Microsoft said on Tuesday that it is aware of active attacks against a critical XML vulnerability in Windows. The vulnerability, affecting all supported versions of Windows and Office 2003 / 2007, allows hackers to remotely execute code if a user visits a malicious site using Internet Explorer. Google's Security Team discovered the flaw in Microsoft's XML component and reported it to the company on May 30th.
"Microsoft has been responsive to the issue and has been working with us," says Google's Andrew Lyons, explaining that the attacks use malicious web pages and Office documents. Microsoft says it is currently investigating the vulnerability and may issue an out-of-cycle security update if required. For now, the company has issued a Fix It workaround intended to block the attack vector for the vulnerability.