
Vulnerability:Win/MSXML.XMLHTTP.RCE!CVE-2006-5745

Severity rating
Critical

Class/Type
Vulnerability

Discovered date
2006-11-14T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium







Description

A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution.



Impact

An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.



Technical details (analysis)

An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow remote code execution if a user visited that page or clicked a link in an e-mail message. The component exposes a function that, when invoked with particular parameters, causes memory corruption leading to remote code execution.



Affected software

Microsoft XML Core Services 4.0 when installed on Windows (all versions)
Microsoft XML Core Services 6.0 when installed on Windows (all versions)



Non-affected software

Microsoft XML Core Services 3.0
Microsoft XML Core Services 5.0



References




Solutions




NIS signature

Name: Vulnerability:Win/MSXML.XMLHTTP.RCE!CVE-2006-5745
Release Date: 2006-11-14T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Prevent the XMLHTTP 4.0 and XMLHTTP 6.0 ActiveX Controls from running in Internet Explorer.