability in its XML Core Services that affects all supported versions of Windows and Office 2003 and 2007.

The vulnerability exists in versions 3.0, 4.0, 5.0 and 6.0 of XML Core Services and could allow remote-code execution if a user visits the hackers’ malicious website using Internet Explorer, Microsoft said in its advisory.

The advisory points out that attackers can’t force anyone to visit the site but would have to lure them there via links in e-mail or text messages, the common tactic of phishing campaigns.

The vulnerability could allow an attacker to gain the same rights as the logged-on user — which makes it a potentially bigger worry for administrators than regular users — and then deliver arbitrary code, Microsoft said.

The company said it is working on the problem and could issue a patch in its next regular Patch Tuesday update, or issue a more urgent out-of-band patch.

Meanwhile, Internet Explorer's restricted mode, which is the default setting for Windows Server 2003, 2008 and 2008 R2, mitigates the vulnerability, the advisory states.
A Microsoft Fix it solution, available via the advisory, also will block the attack vector that exploits the vulnerability.

The warning was issued on the same day Microsoft released its June security bulletins, which include fixes for 26 security holes, 12 of them in IE.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

