Security Strategy

Alert over "extremely critical" XML bug

Attacks are already happening, admits Microsoft...

Tags: xml, microsoft, bug

By Greg Sandoval

Published: 7 November 2006 09:15 GMT

An "extremely critical" vulnerability has been discovered in Microsoft's XML Core Services, according to several security companies.

The vulnerability, which affects only systems running Internet Explorer, is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control and could be used to seize control of an affected system, according to an advisory from Secunia.

IBM-owned ISS X-Force detailed on its site the kind of damage that could be caused by the vulnerability. According to the security company: "This could lead to loss of confidential information, disruption of business, or further compromise."

For the vulnerability to be exploited, a user would have to visit a malicious website, Secunia said.

In a note posted on the company's site, Microsoft acknowledged that the bug is already being exploited. "We are aware of limited attacks that are attempting to use the reported vulnerability," it said.

Software that may be affected includes Windows 2000, Windows XP Service Pack 2 and Windows Server 2003.

People running Windows Server 2003 and 2003 Service Pack 1 in the default configuration with the Enhanced Security Configuration turned on aren't affected, Microsoft said.

The software behemoth said it will determine, based on "customer needs", whether to release a patch during the company's monthly release process or an "out-of-cycle security update".

Microsoft's next patch release day is 14 November.

Greg Sandoval writes for CNET News.com
