Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889

Keep on Guard!


Oh look, another serious flaw in Windows – and this one is really bad because it can be exploited directly in Internet Explorer.

And even worse than that, this vulnerability is actually being exploited in the wild by cybercriminals – this shows it’s no longer a theoretical attack. Plus of course the fact, it’s actually unpatched – so even if you’ve applied all the available Windows updates – it’s still exploitable.

An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.

Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix. The vulnerability is easily exploited through Internet Explorer.

Security vendor Sophos reported Tuesday that it discovered over the weekend a web page crafted to take advantage of the flaw. The page was on the site of an unidentified European medical company, which did not know its website had been hijacked, Sophos said.

Cybercriminals often hide malware on legitimate websites for so-called drive-by installs. To lure people to the compromised site, hackers typically use specially crafted email to entice recipients to click on a link to the infected page.

Marcus Carey, a security researcher at Rapid7, said his company was sure cybercriminals everywhere were exploiting the widely known vulnerability. “That vulnerability is definitely being exploited in the wild,” he said Wednesday. Unpatched software flaws that are disclosed publicly become priority No. 1 for cyber-criminals, who know that companies and people are slow to install patches, and even slower to apply workarounds.

This is a serious issue, even when it gets patched it’ll still be a serious issue as people and companies tend to be slow in applying patches and quite often people turn off Windows Update entirely because they find it annoying and quite often the updates cause more problems than they solve (Black screen of death etc).

Plus the fact that it’s easily exploitable in the browser, this is not a complex multi-layered attack or something that needs network exposure to work.

A lot of anti-virus software vendors have issued updates that detect this exploit and will help mitigate against the threat until a proper patch is issued by Microsoft.


The latest vulnerability is particularly serious because it can be easily exploited. “The only thing you have to do is visit a website that’s been compromised, and you’re going to compromise your system,” Carey said. “Anyone running Internet Explorer should be terrified unless they apply the [Microsoft] fix-it.”

MSXML is a set of services used in building Windows-native XML-based applications. The latest flaw affects all releases of Windows and Office 2003 and 2007. A successful attacker could use the vulnerability to gain full user rights to a PC, Microsoft said.

Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. “Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later,” Paul Baccas, senior threat researcher at Sophos, said in the company’s blog.

Google reported the vulnerability to Microsoft on May 30 and worked with the software maker.

The vulnerability notation for this is: CVE-2012-1889 – if you want to keep tabs what’s going on with it.

The Microsoft advisory for this is here: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Source: Network World

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , , , ,


Latest Posts:


Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.
Yuki Chan - Automated Penetration Testing Tool Yuki Chan – Automated Penetration Testing Tool
Yuki Chan is an Automated Penetration Testing Tool that carries out a whole range of standard security auditing tasks automatically.


One Response to Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889

  1. Johan July 3, 2012 at 9:35 pm #

    Yes, it’s a serious problem, given that it’s now part of an exploit kit. That said, there is a fix it solution that you could have linked to at http://go.microsoft.com/?linkid=9811924 that disables the attack vector if you were interested in doing your readers a service.

    With regard to Windows Update: as someone with who does this for a living and have 25+ years of experience of programming, trust me when I tell you that it is incomparably superior to any other update service in the history of the universe. Yes, it’s possible to confuse it if you try really, really, really hard, but it routinely and with extraordinarily few exceptions successfully updates billions of computers that look nothing alike. Finding excuses for not applying updates is as insightful as closing your eyes before crossing the street.