For the second time in less than a week, Microsoft is warning of attacks targeting a zero-day flaw. This time, the target is a security hole within the Windows operating system.

Attackers could cause a denial of service or run malicious code on targeted machines by exploiting a flaw in Microsoft XML Core Services, a component of Windows. The problem is an unspecified error in the XMLHTTP 4.0 ActiveX control, Microsoft said in an advisory on its TechNet Web site.

"We are aware of limited attacks that are attempting to use the reported vulnerability," the software giant said.

Microsoft stressed that users would need to visit certain malicious Web sites for an attack to succeed.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the company said. "A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs."

The latest zero-day adds to a growing pile of flaws Microsoft must contend with. Last week, the company warned that attackers were actively exploiting a zero-day flaw in Visual Studio 2005.

Meanwhile, the software giant faces three other security holes. According to a series of advisories posted in the last two weeks:

- The "Execute()" function of the ADODB.Connection ActiveX object in IE contains an unspecified vulnerability that remote, unauthenticated attackers could exploit to launch malicious code or cause the browser to crash.
- Danish vulnerability clearinghouse Secunia has uncovered another flaw in the newly released IE 7. This is the third IE 7 flaw the firm claims to have found in the last 12 days, and attackers could exploit it to spoof the content of legitimate Web sites.
- Organizations using an Internet Connection Sharing (ICS) program are vulnerable to a Windows flaw attackers could exploit to cause a denial of service.

Thursday, Microsoft will release a preliminary advisory outlining which programs are to be patched Tuesday, Nov. 14. Until a patch is released for the Windows flaw, Microsoft suggests IT administrators use the following workarounds:

- Prevent the XMLHTTP 4.0 ActiveX control from running in Internet Explorer.
- Configure Internet Explorer to prompt before running active scripting or disable active scripting in the Internet and local intranet security zones.
- Configure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and local intranet security zones.
- Set the Internet and local intranet security zone settings to "high" to prompt before running ActiveX controls and active scripting in these zones.
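The first three workarounds above map onto well-known Internet Explorer registry settings: the ActiveX "kill bit" (Compatibility Flags 0x400 under the control's CLSID) and the per-zone actions 1200 (run ActiveX controls) and 1400 (active scripting). The following PowerShell script is an added example, not code from the article or from Microsoft's advisory; it applies those settings and reads them back for auditing. The CLSID variable is a placeholder, and the real CLSID of the XMLHTTP 4.0 control must be taken from Microsoft's advisory; the kill-bit step needs an elevated shell because it writes to HKLM.

```powershell
# Placeholder only: replace with the XMLHTTP 4.0 control's CLSID from Microsoft's advisory.
$KillBitClsid = '{00000000-0000-0000-0000-000000000000}'

# Workaround 1: set the kill bit so Internet Explorer refuses to instantiate the control.
function Set-KillBit([string]$Clsid) {
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# Workarounds 2 and 3: zone 1 = Local intranet, zone 3 = Internet.
# Setting 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Action 0 = enable, 1 = prompt, 3 = disable.
function Set-ZoneAction([int]$Zone, [string]$Setting, [int]$Action) {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    Set-ItemProperty -Path $key -Name $Setting -Value $Action -Type DWord
}

# Read the settings back so the change can be verified before relying on it.
function Test-Workarounds([string]$Clsid) {
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killBitSet = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
    $zones = foreach ($z in 1, 3) {
        $p = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        [pscustomobject]@{ Zone = $z; ActiveX = $p.'1200'; ActiveScripting = $p.'1400' }
    }
    [pscustomobject]@{ KillBitSet = $killBitSet; Zones = $zones }
}

Set-KillBit $KillBitClsid
foreach ($zone in 1, 3) {
    Set-ZoneAction -Zone $zone -Setting '1200' -Action 1   # prompt before running ActiveX controls
    Set-ZoneAction -Zone $zone -Setting '1400' -Action 1   # prompt before running active scripting
}
Test-Workarounds $KillBitClsid | Format-List
```

Use an action of 3 instead of 1 to disable rather than prompt, matching the "disable" alternative in the workaround text; the zone values live under HKCU, so they must be applied for each user profile (or via Group Policy) to cover every account on the machine.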