Security researchers have identified an unpatched vulnerability in Windows. The flaw - which affects all supported versions of Windows bar Windows 2003 - resides in a security bug in Microsoft XML Core Services, specifically an unspecified security bug in the XMLHTTP 4.0 ActiveX Control.

The flaw creates a means for hackers to inject malware onto the PCs of surfers running IE who visit a website hosting malicious code that attempts to harness the security bug. Security notification firm Secunia says (http://secunia.com/advisories/22687/) that the vulnerability is being actively exploited by hackers.

Microsoft has posted an advisory (http://www.microsoft.com/technet/security/advisory/927892.mspx) conceding the problem and suggesting possible workarounds, which basically involve disabling the affected ActiveX control, ahead of the arrival of a patch. ®

Related stories

• Acer 'preloads vulns' onto notebooks (10 January 2007)

  http://www.theregister.co.uk/2007/01/10/acer_notebook_vuln/

• IE 'unsafe' for 284 days last year (5 January 2007)

  http://www.theregister.co.uk/2007/01/05/ie_unsafe/

• MS preps six fixes for November Patch Tuesday (10 November 2006)

  http://www.theregister.co.uk/2006/11/10/nov_patch_tuesday-pre-alert/

• Attackers end-run around IE security (8 November 2006)

  http://www.theregister.co.uk/2006/11/08/ie_security_analysis/

• Web viruses drop off despite IE exploit flap (18 October 2006)

  http://www.theregister.co.uk/2006/10/18/malware_trends_scansafe/

• Mozilla flaws more joke than jeopardy (5 October 2006)

  http://www.theregister.co.uk/2006/10/05/mozilla_flaw_joke/

• Unofficial patches defend against further IE flaw (3 October 2006)

  http://www.theregister.co.uk/2006/10/03/zero-day_ie_fix_encore/

• Another day, another zero-day MS exploit (28 September 2006)

  http://www.theregister.co.uk/2006/09/28/0-day_powerpoint_threat/

• Trojan targets 0-day Word vuln (5 September 2006)

  http://www.theregister.co.uk/2006/09/05/ms_office_trojan/