More ActiveX woes

A 0-day, critical vulnerability has been found in Microsoft’s MSXML 4.0 XMLHTTP ActiveX control. No word on if MSXML 6.0 is affected.

According to the CERT advisory #585137:

The XMLHTTP 4.0 ActiveX control contains an unspecified memory corruption vulnerability. When certain methods of the XMLHTTP ActiveX control are called with invalid parameters, process memory is corrupted in an exploitable manner.

Note that this vulnerability is being actively exploited.

CERT has a couple of workarounds but you can find other workarounds on the Microsoft Technet site.

Servers running Windows Server 2003, with or without SP1, are not affected if Enhanced Security Configuration is turned on (default setting). MSXML 4.0 does not come with Windows XP by default. It is available as a download or is bundled with applications.

One surefire way to see if you are affected is to check for the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}

If it doesn’t exist, you don’t have MSXML 4.0 installed.

Links:
CNet story
ISS bulletin

07.Nov.06 Security, Windows

You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.

Leave a Reply

Name

Mail (will not be published)

Website