Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0539 Microsoft Security Advisory (2719615) Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution 13 June 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft XML Core Services Publisher: Microsoft Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2012-1889 Original Bulletin: http://technet.microsoft.com/en-us/security/advisory/2719615 Comment: This vulnerability has been reported as being actively exploited. - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Advisory (2719615) Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution Published: Tuesday, June 12, 2012 Version: 1.0 General Information Executive Summary Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. Mitigating Factors: o In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. o An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. o By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this vulnerability for more information about Internet Explorer Enhanced Security Configuration. Recommendation. A Microsoft Fix it solution is available that blocks the attack vector for this vulnerability. Microsoft encourages customers running an affected configuration to apply the Fix it solution as soon as possible. Please see the Suggested Actions section of this advisory for more information. CVE Reference CVE-2012-1889 Microsoft Knowledge Base Article KB2719615 Affected Software Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Windows Server 2008 R2 for Itanium-based Systems Microsoft Office 2003 Service Pack 3 Microsoft Office 2007 Service Pack 2 Microsoft Office 2007 Service Pack 3 Suggested Actions Apply the Microsoft Fix it solution that blocks the attack vector for this vulnerability See Microsoft Knowledge Base Article 2719615 for instructions on applying an automated Microsoft Fix it solution that blocks the attack vector for the vulnerability addressed in this advisory. We recommend that administrators review the KB article closely prior to deploying this Fix it solution. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT9f1Ce4yVqjM2NGpAQIsihAAuW98DW+LcNTwXfI2tnZSUMAVn89LEpRf CsDxENgVbTi7CPWQXqk7QwxAoiPoXeNwgvlYxMIcWk34F2Npzb+8yXvnPppXTQIn GENGcPbsduPBM4VfcrEmXlLCPJ7v8INBXHF1I3nIwM3WkF4gSFJfG1NaVTY6jGab Q9J6PdjPlOZ3bmP5PgjvUJ4apNe8PMc51nwFW6JvabjCCZDeLNZ5rAxKkl+G1jQr zOG+k1J71imkmxxXfryTfy8NRDV5A5eY/MBohnWho8fRFEjtKqAg84EWqblKpEny fT3MDbDnW2b6hn15D5tJdOgS7V69vXskaRfpjpn6RSMsd8KYFZglNbCHTp1jmBiI O4wcXnmXMZa63be/LWBKJiu0umVXpJAx5YRdLaFR4exsaUXJG+Iafu1fEK0Cu2J7 3U/27wDOjKgtl9U21JY8UzKBBR8gs4R90ou5e+pbRlVpau9acY8f6NVgyQb2wxNv 7NC8C0GMdMdHDGA2SPrG5pdOr8ohGWEhTrK8h/8FnH5GI5r6lajjJKliWmZQ107x p45uCMmNGLkf/f0qL+JAXU4+SdCgO/nlvndsCEH0sKrdjQ9gnvhw5Szjx8aD8jHP HocJV8FJwtjsio5rOrEsdTUTUaXQIPxGc+LFxwT5IYR1ApZ+Ge7MmX1g+mfPWBcD Vp0xDAmGCqI= =8fZ1 -----END PGP SIGNATURE-----