Windows Updates for June, 2012, included some critical patches, and one that ISC rated PATCH NOW! to fix a soon-to-be-in-the-wild flaw in Microsoft Internet Explorer and Microsoft Office. If you have not yet patched the systems on which you use IE or Office, do so ASAP. In addition, Microsoft issued a separate advisory about (quoting Krebs on Security, linked below) a "browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component."
Not quite one week later, ZDNet published an article stating that attack code for the IE/Office vulnerability was now publicly available. Many other security sites are reporting on these issues. Useful links and technical info are below.
If you use IE for your Internet surfing, you should run Windows Update AND run the MS FixIt tool workaround ASAP.
(EDIT: Added final link to the MS blog entry about the FixIt.)
- ISC Diary | Microsoft June 2012 Black Tuesday Update - Overview
- Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws | ZDNet
By Ryan Naraine | June 12, 2012, 2:13pm PDT
Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.
Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in the Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.
The warning comes as part of this month’s Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.
The company is urging users to pay special attention to MS12-037 and MS12-036, which provide cover for “remote code execution” vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.
- Microsoft Patches 26 Flaws, Warns of Zero-Day Attack — Krebs on Security
Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.
In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.
- Google Online Security Blog: Microsoft XML vulnerability under active exploitation
Tuesday, June 12, 2012 12:53 PM
Posted by Andrew Lyons, Security Engineer
Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability—which is leveraged via an uninitialized variable—being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30th. Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.
As part of the advisory, Microsoft suggests installing a Fix it solution that will prevent the exploitation of this vulnerability. We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix it while Microsoft develops and publishes a final fix as part of a future advisory.
- Attack code published for 'critical' IE flaw; Patch your browser now | ZDNet
Summary: Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.
- ISC Diary | Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889
Several readers mentioned that Microsoft today issued a Security Advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.
The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.
Microsoft has issued a Fix it for it in the form of an MSI file (see the KB 2719615 link below).
Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.
- Active Zero-Day Exploit Targets Internet Explorer Flaw | Blog Central
Tuesday, June 12, 2012 at 1:02pm by Yichong Lin
- MSXML: Fix it before fixing it - Security Research & Defense - Site Home - TechNet Blogs
13 Jun 2012 6:30 PM
Yesterday, Microsoft released Security Advisory 2719615, associated with a vulnerability in Microsoft XML Core Services. We want to share more details about the issue and explain the additional workarounds available to help you protect your computers.