Microsoft closes zero-day XML vulnerability
Microsoft has released a patch for a critical security vulnerability in XML Core Services versions 3.0 through 6.0. The vulnerability was actively exploited by hackers to gain access to Gmail accounts.
According to ZDNet, Google tipped off Microsoft on May 30 that the vulnerability was being actively exploited to hack into Gmail accounts. Google then also began warning users if it suspected they were being targeted by government hacking attempts that exploited the vulnerability. Microsoft made the vulnerability public on June 13 and released a workaround that disabled the XML component. Users could resort to this method until a patch was available. Microsoft normally releases updates for Internet Explorer only every two months, and another update for the browser was made available last month, but the vulnerability was so critical that the fix was rolled out Tuesday as part of "Patch Tuesday."
The vulnerability affects Microsoft XML Core Services versions 3.0, 4.0, 5.0 and 6.0, which are a standard part of Windows and of Office 2003 and 2007. Office 2010 does not contain the vulnerability, according to Microsoft. The vulnerability allowed attackers to remotely execute code on a system without user consent. It was enough for the user to visit a specially crafted website with Internet Explorer, which could then run the code.