tricore Guest
Posted: Wed Dec 13, 2006 2:42 am Post subject: Microsoft Releases Patches for Zero-day Flaws

Microsoft on Nov. 14 released a critical cumulative update for its flagship Internet Explorer browser to fix a flaw that was being used in targeted zero-day attacks since early October. The IE update (MS06-067) provides cover for code execution holes in DirectAnimation ActiveX controls that could be exploited if unexpected data is passed to the ActiveX controls.
The vulnerable control, which is included in Daxctle.ocx, was first flagged in Oct. 2006 when Chinese security researchers released exploit code and, shortly after, virus tracking firms discovered that malware authors were exploiting the bug to launch attacks against IE users.
In addition to the DirectAnimation ActiveX issue, the IE update also addresses a memory corruption bug that occurs in the way the browser interprets HTML with certain layout combinations.
An attacker could exploit the vulnerability to launch code execution attacks by rigging a Web site with malicious code. Microsoft said its new IE 7 browser is not vulnerable. Windows Vista users are also not at risk.
The software vendor also pushed out a fix for a high-severity code execution issue affecting XML Core Services, a feature that lets users create applications that interoperate with the XML 1.0 standard. This vulnerability was also the target of zero-day attacks that were first discovered Nov. 3.
The XML Core Services update (MS06-071) provides a patch for the XMLHTTP ActiveX control included in Microsoft XML Core Services. The company said that the control can be exploited to crash IE in a way that could allow code execution.