Microsoft to patch critical zero-day flaws in Windows

The software giant posted advance notification of the upcoming fixes on its TechNet site Thursday. The programs will be patched Tuesday, Nov. 14.

Microsoft is addressing a zero-day flaw found in XML Core Services, a component of Windows. The problem is an unspecified error in the XMLHTTP 4.0 ActiveX control, Microsoft said in an advisory last week.

Microsoft attacks: Microsoft eyes second zero-day threat in a week Zero-day attacks target Microsoft Visual Studio How to deploy Microsoft patches without Active Directory or SMS Step-by-Step Guide: How to deploy a successful patch Patch deployment timeline

If exploited, an attacker could cause a denial of service or run malicious code on targeted machines. A user would have to visit a malicious Web site in order for the attack to succeed, Microsoft said.

It is expect that Microsoft will also address a zero-day flaw in Visual Studio 2005, which was announced Nov. 1. Attackers could exploit a flaw that is in an ActiveX control, which is part of Visual Studio. Danish vulnerability clearinghouse Secunia rated the flaw "extremely critical." Until Microsoft releases the fix, a set of workarounds have been announced for IT administrators.

Microsoft is also expected to patch two new flaws in an ActiveX object in Internet Explorer (IE) and a third flaw discovered in the new IE 7.

In addition, two non-security high priority updates will be released on Microsoft Update and Windows Server Update Services. There are no non-security high priority updates for Windows or Windows Update and Software Update Services, Microsoft said.

In addition to the patches, Microsoft will release an updated version of its Malicious Software Removal Tool, as has been its monthly practice. It will also host a webcast Wednesday to answer questions IT administrators may have.

Microsoft issued 10 patches in its security update last month. The vendor addressed 26 different vulnerabilities with the patches.