Attackers Exploit Unpatched Windows XML Flaw
http://www.pcworld.com/article/258177/attackers_exploit_unpatched_windows_xml_flaw.html
Hopefully youve applied all of the updates and fixes from Microsofts Patch Tuesday by now. But, have you also implemented the workarounds Microsoft published? If not, your system could end up compromised.
While organizations and individuals were busy with the Patch Tuesday security bulletins, Microsoft also released an out-of-band security advisory for a flaw in Microsoft XML Core Services that can allow an attacker to gain control of a vulnerable system from across the Internet. The vulnerability affects all supported versions of Windows, and all supported versions of Office 2003 and Office 2007.
In the security advisory, Microsoft spells out some mitigating factors that may reduce the risk this vulnerability poses for a PC. The flaw can be exploited just by loading a malicious Web page, but theres no way an attacker can force a user to do so. The attacker has to craft the malicious site, and then convince victims to visit the website somehow in order to compromise their systems.
Most users are conditioned not to click on links in spam email messages, or rogue instant messaging threads from strangers. But, attackers have another trick at their disposalcompromise a legitimate website that victims are already visiting of their own accord.