Hackers are actively exploiting a critical vulnerability in Microsoft's Windows operating system that allows them to remotely execute malicious code when victims visit a booby-trapped website.
"These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents," Andrew Lyons, a Google security engineer, wrote in a blog post published Tuesday. "Users running Windows XP up to and including Windows 7 are known to be vulnerable."
In their own advisory, Microsoft officials confirmed the active attacks and encouraged customers to apply a temporary fix as soon as possible. The vulnerability stems from an uninitialized variable in XML Core Services, which is installed by default in all supported versions of Windows. Users of Microsoft Office 2003 and 2007 are also susceptible.
Attacks work when a vulnerable system uses Internet Explorer to visit a website containing XML code that corrupts memory in a way that leads to execution of malicious code. The code runs with the same privileges as the logged-on user, so accounts that lack administrative privileges may be less affected.
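The bug class behind this flaw is an uninitialized variable: a field that is written only on the success path, so an early return leaves it holding whatever bytes were in that memory before. The following C program is an added illustration (it is not MSXML code, and every name in it is made up for the example); it places the careless pattern beside the hardened one and shows why the fix is to initialize every field before any early return.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the uninitialized-field bug class.
 * Not MSXML code; node_t and its callback are invented for this example. */
typedef struct {
    const char *name;
    void (*on_release)(const char *);   /* callback run when the node is released */
} node_t;

static int release_calls = 0;
static void count_release(const char *name) { (void)name; release_calls++; }

/* Vulnerable pattern: fields are assigned only on the success path, so on a
 * bad input the struct keeps whatever the memory held before. */
int unsafe_init(node_t *n, const char *name) {
    if (name == NULL || name[0] == '\0')
        return -1;                        /* n->on_release is never written */
    n->name = name;
    n->on_release = count_release;
    return 0;
}

/* Hardened pattern: zero every field before any early return, so a failed
 * initialization leaves a safe, recognizable state (NULL callback). */
int safe_init(node_t *n, const char *name) {
    memset(n, 0, sizeof *n);
    if (name == NULL || name[0] == '\0')
        return -1;
    n->name = name;
    n->on_release = count_release;
    return 0;
}

/* Release helper shared by both paths. Real code would simply call
 * n->on_release(); here we compare against the one legitimate callback
 * instead, because invoking a stale pointer is undefined behaviour.
 * Returns 1 if a valid callback ran, 0 if the slot was NULL, and -1 if it
 * still held leftover (garbage) contents. */
int node_release(node_t *n) {
    if (n->on_release == count_release) {
        n->on_release(n->name);
        return 1;
    }
    return n->on_release == NULL ? 0 : -1;
}

/* Drive one init/release cycle. The 0xAA fill stands in for stale stack or
 * heap contents left behind by earlier activity. */
int run_cycle(int (*init)(node_t *, const char *), const char *name) {
    node_t n;
    memset(&n, 0xAA, sizeof n);
    (void)init(&n, name);
    return node_release(&n);
}

int main(void) {
    printf("unsafe, bad input : %d\n", run_cycle(unsafe_init, ""));    /* -1: garbage pointer */
    printf("safe,   bad input : %d\n", run_cycle(safe_init, ""));      /*  0: NULL, skipped   */
    printf("safe,   good input: %d\n", run_cycle(safe_init, "root"));  /*  1: callback ran    */
    return 0;
}
```

The unsafe path reports -1 because the callback slot still contains the 0xAA fill; in real code that slot would simply be called, transferring control to whatever the stale bytes point at. Beyond initializing explicitly, defenders can enable compiler warnings such as `-Wuninitialized` and, on recent clang and GCC, `-ftrivial-auto-var-init=zero`, which zero-fills automatic variables so that this class of bug degrades to a NULL dereference instead of a controlled jump.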
The warnings came the same day that Microsoft issued seven updates that patch at least 26 vulnerabilities in its software as part of its monthly Patch Tuesday. Lyons said Google researchers alerted Microsoft to the attacks on the XML package two weeks ago and that "Microsoft has been responsive to the issue and has been working with us."