Reports are coming in thick and fast about 'state-sponsored' zero-day exploits hitting business websites in the UK. The latest, disclosed yesterday by SophosLabs, involves an as yet unnamed European aeronautical parts supplier and follows on from another the day before involving a European medical company site. In both cases the same unpatched vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0, which can allow remote code execution and is detailed in Microsoft Security Advisory 2719615, appears to have been successfully exploited.
The senior technology consultant at Sophos, Graham Cluley, sees this as an attempt to break into larger organisations by targeting the supply chain. "It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry; the type of businesses that regularly visit the websites of aeronautical suppliers, such as defence companies," Cluley says, adding: "don't underestimate the seriousness of this vulnerability; it's being actively exploited in the wild and there is currently no patch available for it".
This critical 'CVE-2012-1889' vulnerability has been linked to state-sponsored attacks in recent warnings from Google. Andrew Lyons, a security engineer with Google, warned that Google had first reported the vulnerability being exploited in the wild to Microsoft on May 30th. Yet it was not included in the Patch Tuesday fixes for June. So why hasn't Microsoft fixed it yet?
Well actually Microsoft has fixed it, if you know where to look, what to download and how to apply it across your network. Unfortunately this will probably leave out the vast majority of Internet Explorer and Microsoft Office users, who will just wait for the usual monthly 'important updates are available' message. I would like to think that DaniWeb members, and those who read this article, are a little more savvy than that. Microsoft itself recommends you apply the Fix-It sticking plaster, as does every IT security expert I have spoken to, so what are you waiting for? Head over to the Microsoft FixItForMe support page for this vulnerability and you will be able to follow the straightforward instructions there, whether you are fixing a single machine or need to roll out the fix across multiple machines using Microsoft System Center Configuration Manager 2007 in conjunction with the SDBInst.exe command.
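Once the Fix It has been pushed out, an administrator will want to confirm on each machine which of the affected MSXML versions are present and that an application-compatibility shim database has actually been registered by SDBInst.exe. The PowerShell below is an added example, not Microsoft's Fix It package or anything from the support page; it reads the registry location where Windows records installed shim databases, and because the Fix It's own database name is not given here, it simply lists every registered entry for the administrator to inspect.

```powershell
# Inventory MSXML DLL versions and installed shim databases (added example, not Microsoft's Fix It).
# Run with administrative rights; emits one object per finding so it can be collected from managed hosts.
# Uses New-Object rather than [pscustomobject] so it also runs on PowerShell 2.0 era machines.

$system32 = Join-Path $env:SystemRoot 'System32'
$results = @()

# MSXML 3.0, 4.0 and 6.0 ship with Windows as msxml3.dll / msxml4.dll / msxml6.dll in System32.
foreach ($name in 'msxml3.dll', 'msxml4.dll', 'msxml6.dll') {
    $path = Join-Path $system32 $name
    if (Test-Path $path) {
        $ver = (Get-Item $path).VersionInfo.FileVersion
        $results += New-Object PSObject -Property @{ Item = $name; Detail = $ver; Source = $path }
    }
}

# MSXML 5.0 is installed with Microsoft Office rather than Windows, so search the Program Files trees.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'msxml5.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $results += New-Object PSObject -Property @{
                Item = 'msxml5.dll'; Detail = $_.VersionInfo.FileVersion; Source = $_.FullName
            }
        }
}

# SDBInst.exe registers each shim database it installs as a subkey under InstalledSDB.
# The Fix It's database shows up here if it was applied; all entries are listed since its name is not known here.
$sdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
if (Test-Path $sdbKey) {
    Get-ChildItem $sdbKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $results += New-Object PSObject -Property @{
            Item = 'InstalledSDB'; Detail = $p.DatabaseDescription; Source = $p.DatabasePath
        }
    }
}

# A host with an affected msxml*.dll and no InstalledSDB entry has not received the shim.
$results | Select-Object Item, Detail, Source | Format-Table -AutoSize
```

Pair this with the rollout itself by having the SCCM package run `sdbinst.exe -q <path to the Fix It .sdb>` (path is a placeholder), then compare the InstalledSDB rows across hosts.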
Microsoft says that the vulnerability exists when "MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user" and that, upon completion of its investigation, it will take the appropriate action, which "may include providing a security update through our monthly release process or providing an out-of-cycle security update". In the meantime, Microsoft "encourages customers running an affected configuration to apply the Fix it solution as soon as possible".
Here's the link to that FixIt download again...