1

Reports are coming in thick and fast about 'state-sponsored' zero-day exploits hitting business websites in the UK. The latest, disclosed yesterday by SophosLabs, involves an as yet unnamed European aeronautical parts supplier and follows on from another the day before involving a European medical company site. In both cases the same unpatched vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that can allow remote code execution, as detailed in Microsoft Security Advisory 2719615 appears to have been successfully exploited.

dweb-fixit01 The vulnerability impacts users of all currently supported versions of Windows including Windows 7, as well as Microsoft Office 2003 and 2007 and is serious enough that a successful exploit as seen in both the attacks discovered this week can launch a drive-by compromise which simply requires a user to visit the infected website to become a victim. Assuming, that is, they do not have anti-malware protection installed that spots the thing or have disabled JaveScript which it uses. Both the sites identified by SophosLabs had four files dropped into them by the attackers: deploy.html containing the vulnerability itself and loading the JavaScript library deployJava.js which interrogates your browser, movie.swf is then run if possible in order to compromise your computer and for good measure an iframe is loaded into faq.htm as well. The end result is that the attacker can potentially gain the same user rights as whoever is using the target computer at the time.

As well as having an up-to-date anti-malware solution running, and disabling JavaScript, the effects of this kind of attack can be mitigated by not configuring user accounts with admin level rights. Users of Internet Explorer running by default in the Enhanced Security Configuration on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 further mitigate the vulnerability by operating in this restricted mode.

The senior technology consultant at Sophos, Graham Cluley, sees this as an attempt to break into larger organisations by targeting the supply chain. "It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry; the type of businesses that regularly visit the websites of aeronautical suppliers such as defence companies" Cluley says, adding "don't underestimate the seriousness of this vulnerability, it's being actively exploited in the wild and there is currently no patch available for it".

This critical 'CVE-2012-1889' vulnerability has been linked to state-sponsored attacks in recent warnings from Google. Andrew Lyons, a security engineer with Google, warned that it had first reported the vulnerability being exploited in the wild to Microsoft on May 30th. Yet it was not included in the Patch Tuesday fixes for June. So why hasn't Microsoft fixed it yet?

Well actually Microsoft has fixed it, if you know where to look, what to download and how to apply it across your network. Unfortunately this will probably preclude the vast majority of Internet Explorer and Microsoft Office users who will just wait for the usual monthly 'important updates are available' message. I would like to think that DaniWeb members, and those who read this article, are a little more savvy than that. Microsoft itself recommends you apply the Fix-It sticking plaster, as does every IT security expert I have spoken to, so what are you waiting for? Head over the Microsoft FixItForMe support page for this vulnerability and you will be able to follow the straightforward instructions there whether you are fixing a single machine or need to roll out the fix across multiple machines using Microsoft System Center Configuration Manager 2007 in conjunction with the SDBInst.exe command.

Microsoft says that the vulnerability exists when "MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user" and that upon completion of investigation it will take the appropriate action which "may include providing a security update through our monthly release process or providing an out-of-cycle security update". In the meantime, Microsoft "encourages customers running an affected configuration to apply the Fix it solution as soon as possible".

Here's the link to that FixIt download again...

Edited by happygeek: unstuck

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

4
Contributors
3
Replies
20
Views
5 Years
Discussion Span
Last Post by jwenting
0

Unfortunately this will probably preclude the vast majority of Internet Explorer and Microsoft Office users who will just wait for the usual monthly 'important updates are available' message. I would like to think that DaniWeb members, and those who read this article, are a little more savvy than that. Microsoft itself recommends you apply the Fix-It sticking plaster, as does every IT security expert I have spoken to, so what are you waiting for?

Good article. I read about this attack.

Microsoft did created the Fix (patch) to blocks the potential attack in Internet Explorer.

0

You shouldn't have anything on a computer connected to the internet that China etc. would have any interest in. The US government can't seem to figure that out - hell! they lost the plans to a new fighter design - DUH!

0

complete bollocks that most users will just wait for the MONTHLY update message. Microsoft releases updates once a week through Windows Update and critical fixes more frequently in emergencies.
As most Windows machines come with Windows Update preconfigured to automatically download and install, most everyone will have the fix within at most a week of it being released.

The only exception might be corporate machines where the updates are handled by a company run server that produces a package of its own with multiple updates from several vendors and pushes that at whatever intervals (or at the push of a button by a sys admin), but those tend to have pretty sturdy firewalls and up to date AV products at multiple levels to block things like this.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.