Windows users vulnerable to "extremely critical" site coding bug

Posted by Mark Raby

Chicago (IL) - According to advisories published by several security companies, there is a new security flaw that can be exploited through Microsoft's XML Core Services, causing affected users to lose control of their computers in what a security company is calling an "extremely critical" vulnerability.

The bug is reportedly triggered when a user visits a malicious site that causes the computer to run the XMLHTTP 4.0 ActiveX control, and could cause remote seizure and control of a PC, allowing hackers to gain access to someone's private information.

Denmark-based Secunia issued an advisory that warns users of the fatal flaw and said it could lead to "loss of confidential information, disruption of business, or further compromise." The security hole is reported to affect only users running Internet Explorer on specific versions of Windows. Windows 2000, Windows Server 2003, and Windows XP with Service Pack 2 are the operating systems known to be affected.

Microsoft has confirmed that the exploit exists, saying, "We are aware of limited attacks that are attempting to use the reported vulnerability." Microsoft also said that, if customer need warrants it, the company will release a special security patch outside of the monthly update scheduled for November 14.