Attack code published for two actively exploited vulnerabilities in Microsoft software
- 18 June, 2012 19:25
- Comments
Attack code for two actively exploited vulnerabilities in Microsoft software, one of which has not yet been patched, was integrated into the open-source Metasploit penetration testing framework.
One of the vulnerabilities is identified as CVE-2012-1875 and is located in Internet Explorer. Attackers can exploit it to execute malicious code by tricking users into visiting a specially crafted Web page or opening a Microsoft Office document that has a malicious ActiveX control embedded into it.
Microsoft addressed the security flaw on Tuesday as part of its MS12-037 security bulletin, but according to security researchers from antivirus vendor McAfee, the vulnerability had been actively exploited in attacks since at least June 1.
The flaw was recently used by hackers to infect the computers of people who visited Amnesty International's Hong Kong website with malware, security researchers from Symantec said in a blog post on Monday.
"Microsoft is aware of limited attacks attempting to exploit the vulnerability," Microsoft said on Tuesday. "However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published."
That has now changed. The attack code for CVE-2012-1875 integrated into Metasploit targets Internet Explorer 8 on Windows XP with Service Pack 3.
The second actively exploited vulnerability for which an exploit module was added to Metasploit is identified as CVE-2012-1889 and is located in Microsoft XML Core Services.
According to researchers from security vendor Trend Micro, attacks targeting this particular flaw prompted Google to display warnings about state-sponsored attacks to Gmail users earlier this month.
Microsoft has yet to release a security patch for this vulnerability. However, a Microsoft "Fix it" tool that blocks the attack vector is available for download.
Even though the vulnerability affects versions 3, 4, 5 and 6 of Microsoft XML Core Services and can be exploited through both Internet Explorer and Microsoft Office, the exploit integrated into Metasploit only targets Microsoft XML Core Services 3.0 via IE6 and IE7 on Windows XP SP3.
The public availability of exploit code for both of these vulnerabilities increases the chances that they will be exploited in new attacks. Users are advised to install the security patch for CVE-2012-1875 and the Microsoft Fix it tool for CVE-2012-1889 as soon as possible in order to protect themselves.
Recommended
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Larry Page wants to see your medical records
-
Dual-Persona Smartphones Not a BYOD Panacea
-
After two-year hiatus, EFF accepts bitcoin donations again
-
CIOs struggle to deliver timely mobile business apps: survey
-
Spiceworks' free management software gets integrated MDM
-
Endpoint Protection Overview
With the exponential growth and sophistication of malware today, the security industry can no longer afford to ‘bury its head in the sand’. The bottom line is that traditional endpoint security protection is now ineffective due to the sheer volume, quality, and complexity of malware. This paper looks at this problem and how Webroot, by going back to the drawing board on countering malware threats, is revolutionising endpoint protection and solving the issues that hinder existing endpoint security solutions. Download now. -
Leading Through Connections – Insights from the Global Chief Executive Officer Study
IBM’s 2012 Global CEO study follows face-to-face discussions with more than 1,700 CEOs and senior public sector leaders from around the globe. The findings examine how CEOs are responding to the complexity of increasingly interconnected organisations, markets, societies and governments. For example, almost one-quarter of CEOs say their organisations operate below par in terms of driving value from data. CEOs have expressed frustration about their inability to capitalise on available information. This is because: “The time available to capture, interpret and act on information is getting shorter and shorter.” CEO, Chemicals and Petroleum, United States Given the need for deeper business insight, the best performing organisations are more adept at converting complex data into insights, and insights into action. Download Entire Report Now. -
Customer Success - Slater & Gordon Lawyers
Lawyers work hard, and they work fast. Any activity that takes their focus away from the task at hand represents lost productivity and lost revenue. Slater & Gordon Lawyers needed to filter spam and email-borne malware and provide high availability for email. Results from the business solution they chose include 250 hours of IT staff time reclaimed annually for other tasks, long delays in email delivery alleviated, reduced email-related storage costs, and email failover to the cloud in minutes, avoiding hours-long outages. Find out how they got these results.
Get exclusive access to Invitation only events CIO, reports & analysis. 
