A remote code execution vulnerability has been confirmed in Microsoft XML Core Services XMLHTTP ActiveX Control. According to a report by FrSIRT

This flaw is due to a memory corruption error in the XMLHTTP ActiveX Control when processing specially crafted arguments passed to a “setRequestHeader()” method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by tricking a user into visiting a malicious Web page.

Microsoft has already released a security advisory for this and as of the moment is still investigating public reports.

Microsoft has also posted workarounds in their advisory in order to protect your systems while a patch is still unavailable.

We will update this blog as more information about the vulnerability is acquired.

Update (Jhoevine Capicio, Tue, 07 Nov 2006 03:28:16 AM)

Sunblet Blog has confirmed that this exploit is now being used in the wild.