Vulnerability in Microsoft XML Control

The latest twist on a redirection vulnerability believed first spotted in one of the controls in Microsoft XML Core Services in December 2001, was uncovered by Microsoft Security over the weekend, and reported to US-CERT.

The Homeland Security bureau responded on Sunday by posting an advisory stating it has seen evidence of the vulnerability being actively exploited. Microsoft has also issued a separate advisory.

Though the problem is not officially in Windows itself, it lies with one of the many accessory features that Microsoft makes available for free download, especially to Web developers. This fact alone helps reduce the threat of widespread exploitation, though among those systems that are vulnerable, security services firms such as Secunia are rating the threat “extremely critical.”

The problem affects a COM control called XMLHTTP that enables a script to request and receive XML data using HTTP protocol, from any site that produces XML data. With Internet Explorer 6 architecture, the browser was designed to expose the control, making it accessible through embedded scripting such as JavaScript and the now lesser-used VBScript.

The control was designed to be an all-purpose implementation of a scriptable XML object that could be easily grafted into Web functionality. The trouble, as Microsoft realized as much as five years ago, was that the control was virtually omnipotent, in that security measures designed to protect the browser couldn’t touch XMLHTTP, rendering it immune to provisions such as zoning.

Since that time, the company has issued a Service Pack 2 for XML Core Services, as well as multiple subsequent patches, including one just three weeks ago. But as it appears now, malicious users are simply uncovering new ways to get around the bandaging of the problem.

The XMLHTTP patch issued three weeks ago supposedly fixes a problem where the server receiving the HTTP request from the control can redirect the call to a different page, without the control properly re-interpreting the redirection. The resulting deficiency can lead to a malicious page executing code on the server remotely without access restrictions, as though it were using an administrator account.

There’s no word this morning as to whether the new vulnerability is specifically related to the one that was believed to have been patched, though since even the newly-patched exploit roughly fits the profile of nearly all the XMLHTTP exploits discovered before, its similarity is probably likely.

Microsoft has advised that patched editions of Windows Server 2003, including SP1, are immune to this problem by virtue of a new feature there called Enhanced Security Configuration (the advisory failed to mention WS2K3 R2, although this feature is prominent there as well).

Something else Microsoft may have failed to mention that could turn out in its favor this time around, is that Internet Explorer 7.0 may conceivably provide its own solution to this exploit. In IE7, the XMLHTTP functionality is employed natively, which means it doesn’t use the separate ActiveX (COM) control. While on the surface, this might seem scary, this new architecture places XMLHTTP calls under the Web browser’s purview, rendering them subject to the browser’s security provisions.