New IE vulnerability found
Written by Gizmo   
Monday, 06 November 2006 07:52

Internet Security Systems (ISS) have published a bulletin warning about a new XML HTTP Request vulnerability that has been discovered in the wild.  In order to exploit the vulnerability, the attacker would have to direct the victim to a specially crafted web page.  The code on the web page would then use a vulnerable ActiveX control to attack the victim's machine, running arbitrary code with the same permissions as the victim.  ISS claim that the vulnerability lies within core XML handling components within Windows and their inability to handle improperly formatted arguments.  All versions of IE are vulnerable, according to the bulletin.

If the vulnerability actually lies within the MSXML components, then any application that uses them would potentially be vulnerable. This would include things like Microsoft SQL Server, which supports XML queries.
