I haven't seen many recent comments on this issue, though...

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Sat, Jun 23, 2012 at 3:01 PM, Ben Scott <[email protected]> wrote:
> Reports of zero-day attacks. Exploitable via web pages or Office
> documents. All current versions of Windows/MSIE. Office prior to
> 2010. No proper update yet. CERT bulletin, with links, below.
>
> There's a "FixIt" that is supposed to block an attack vector, but I
> can't find any info on what it actually does. One of MSFT's other
> suggestions is to disable web scripting, which breaks most websites
> that businesses are interested in these days, so their collateral
> damage threshold is apparently fairly high on this one, which makes me
> rather leery of an undocumented patch.
>
> Third-party analysis[1] says the "FixIt" patches a running MSIE
> using AppCompat shims. It's still not evident what the patch actually
> does, nor if this fixes Office.
>
> [1] https://isc.sans.edu/diary/Microsoft+Security+Advisory+2719615+-+MSXML+-+CVE-2012-1889/13459
>
> ---------- Forwarded message ----------
> From: US-CERT Alerts <[email protected]>
> Date: Fri, Jun 22, 2012 at 7:13 PM
> Subject: US-CERT Alert TA12-174A - Microsoft XML Core Services Attack Activity
> To: [email protected]
>
> National Cyber Awareness System
>
> Technical Cyber Security Alert TA12-174A
>
> Microsoft XML Core Services Attack Activity
>
> Original release date: June 22, 2012
> Last revised: --
> Source: US-CERT
>
> Systems Affected
>
> Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected.
> Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft
> Office 2007 are affected due to their use of XML Core Services.
>
> Overview
>
> Microsoft Security Advisory (2719615) warns of active attacks using
> a vulnerability in Microsoft XML Core Services. Microsoft Internet
> Explorer and Microsoft Office can be used as attack vectors.
>
> Description
>
> Microsoft Security Advisory (2719615), a Google Online Security
> blog post, Sophos, and other sources report active attacks
> exploiting a vulnerability in Microsoft XML Core Services
> (CVE-2012-1889). Attack scenarios involve exploits served by
> compromised web sites and delivered in Office documents. Reliable
> public exploit code is available, and attacks may become more
> widespread.
>
> Impact
>
> By convincing a victim to view a specially crafted web page or
> Office document, an attacker could execute arbitrary code and take
> any action as the victim.
>
> Solution
>
> As of June 22, 2012, a comprehensive update is not available.
> Consider the following workarounds.
>
> Apply Fix it
>
> Apply the Fix it solution described in Microsoft Knowledge Base
> Article 2719615. This solution uses the Application
> Compatibility Database feature to make runtime modifications to
> XML Core Services to patch the vulnerability.
>
> Disable scripting
>
> Configure Internet Explorer to disable Active Scripting in the
> Internet and Local intranet zones as described in Microsoft
> Security Advisory (2719615). See also Securing Your Web Browser.
>
> Use the Enhanced Mitigation Experience Toolkit (EMET)
>
> EMET is a utility to configure Windows runtime mitigation
> features such as Data Execution Prevention (DEP), Address Space
> Layout Randomization (ASLR), and Structured Exception Handler
> Overwrite Protection (SEHOP). These features, particularly the
> combination of system-wide DEP and ASLR, make it more difficult
> for an attacker to successfully exploit a vulnerability.
> Configure EMET for Internet Explorer as described in Microsoft
> Security Advisory (2719615).
>
> References
>
> * Microsoft Security Advisory (2719615) -
>   <https://technet.microsoft.com/en-us/security/advisory/2719615>
>
> * Microsoft Security Advisory: Vulnerability in Microsoft XML Core
>   Services could allow remote code execution -
>   <http://support.microsoft.com/kb/2719615>
>
> * NVD Vulnerability Summary for CVE-2012-1889 -
>   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889>
>
> * Microsoft XML vulnerability under active exploitation -
>   <http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html>
>
> * European aeronautical supplier's website infected with
>   "state-sponsored" zero-day exploit -
>   <http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/>
>
> * Securing Your Web Browser -
>   <https://www.us-cert.gov/reading_room/securing_browser/>
>
> * Application Compatibility Database -
>   <http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx>
>
> Revision History
>
> June 22, 2012: Initial release
>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <[email protected]> with "TA12-174A Feedback VU#783993" in
> the subject.
> ____________________________________________________________________
>
> Produced by US-CERT, a government organization.
> ____________________________________________________________________
>
> This product is provided subject to this Notification:
> http://www.us-cert.gov/privacy/notification.html
>
> Privacy & Use policy:
> http://www.us-cert.gov/privacy/
>
> This document can also be found at
> http://www.us-cert.gov/cas/techalerts/TA12-174A.html
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit http://www.us-cert.gov/cas/signup.html
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
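
Added example, not part of the original thread or the US-CERT alert: a read-only PowerShell audit for the alert's "Disable scripting" workaround, reporting the Active Scripting setting for the Internet and Local intranet zones. It assumes the standard Internet Explorer zone layout in the registry (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting, data 3 = Disable) and that policy keys take precedence over preference keys; the function name Get-ActiveScriptingSetting is made up for this example.

```powershell
# Added example: report whether Active Scripting is disabled in the two zones
# named by the alert. Read-only; no registry value is changed.
# Assumed registry layout: value 1400 under each zone key holds the Active
# Scripting action: 0 = Enable, 1 = Prompt, 3 = Disable.
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# The first key that defines 1400 wins (assumed order: policy before preference).
$Roots = @(
    "HKLM:\Software\Policies\$Suffix",
    "HKCU:\Software\Policies\$Suffix",
    "HKCU:\Software\$Suffix",
    "HKLM:\Software\$Suffix"
)

function Get-ActiveScriptingSetting {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][int]$Zone)

    foreach ($root in $Roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent here, try the next root

        $value  = [int]$item.'1400'
        $action = if ($Actions.ContainsKey($value)) { $Actions[$value] } else { "Unknown ($value)" }
        return [pscustomobject]@{
            Zone      = $Zones[$Zone]
            Action    = $action
            Source    = $root
            Compliant = ($value -eq 3)      # the workaround asks for Disable
        }
    }

    # No key defines the value: the workaround has not been applied through the registry.
    return [pscustomobject]@{
        Zone      = $Zones[$Zone]
        Action    = 'Not set'
        Source    = $null
        Compliant = $false
    }
}

$Zones.Keys | Sort-Object | ForEach-Object { Get-ActiveScriptingSetting -Zone $_ } |
    Format-Table -AutoSize
```

Run it in the context of the user whose browser is being checked, since the HKCU keys are per-user.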
