Tuesday, 7 November 2006
Microsoft Investigates XMLHTTP Vulnerability
Microsoft is investigating public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker’s web site to be at risk, the company said.
Microsoft promises to release a security update either through its monthly release process or as an out-of-cycle update, depending on customer needs. Customers are encouraged to keep their anti-virus software up to date, the company said.
Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. According to the company, ways to protect your system from attacks leveraging this flaw include:
- Set the kill bit for the ActiveX control in the registry
- Configure IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones
- Configure IE to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zones
- Set the Internet and Local intranet security zone settings to 'High'
- For Windows Server 2003 users, turn on the Enhanced Security Configuration
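
The first workaround, setting the kill bit, as an added example that is not part of the original article or of Microsoft's advisory: a PowerShell script that reports whether the kill bit is set for a control and sets it only when `$Apply` is true. The CLSID is a placeholder because the article does not give one; `$Apply` and the function names are choices made for this example.

```powershell
# Added example: audit (and optionally set) the IE kill bit for one ActiveX control.
# $Clsid is a PLACEHOLDER; take the real class ID from the vendor advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400      # bit in "Compatibility Flags" that stops IE loading the control
$Apply   = $false     # assumption of this example: report only unless set to $true

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so check both views.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$KeyPath) {
    # Returns the current flags, or 0 when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit([string]$KeyPath) {
    # OR the bit in so that flags already present on the key are preserved.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $new = (Get-CompatFlags $KeyPath) -bor $KillBit
    New-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' `
                     -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($root in $Roots) {
    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
    $key = Join-Path $root $Clsid
    if ($Apply) { Set-KillBit $key }      # requires an elevated session
    $flags = Get-CompatFlags $key
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}
```

A row with `KillBitSet` false in either registry view means Internet Explorer in that view can still instantiate the control.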