Microsoft And Google Warn Over Active XML Flaw Exploitation

Two tech giants warn about an unpatched threat that is being exploited by attackers

Tech heavyweights Google and Microsoft are working together to spread the word about a known threat affecting users of Internet Explorer and Office products.

Google spotted the flaw and has been working with Microsoft since 30 May to find ways to protect users, although the vulnerability in the Microsoft XML component has already been actively exploited.

Users could have bad code installed on their systems if duped into visiting specially crafted websites in Internet Explorer or opening malicious documents in Office. The flaw affects all Windows systems from XP onwards.

Luring victims in…

“An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website,” Microsoft warned in its advisory.

“The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.”

There is currently no patch, but Microsoft has offered various workarounds, as well as a “Fix it” solution which Google advised users to initiate. IT teams can find Microsoft’s guidance on those fixes here.

The vulnerability is mitigated in Internet Explorer on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 if IT has left it running in a restricted mode known as Enhanced Security Configuration. That configuration is turned on by default in those operating systems.

Yesterday was Patch Tuesday, when Microsoft decided to withdraw a bulletin for Office that it announced last week and replace it with a bulletin for Microsoft Lync, both of which were ranked as important. The number of patched vulnerabilities has dropped from 28 to 26.

One of those flaws also affects Internet Explorer and is being actively exploited. Companies are being urged to enforce a patch for that serious security hole, as well as one for a flaw in the Microsoft browser highlighted by vulnerability seller VUPEN at the PWN2OWN contest, held in early March at CanSecWest in Vancouver.

Oracle has also issued a fresh version of Java with 14 fixes. Apple has synchronised its own release of Java with Oracle’s, following the security nightmare that was Flashback. That Trojan was able to infect over 600,000 Macs because of a flaw in Java, which Oracle did not patch for Mac OS X, despite patching it for other operating systems.

Apple came under fire for not reacting sooner to fix the Java flaws, but the latest development indicates the iPhone maker has proactively responded to criticism.
