copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2012.0539 - ALERT [Win] Microsoft XML Core Services: Execute arbitrary code/commands - Remote with user interaction

Date: 13 June 2012
References: ESB-2012.0655  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0539
 Microsoft Security Advisory (2719615) Vulnerability in Microsoft XML Core
                Services Could Allow Remote Code Execution
                               13 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft XML Core Services
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1889  

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/advisory/2719615

Comment: This vulnerability has been reported as being actively exploited.

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2719615)

Vulnerability in Microsoft XML Core Services Could Allow Remote
Code Execution

Published: Tuesday, June 12, 2012

Version: 1.0 General Information Executive Summary

Microsoft is aware of active attacks that leverage a vulnerability
in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability
could allow remote code execution if a user views a specially crafted
webpage using Internet Explorer. An attacker would have no way to
force users to visit such a website. Instead, an attacker would
have to convince users to visit the website, typically by getting
them to click a link in an email message or Instant Messenger message
that takes them to the attacker's website. The vulnerability affects
all supported releases of Microsoft Windows, and all supported
editions of Microsoft Office 2003 and Microsoft Office 2007.

The vulnerability exists when MSXML attempts to access an object
in memory that has not been initialized, which may corrupt memory
in such a way that an attacker could execute arbitrary code in the
context of the logged-on user.

Mitigating Factors:

o    In a web-based attack scenario, an attacker would have to host
a website that contains a specially crafted web page that is used
to exploit this vulnerability. An attacker would have no way to
force users to visit such a website. Instead, an attacker would
have to convince users to visit the website, typically by getting
them to click a link in an email message or Instant Messenger message
that takes them to the attacker's website.

o    An attacker who successfully exploited this vulnerability could
gain the same user rights as the logged on user. Users whose accounts
are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

o    By default, Internet Explorer on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 runs in a restricted mode
that is known as Enhanced Security Configuration. This mode mitigates
this vulnerability. See the FAQ section for this vulnerability for
more information about Internet Explorer Enhanced Security
Configuration.

Recommendation. 

A Microsoft Fix it solution is available that blocks the attack
vector for this vulnerability. Microsoft encourages customers running
an affected configuration to apply the Fix it solution as soon as
possible. Please see the Suggested Actions section of this advisory
for more information.

CVE Reference				CVE-2012-1889
Microsoft Knowledge Base Article	KB2719615

Affected Software

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2007 Service Pack 3

Suggested Actions

Apply the Microsoft Fix it solution that blocks the attack vector
for this vulnerability

See Microsoft Knowledge Base Article 2719615 for instructions on
applying an automated Microsoft Fix it solution that blocks the
attack vector for the vulnerability addressed in this advisory. We
recommend that administrators review the KB article closely prior
to deploying this Fix it solution.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT9f1Ce4yVqjM2NGpAQIsihAAuW98DW+LcNTwXfI2tnZSUMAVn89LEpRf
CsDxENgVbTi7CPWQXqk7QwxAoiPoXeNwgvlYxMIcWk34F2Npzb+8yXvnPppXTQIn
GENGcPbsduPBM4VfcrEmXlLCPJ7v8INBXHF1I3nIwM3WkF4gSFJfG1NaVTY6jGab
Q9J6PdjPlOZ3bmP5PgjvUJ4apNe8PMc51nwFW6JvabjCCZDeLNZ5rAxKkl+G1jQr
zOG+k1J71imkmxxXfryTfy8NRDV5A5eY/MBohnWho8fRFEjtKqAg84EWqblKpEny
fT3MDbDnW2b6hn15D5tJdOgS7V69vXskaRfpjpn6RSMsd8KYFZglNbCHTp1jmBiI
O4wcXnmXMZa63be/LWBKJiu0umVXpJAx5YRdLaFR4exsaUXJG+Iafu1fEK0Cu2J7
3U/27wDOjKgtl9U21JY8UzKBBR8gs4R90ou5e+pbRlVpau9acY8f6NVgyQb2wxNv
7NC8C0GMdMdHDGA2SPrG5pdOr8ohGWEhTrK8h/8FnH5GI5r6lajjJKliWmZQ107x
p45uCMmNGLkf/f0qL+JAXU4+SdCgO/nlvndsCEH0sKrdjQ9gnvhw5Szjx8aD8jHP
HocJV8FJwtjsio5rOrEsdTUTUaXQIPxGc+LFxwT5IYR1ApZ+Ge7MmX1g+mfPWBcD
Vp0xDAmGCqI=
=8fZ1
-----END PGP SIGNATURE-----