Attackers Exploit Unpatched Windows XML Flaw

Hopefully you’ve applied all of the updates and fixes from Microsoft’s Patch Tuesday by now. But, have you also implemented the workarounds Microsoft published? If not, your system could end up compromised.

While organizations and individuals were busy with the Patch Tuesday security bulletins, Microsoft also released an out-of-band security advisory for a flaw in Microsoft XML Core Services that can allow an attacker to gain control of a vulnerable system from across the Internet. The vulnerability affects all supported versions of Windows, and all supported versions of Office 2003 and Office 2007.

In the security advisory, Microsoft spells out some mitigating factors that may reduce the risk this vulnerability poses for a PC. The flaw can be exploited just by loading a malicious Web page, but there’s no way an attacker can force a user to do so. The attacker has to craft the malicious site, and then convince victims to visit the website somehow in order to compromise their systems.

Most users are conditioned not to click on links in spam email messages, or rogue instant messaging threads from strangers. But, attackers have another trick at their disposal—compromise a legitimate website that victims are already visiting of their own accord.

According to security researchers, that is exactly what is going on now. There’s evidence that a European medical site was hijacked and implanted with malicious code targeting this vulnerability, and there are probably other examples as well.

Microsoft has yet to release a patch for this flaw, and there’s no indication yet that we should expect one any earlier than the July Patch Tuesday a few weeks from now. Thankfully, there are some things you can do now to protect your systems in the meantime.

For starters, make sure your security software is up to date. Because this vulnerability is already known, security vendors are able to detect attempts to exploit it, as long as your security software is current and therefore equipped to do so.

In addition, you can also run the Fix-It tool from Microsoft. The automated tool implements measures to block the attack vector used to exploit this vulnerability. Microsoft also lists additional workarounds, like configuring Internet Explorer to prompt you before running Active Scripting, or simply disabling Active Scripting in the Internet and Local Intranet security zones.
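As an added example, not part of the article or any Microsoft tool, the following PowerShell script audits the Internet Explorer Active Scripting setting in the two zones the workaround names (Internet and Local Intranet) and can optionally set it to "Prompt". The registry layout it reads (per-user zone keys under `Internet Settings\Zones`, zone ids 1 and 3, URL action value `1400` with 0 = enable, 1 = prompt, 3 = disable) is the documented IE security-zone layout, not something the article states; the function names and the assumption that no machine-wide policy overrides the per-user values are mine.

```powershell
# Added example (not from the article): check, and optionally apply, the
# "prompt before running Active Scripting" workaround for the Internet (3)
# and Local Intranet (1) zones. Assumes the standard per-user zone settings
# under HKCU and no Group Policy override of the values read here.

$ZoneBase       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames      = @{ 1 = 'Local Intranet'; 3 = 'Internet' }   # zone ids as used by IE
$ActiveScripting = '1400'                                       # URL action: Active Scripting
$StateLabels    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Test-ActiveScriptingWorkaround {
    # Returns one object per zone: current state and whether it already
    # matches the advisory workaround (prompt or disabled).
    foreach ($id in ($ZoneNames.Keys | Sort-Object)) {
        $path  = Join-Path $ZoneBase "$id"
        $value = (Get-ItemProperty -Path $path -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting

        if ($null -eq $value) {
            $state = 'Not set (zone default applies)'
        } elseif ($StateLabels.ContainsKey([int]$value)) {
            $state = $StateLabels[[int]$value]
        } else {
            $state = "Unknown ($value)"
        }

        [pscustomobject]@{
            Zone            = $ZoneNames[$id]
            ZoneId          = $id
            ActiveScripting = $state
            MeetsWorkaround = ([int]$value -eq 1 -or [int]$value -eq 3)
        }
    }
}

function Set-ActiveScriptingPrompt {
    # Applies the "Prompt" setting (value 1) to any zone that does not yet
    # meet the workaround. Use -WhatIf to preview without writing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($zone in (Test-ActiveScriptingWorkaround | Where-Object { -not $_.MeetsWorkaround })) {
        $path = Join-Path $ZoneBase "$($zone.ZoneId)"
        if ($PSCmdlet.ShouldProcess("$($zone.Zone) zone", 'Set Active Scripting to Prompt')) {
            Set-ItemProperty -Path $path -Name $ActiveScripting -Value 1 -Type DWord
        }
    }
}

# Usage: report the current state, then apply the prompt setting if needed.
Test-ActiveScriptingWorkaround | Format-Table -AutoSize
# Set-ActiveScriptingPrompt -WhatIf   # preview the change
# Set-ActiveScriptingPrompt           # apply it
```

Running the audit before and after the Fix-It tool gives a quick way to confirm the setting actually changed on a given machine; on a domain-joined system, a Group Policy setting for the same zones takes precedence over these per-user values, so a "Not set" result there should be checked against policy rather than treated as unprotected.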

You’re probably smart enough not to click on suspicious or malicious links that would lure you to sites exploiting the Microsoft XML flaw, but there’s no easy way for you to determine whether the legitimate websites you visit have been infected. Make sure you take steps to guard against these attacks until a patch is available.
