Reports are coming in thick and fast about 'state-sponsored' zero-day exploits hitting business websites in the UK. The latest, disclosed yesterday by SophosLabs, involves an as yet unnamed European aeronautical parts supplier and follows on from another the day before involving a European medical company site. In both cases the same unpatched vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0, which can allow remote code execution and is detailed in Microsoft Security Advisory 2719615, appears to have been successfully exploited.
The vulnerability affects users of all currently supported versions of Windows, including Windows 7, as well as Microsoft Office 2003 and 2007. It is serious enough that a successful exploit, as seen in both attacks discovered this week, can be launched as a drive-by compromise: a user only has to visit the infected website to become a victim, unless they have anti-malware protection installed that spots the attack or have disabled JavaScript, which the exploit relies on. Both sites identified by SophosLabs had four files dropped onto them by the attackers: deploy.html, which contains the exploit for the vulnerability and loads the JavaScript library deployJava.js to interrogate the visitor's browser; movie.swf, which is then run where possible to compromise the computer; and, for good measure, an iframe loaded into faq.htm. The end result is that the attacker can potentially gain the same user rights as whoever is using the target computer at the time.
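For site administrators wanting to check whether their own web root carries the file set described above, here is an added example (written for this article, not code from SophosLabs or the attackers). The file names come from the report; the iframe pattern, the sample web root and the treatment of deployJava.js as a weak signal (it is also a legitimate Oracle library) are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# File names reported as dropped onto the compromised sites (from the article).
DROPPED_FILES = {"deploy.html", "deployJava.js", "movie.swf"}
# Assumed pattern: any iframe whose src points at deploy.html, as injected into faq.htm.
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?[^\"'>\s]*deploy\.html", re.IGNORECASE)
HTML_SUFFIXES = {".htm", ".html", ".php", ".asp", ".aspx"}


def scan_webroot(root):
    """Walk a web root and return {relative path: [reasons]} for suspicious files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        reasons = []
        if path.name in DROPPED_FILES:
            # deployJava.js is a legitimate Oracle library, so the name alone is only
            # a lead: compare the file against a known-good deployment before acting.
            reasons.append("name matches a file dropped in the reported attacks")
        if path.suffix.lower() in HTML_SUFFIXES:
            text = path.read_text(errors="replace")
            if IFRAME_RE.search(text):
                reasons.append("iframe loading deploy.html")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_webroot():
    """Constructed sample web root: a clean index page, a faq.htm with an injected
    zero-size iframe, and an empty placeholder named like one of the dropped files."""
    root = tempfile.mkdtemp()
    (Path(root) / "index.html").write_text("<html><body>Welcome</body></html>")
    (Path(root) / "faq.htm").write_text(
        '<html><body>FAQ<iframe src="deploy.html" width="0" height="0"></iframe></body></html>'
    )
    (Path(root) / "movie.swf").write_bytes(b"")
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_webroot(build_sample_webroot()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against the real document root instead of the constructed sample; a hit on faq.htm or any of the named files should be compared with a known-good copy of the site rather than deleted blindly.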
As well as running an up-to-date anti-malware solution and disabling JavaScript, the effects of this kind of attack can be mitigated by not configuring user accounts with admin-level rights. Internet Explorer on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 runs by default in the Enhanced Security Configuration, and this restricted mode further mitigates the vulnerability.
The senior technology consultant at Sophos, Graham Cluley, sees this as an attempt to break into larger organisations by targeting the supply chain. "It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry; the type of businesses that regularly visit the websites of aeronautical suppliers such as defence companies," Cluley says, adding: "Don't underestimate the seriousness of this vulnerability, it's being actively exploited in the wild and there is currently no patch available for it."
This critical 'CVE-2012-1889' vulnerability has been linked to state-sponsored attacks in recent warnings from Google. Andrew Lyons, a security engineer with Google, warned that it had first reported the vulnerability being exploited in the wild to Microsoft on May 30th. Yet it was not included in the Patch Tuesday fixes for June. So why hasn't Microsoft fixed it yet?
Well, actually Microsoft has fixed it, if you know where to look, what to download and how to apply it across your network. Unfortunately this is likely to pass by the vast majority of Internet Explorer and Microsoft Office users, who will just wait for the usual monthly 'important updates are available' message. I would like to think that DaniWeb members, and those who read this article, are a little more savvy than that. Microsoft itself recommends you apply the Fix-It sticking plaster, as does every IT security expert I have spoken to, so what are you waiting for? Head over to the Microsoft FixItForMe support page for this vulnerability and you will be able to follow the straightforward instructions there, whether you are fixing a single machine or need to roll out the fix across multiple machines using Microsoft System Center Configuration Manager 2007 in conjunction with the SDBInst.exe command.
Microsoft says that the vulnerability exists when "MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user" and that upon completion of investigation it will take the appropriate action which "may include providing a security update through our monthly release process or providing an out-of-cycle security update". In the meantime, Microsoft "encourages customers running an affected configuration to apply the Fix it solution as soon as possible".
Here's the link to that FixIt download again...