Security researchers have identified an unpatched vulnerability in Windows. The flaw - which affects all supported versions of Windows bar Windows 2003 - resides in a security bug in Microsoft XML Core Services, specifically an unspecified security bug in the XMLHTTP 4.0 ActiveX Control.

The flaw creates a means for hackers to inject malware onto the PCs of surfers running IE who visit a website hosting malicious code that attempts to harness the security bug. Security notification firm Secunia says that the vulnerability is being actively exploited by hackers.

Microsoft has posted an advisory conceding the problem and suggesting possible workarounds, which basically involve disabling the affected ActiveX control, ahead of the arrival of a patch. ®

Related stories

• Acer 'preloads vulns' onto notebooks (10 January 2007)

  https://www.theregister.com/2007/01/10/acer_notebook_vuln/

• IE 'unsafe' for 284 days last year (5 January 2007)

  https://www.theregister.com/2007/01/05/ie_unsafe/

• MS preps six fixes for November Patch Tuesday (10 November 2006)

  https://www.theregister.com/2006/11/10/nov_patch_tuesday-pre-alert/

• Attackers end-run around IE security (8 November 2006)

  https://www.theregister.com/2006/11/08/ie_security_analysis/

• Web viruses drop off despite IE exploit flap (18 October 2006)

  https://www.theregister.com/2006/10/18/malware_trends_scansafe/

• Mozilla flaws more joke than jeopardy (5 October 2006)

  https://www.theregister.com/2006/10/05/mozilla_flaw_joke/

• Unofficial patches defend against further IE flaw (3 October 2006)

  https://www.theregister.com/2006/10/03/zero-day_ie_fix_encore/

• Another day, another zero-day MS exploit (28 September 2006)

  https://www.theregister.com/2006/09/28/0-day_powerpoint_threat/

• Trojan targets 0-day Word vuln (5 September 2006)

  https://www.theregister.com/2006/09/05/ms_office_trojan/