
Yesterday, Microsoft released Security Advisory 2719615, associated with a vulnerability in Microsoft XML Core Services. We want to share more details about the issue and explain the additional workarounds available to help you protect your computers.
A vulnerability exists in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that could be exploited if a user views a specially crafted webpage using Internet Explorer. The issue is triggered when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. This class of vulnerability is exploitable by preparing both stack and heap memory with attacker-controlled data before the invalid pointer dereference. In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted web page.
The vulnerability can be triggered only through the use of Active Scripting, so the following standard workarounds still apply: Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls and Active Scripting in these zones. Restrict Web sites to only your trusted Web sites.
We consider these, together with disabling MSXML ActiveX controls, to be too disruptive to the Internet Explorer browsing experience to be considered practical for wide adoption. At the same time, we know this vulnerability is actively exploited in the wild for targeted attacks. In such situations, we offer guidance and workarounds in a Security Advisory, in order to protect customers as fully as possible while we prepare the necessary security update.