22 June 2012 | 1,558 views

Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889

Prevent Network Security Leaks with Acunetix

Oh look, another serious flaw in Windows – and this one is really bad because it can be exploited directly in Internet Explorer.

And even worse than that, this vulnerability is actually being exploited in the wild by cybercriminals – this shows it’s no longer a theoretical attack. Plus of course the fact, it’s actually unpatched – so even if you’ve applied all the available Windows updates – it’s still exploitable.

An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.

Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix. The vulnerability is easily exploited through Internet Explorer.

Security vendor Sophos reported Tuesday that it discovered over the weekend a web page crafted to take advantage of the flaw. The page was on the site of an unidentified European medical company, which did not know its website had been hijacked, Sophos said.

Cybercriminals often hide malware on legitimate websites for so-called drive-by installs. To lure people to the compromised site, hackers typically use specially crafted email to entice recipients to click on a link to the infected page.

Marcus Carey, a security researcher at Rapid7, said his company was sure cybercriminals everywhere were exploiting the widely known vulnerability. “That vulnerability is definitely being exploited in the wild,” he said Wednesday. Unpatched software flaws that are disclosed publicly become priority No. 1 for cyber-criminals, who know that companies and people are slow to install patches, and even slower to apply workarounds.

This is a serious issue, even when it gets patched it’ll still be a serious issue as people and companies tend to be slow in applying patches and quite often people turn off Windows Update entirely because they find it annoying and quite often the updates cause more problems than they solve (Black screen of death etc).

Plus the fact that it’s easily exploitable in the browser, this is not a complex multi-layered attack or something that needs network exposure to work.

A lot of anti-virus software vendors have issued updates that detect this exploit and will help mitigate against the threat until a proper patch is issued by Microsoft.

The latest vulnerability is particularly serious because it can be easily exploited. “The only thing you have to do is visit a website that’s been compromised, and you’re going to compromise your system,” Carey said. “Anyone running Internet Explorer should be terrified unless they apply the [Microsoft] fix-it.”

MSXML is a set of services used in building Windows-native XML-based applications. The latest flaw affects all releases of Windows and Office 2003 and 2007. A successful attacker could use the vulnerability to gain full user rights to a PC, Microsoft said.

Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. “Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later,” Paul Baccas, senior threat researcher at Sophos, said in the company’s blog.

Google reported the vulnerability to Microsoft on May 30 and worked with the software maker.

The vulnerability notation for this is: CVE-2012-1889 – if you want to keep tabs what’s going on with it.

The Microsoft advisory for this is here: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Source: Network World



Recent in Exploits/Vulnerabilities:
- OpenVPN Vulnerable To Shellshock Exploit
- Everything You NEED To Know About Shellshock Bug In BASH
- drozer – The Leading Security Testing Framework For Android

Related Posts:
- Microsoft Delivers 6 Out Of Band High Priority Security Updates
- Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
- Microsoft Patches Critical Security Vulnerabilities In Windows, Office, IE, Exchange & SQL Server

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 227,757 views
- AJAX: Is your application secure enough? - 119,139 views
- eEye Launches 0-Day Exploit Tracker - 85,068 views

Advertise on Darknet

One Response to “Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889”

  1. Johan 3 July 2012 at 9:35 pm Permalink

    Yes, it’s a serious problem, given that it’s now part of an exploit kit. That said, there is a fix it solution that you could have linked to at http://go.microsoft.com/?linkid=9811924 that disables the attack vector if you were interested in doing your readers a service.

    With regard to Windows Update: as someone with who does this for a living and have 25+ years of experience of programming, trust me when I tell you that it is incomparably superior to any other update service in the history of the universe. Yes, it’s possible to confuse it if you try really, really, really hard, but it routinely and with extraordinarily few exceptions successfully updates billions of computers that look nothing alike. Finding excuses for not applying updates is as insightful as closing your eyes before crossing the street.