Topic: FixIt: Microsoft XML Core Services Uninitialised Object Vulnerability

Offline ky331

The following was copied/pasted from http://secunia.com/advisories/49456 :

Description

A[n extremely critical] vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error when attempting to access an object in memory that has not been initialised.

Successful exploitation allows execution of arbitrary code by e.g. tricking a user into viewing a malicious web page in Internet Explorer.

NOTE: The vulnerability is reportedly being actively exploited.

Provided and/or discovered by
Reported as a 0-day.

=========

This vulnerability is UNpatched! But Microsoft has acknowledged it:

"Upon completion of our investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs".

For technical details, see http://technet.microsoft.com/en-us/security/advisory/2719615

For a "temporary work-around" ("fix it"), see http://support.microsoft.com/kb/2719615

Microsoft Fix it 50897 enables the [temporary] fix.

Also be sure to download and save Microsoft Fix it 50898, which UNDOES the temporary fix [This should be run when Microsoft eventually releases the "permanent"/official fix for this issue].



Offline Hoov

Thanks for the heads up!

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Bugbatter


'State-sponsored attackers' using IE zero-day to hijack GMail accounts

Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.”
https://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462


Microsoft MVP - Consumer Security