Reports of zero-day attacks.  Exploitable via web pages or Office
documents.  All current versions of Windows/MSIE.  Office prior to
2010.  No proper update yet.  CERT bulletin, with links, below.

  There's a "FixIt" that is supposed to block an attack vector, but I
can't find any info on what it actually does.  One of MSFT's other
suggestions is to disable web scripting, which breaks most websites
that businesses are interested in these days, so their collateral
damage threshold is apparently fairly high on this one, which makes me
rather leery of an undocumented patch.

  Third-party analysis[1] says the "FixIt" patches a running MSIE
using AppCompat shims.  It's still not evident what the patch actually
does, nor if this fixes Office.

[1] https://isc.sans.edu/diary/Microsoft+Security+Advisory+2719615+-+MSXML+-+CVE-2012-1889/13459


---------- Forwarded message ----------
From: US-CERT Alerts <[email protected]>
Date: Fri, Jun 22, 2012 at 7:13 PM
Subject: US-CERT Alert TA12-174A - Microsoft XML Core Services Attack Activity
To: [email protected]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


   National Cyber Awareness System

             Technical Cyber Security Alert TA12-174A


Microsoft XML Core Services Attack Activity

  Original release date: June 22, 2012
  Last revised: --
  Source: US-CERT


Systems Affected

    Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected.
    Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft
    Office 2007 are affected due to their use of XML Core Services.


Overview

  Microsoft Security Advisory (2719615) warns of active attacks using
  a vulnerability in Microsoft XML Core Services. Microsoft Internet
  Explorer and Microsoft Office can be used as attack vectors.


Description

  Microsoft Security Advisory (2719615), a Google Online Security
  blog post, Sophos, and other sources report active attacks
  exploiting a vulnerability in Microsoft XML Core Services
  (CVE-2012-1889). Attack scenarios involve exploits served by
  compromised web sites and delivered in Office documents. Reliable
  public exploit code is available, and attacks may become more
  widespread.


Impact

  By convincing a victim to view a specially crafted web page or
  Office document, an attacker could execute arbitrary code and take
  any action as the victim.


Solution

  As of June 22, 2012, a comprehensive update is not available.
  Consider the following workarounds.

  Apply Fix it

     Apply the Fix it solution described in Microsoft Knowledge Base
     Article 2719615. This solution uses the Application
     Compatibility Database feature to make runtime modifications to
     XML Core Services to patch the vulnerability.

  Disable scripting

     Configure Internet Explorer to disable Active Scripting in the
     Internet and Local intranet zones as described in Microsoft
     Security Advisory (2719615). See also Securing Your Web Browser.

  Use the Enhanced Mitigation Experience Toolkit (EMET)

     EMET is a utility to configure Windows runtime mitigation
     features such as Data Execution Prevention (DEP), Address Space
     Layout Randomization (ASLR), and Structured Exception Handler
     Overwrite Protection (SEHOP). These features, particularly the
     combination of system-wide DEP and ASLR, make it more difficult
     for an attacker to successfully exploit a vulnerability.
     Configure EMET for Internet Explorer as described in Microsoft
     Security Advisory (2719615).


References

 * Microsoft Security Advisory (2719615) -
  <https://technet.microsoft.com/en-us/security/advisory/2719615>

 * Microsoft Security Advisory: Vulnerability in Microsoft XML Core
  Services could allow remote code execution -
  <http://support.microsoft.com/kb/2719615>

 * NVD Vulnerability Summary for CVE-2012-1889 -
  <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889>

 * Microsoft XML vulnerability under active exploitation -
  <http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html>

 * European aeronautical supplier's website infected with
   "state-sponsored" zero-day exploit -
  <http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/>

 * Securing Your Web Browser -
  <https://www.us-cert.gov/reading_room/securing_browser/>

 * Application Compatibility Database -
  <http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx>


Revision History

 June 22, 2012: Initial release

 ____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <[email protected]> with "TA12-174A Feedback VU#783993" in
  the subject.
 ____________________________________________________________________

  Produced by US-CERT, a government organization.
 ____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-174A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBT+TZH3dnhE8Qi3ZhAQIjggf+O+mOYAEj9Lhq05KCWunmNoLREdH8ura3
DVnvdz+PBgQwxJXCl2fxCvJ56nPnxgKoDvtKWHDdFePfmS1+Tmp9/DnXoEY8tFCd
SlqYoL+jUuxJGQk4oxbTP/U2Gcu1GSOgpc4sj5WGiuHFQa1iDEJ+rSG2myUqyIEu
B5HsYiqOGHXyynXWxdr5W9/37owlfXWJeazs2aviqGIKq/5uz78NHy/RHMnphOhI
qCZzRnHHkyHeS0JojqCnJjNeDoLMaMUzdEzRsZt4bY0YgonRJnRSaEgPlKGvvfSo
nIeTdyDIZQVsN6H0yjSaN+whlS30BFiasDtLw50omazYdkSv2jJHCg==
=7lRz
-----END PGP SIGNATURE-----
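The alert's Solution section lists three workarounds (the AppCompat-shim Fix it, disabling Active Scripting in the Internet and Local intranet zones, and EMET) but gives no way to check a host against them. The script below is an added example, not part of the US-CERT alert or the list post, that audits all three on a Windows machine and can apply the scripting workaround with -WhatIf/-Confirm support. It relies on standard Windows locations (the IE zone keys, where value 1400 is Active Scripting with 0 = Enable, 1 = Prompt, 3 = Disable, and the InstalledSDB key where sdbinst registers shim databases); the EMET install path and the `EMET_Conf.exe --list` invocation are assumptions about the host's EMET install and are marked as such in the code.

```powershell
# Added example (not from the US-CERT alert or the list post): audit the TA12-174A
# workarounds on a Windows host. Registry locations used are standard Windows ones:
#   HK{LM,CU}\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#     zone 1 = Local intranet, zone 3 = Internet; value 1400 = Active Scripting
#     (0 = Enable, 1 = Prompt, 3 = Disable)
#   HKLM\...\AppCompatFlags\InstalledSDB  (shim databases registered by sdbinst)
# The EMET path and "EMET_Conf.exe --list" are assumptions about this host's EMET install.

$ZoneRoot        = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # the two zones the advisory names
$ActiveScripting = '1400'
$Meaning         = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Report per-user (HKCU) and machine (HKLM) values for both zones; when the
    # Security_HKLM_only policy is in force, the HKLM value is the effective one.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($id in $Zones.Keys) {
            $key = "${hive}:\$ZoneRoot\$id"
            $val = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
            if ($null -eq $val) { $setting = '(not set)' }
            elseif ($Meaning.ContainsKey([int]$val)) { $setting = $Meaning[[int]$val] }
            else { $setting = "unknown ($val)" }
            [pscustomobject]@{
                Hive      = $hive
                Zone      = $Zones[$id]
                Setting   = $setting
                Mitigated = ([int]$val -eq 3)
            }
        }
    }
}

function Set-ActiveScriptingDisabled {
    # Apply the advisory's "disable scripting" workaround for the current user.
    # Supports -WhatIf / -Confirm because this breaks most script-driven sites.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($id in $Zones.Keys) {
        $key = "HKCU:\$ZoneRoot\$id"
        if ($PSCmdlet.ShouldProcess("$($Zones[$id]) zone (HKCU)", 'Set Active Scripting = Disable')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
        }
    }
}

function Get-InstalledShimDatabases {
    # sdbinst registers every installed shim database (.sdb) here with a description and
    # path, so a Fix it delivered as AppCompat shims shows up in this list.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            try { $installed = [datetime]::FromFileTime([long]$p.DatabaseInstallTimeStamp) } catch { }
        }
        [pscustomobject]@{
            Description = $p.DatabaseDescription
            SdbPath     = $p.DatabasePath
            Installed   = $installed
        }
    }
}

function Get-MsxmlVersions {
    # MSXML 3/4/6 are system DLLs (System32, plus SysWOW64 on x64); MSXML 5 ships with
    # Office under Common Files\Microsoft Shared. Report each copy with its file version
    # so the host can be re-checked once a real update replaces the binaries.
    $flat = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $deep = @("${env:CommonProgramFiles}\Microsoft Shared", "${env:CommonProgramFiles(x86)}\Microsoft Shared")
    $files = @()
    $files += $flat | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Filter 'msxml?.dll' -ErrorAction SilentlyContinue }
    $files += $deep | Where-Object { $_ -and (Test-Path $_) } |
        ForEach-Object { Get-ChildItem -Path $_ -Recurse -Filter 'msxml?.dll' -ErrorAction SilentlyContinue }
    $files | ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; FileVersion = $_.VersionInfo.FileVersion }
    }
}

function Test-EmetInstalled {
    # Assumption: EMET is in its default install folder and "EMET_Conf.exe --list"
    # prints the configured applications, so iexplore.exe should appear in that output.
    $candidates = @("${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe", "$env:ProgramFiles\EMET\EMET_Conf.exe")
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) { return [pscustomobject]@{ Installed = $false; ProtectsIE = $false } }
    $listing = & $exe --list 2>$null
    [pscustomobject]@{ Installed = $true; ProtectsIE = [bool]($listing -match 'iexplore\.exe') }
}

# Usage: run in an elevated session so the HKLM and InstalledSDB reads succeed.
Write-Host '== Active Scripting per zone ==';        Get-ActiveScriptingState    | Format-Table -AutoSize
Write-Host '== Installed shim databases (Fix it) =='; Get-InstalledShimDatabases | Format-Table -AutoSize
Write-Host '== MSXML binaries ==';                   Get-MsxmlVersions           | Format-Table -AutoSize
Write-Host '== EMET ==';                             Test-EmetInstalled
# To apply the scripting workaround for the current user:  Set-ActiveScriptingDisabled -WhatIf
```

The shim-database listing is the quickest answer to "what did the Fix it install": the registered .sdb path can be opened with the Compatibility Administrator from the Application Compatibility Toolkit to see which module the shim targets. Note that the Active Scripting setting is only the IE vector; the Office document vector is unaffected by it.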
