Linky! Where you bean?

On Sat, Jun 23, 2012 at 4:06 PM, Jonathan Link <[email protected]> wrote:
> Fabulous!
>
> On Sat, Jun 23, 2012 at 3:01 PM, Ben Scott <[email protected]> wrote:
>
>> Reports of zero-day attacks. Exploitable via web pages or Office
>> documents. All current versions of Windows/MSIE. Office prior to
>> 2010. No proper update yet. CERT bulletin, with links, below.
>>
>> There's a "FixIt" that is supposed to block an attack vector, but I
>> can't find any info on what it actually does. One of MSFT's other
>> suggestions is to disable web scripting, which breaks most websites
>> that businesses are interested in these days, so their collateral
>> damage threshold is apparently fairly high on this one, which makes me
>> rather leery of an undocumented patch.
>>
>> Third-party analysis[1] says the "FixIt" patches a running MSIE
>> using AppCompat shims. It's still not evident what the patch actually
>> does, nor if this fixes Office.
>>
>> [1] https://isc.sans.edu/diary/Microsoft+Security+Advisory+2719615+-+MSXML+-+CVE-2012-1889/13459
>>
>>
>> ---------- Forwarded message ----------
>> From: US-CERT Alerts <[email protected]>
>> Date: Fri, Jun 22, 2012 at 7:13 PM
>> Subject: US-CERT Alert TA12-174A - Microsoft XML Core Services Attack Activity
>> To: [email protected]
>>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> National Cyber Awareness System
>>
>> Technical Cyber Security Alert TA12-174A
>>
>>
>> Microsoft XML Core Services Attack Activity
>>
>> Original release date: June 22, 2012
>> Last revised: --
>> Source: US-CERT
>>
>>
>> Systems Affected
>>
>> Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected.
>> Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft
>> Office 2007 are affected due to their use of XML Core Services.
>>
>>
>> Overview
>>
>> Microsoft Security Advisory (2719615) warns of active attacks using
>> a vulnerability in Microsoft XML Core Services. Microsoft Internet
>> Explorer and Microsoft Office can be used as attack vectors.
>>
>>
>> Description
>>
>> Microsoft Security Advisory (2719615), a Google Online Security
>> blog post, Sophos, and other sources report active attacks
>> exploiting a vulnerability in Microsoft XML Core Services
>> (CVE-2012-1889). Attack scenarios involve exploits served by
>> compromised web sites and delivered in Office documents. Reliable
>> public exploit code is available, and attacks may become more
>> widespread.
>>
>>
>> Impact
>>
>> By convincing a victim to view a specially crafted web page or
>> Office document, an attacker could execute arbitrary code and take
>> any action as the victim.
>>
>>
>> Solution
>>
>> As of June 22, 2012, a comprehensive update is not available.
>> Consider the following workarounds.
>>
>> Apply Fix it
>>
>> Apply the Fix it solution described in Microsoft Knowledge Base
>> Article 2719615. This solution uses the Application
>> Compatibility Database feature to make runtime modifications to
>> XML Core Services to patch the vulnerability.
>>
>> Disable scripting
>>
>> Configure Internet Explorer to disable Active Scripting in the
>> Internet and Local intranet zones as described in Microsoft
>> Security Advisory (2719615). See also Securing Your Web Browser.
>>
>> Use the Enhanced Mitigation Experience Toolkit (EMET)
>>
>> EMET is a utility to configure Windows runtime mitigation
>> features such as Data Execution Prevention (DEP), Address Space
>> Layout Randomization (ASLR), and Structured Exception Handler
>> Overwrite Protection (SEHOP). These features, particularly the
>> combination of system-wide DEP and ASLR, make it more difficult
>> for an attacker to successfully exploit a vulnerability.
>> Configure EMET for Internet Explorer as described in Microsoft
>> Security Advisory (2719615).
>>
>>
>> References
>>
>> * Microsoft Security Advisory (2719615) -
>> <https://technet.microsoft.com/en-us/security/advisory/2719615>
>>
>> * Microsoft Security Advisory: Vulnerability in Microsoft XML Core
>> Services could allow remote code execution -
>> <http://support.microsoft.com/kb/2719615>
>>
>> * NVD Vulnerability Summary for CVE-2012-1889 -
>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889>
>>
>> * Microsoft XML vulnerability under active exploitation -
>> <http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html>
>>
>> * European aeronautical supplier's website infected with
>> "state-sponsored" zero-day exploit -
>> <http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/>
>>
>> * Securing Your Web Browser -
>> <https://www.us-cert.gov/reading_room/securing_browser/>
>>
>> * Application Compatibility Database -
>> <http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx>
>>
>>
>> Revision History
>>
>> June 22, 2012: Initial release
>>
>> ____________________________________________________________________
>>
>> Feedback can be directed to US-CERT Technical Staff. Please send
>> email to <[email protected]> with "TA12-174A Feedback VU#783993" in
>> the subject.
>> ____________________________________________________________________
>>
>> Produced by US-CERT, a government organization.
>> ____________________________________________________________________
>>
>> This product is provided subject to this Notification:
>> http://www.us-cert.gov/privacy/notification.html
>>
>> Privacy & Use policy:
>> http://www.us-cert.gov/privacy/
>>
>> This document can also be found at
>> http://www.us-cert.gov/cas/techalerts/TA12-174A.html
>>
>> For instructions on subscribing to or unsubscribing from this
>> mailing list, visit http://www.us-cert.gov/cas/signup.html
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.5 (GNU/Linux)
>>
>> -----END PGP SIGNATURE-----
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
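
One way to check on a workstation whether two of the alert's workarounds are in place, as an added example that is not part of the original thread or the US-CERT alert: it reports where Active Scripting (URL action 1400) is configured for the Local intranet and Internet zones, and lists the AppCompat shim databases that are installed. The function names are hypothetical, and because the thread does not give the Fix it's database name or GUID, the script only lists installed databases rather than matching a specific one.

```powershell
# Added example: read-only audit of two TA12-174A workarounds on the local machine.
$zoneNames    = @{ 1 = 'Local intranet'; 3 = 'Internet' }           # IE security zone IDs
$settingNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }    # URL action policy values
$action       = '1400'                                              # URLACTION_SCRIPT_RUN (Active Scripting)
$zoneRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    # Report every location where the Active Scripting action is set for each zone.
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        foreach ($root in $zoneRoots) {
            $key  = Join-Path $root "$zone"
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $value = [int]($item.$action)
            $name  = if ($settingNames.ContainsKey($value)) { $settingNames[$value] } else { 'Other' }
            [pscustomobject]@{
                Zone = $zoneNames[$zone]; Location = $root; Value = $value; Setting = $name
            }
        }
    }
}

function Get-InstalledShimDatabase {
    # sdbinst.exe registers each installed AppCompat database under this key.
    $sdbRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    Get-ChildItem -Path $sdbRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            FileExists  = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
        }
    }
}

$scripting = @(Get-ActiveScriptingSetting)
if ($scripting.Count -eq 0) { 'Active Scripting (1400) is not set in zones 1 or 3 at any checked location.' }
$scripting | Format-Table -AutoSize
'Installed AppCompat shim databases:'
Get-InstalledShimDatabase | Format-List
```

A zone that reports `Disabled` (value 3) has the scripting workaround applied at that location; an empty shim database list means no Fix it style database is registered on the machine.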
