Microsoft FixIt For XML Hole

Monday, June 18, 2012 @ 02:06 PM gHale

With attackers already exploiting the MSXML zero-day vulnerability, Microsoft issued a FixIt tool for the bug it is encouraging users to install as the software giant prepares a full patch for the flaw.

The vulnerability is a critical one, and, because it’s present in so many of the company’s products, it is a prime target for attackers. Microsoft warned users about the bug on Tuesday, the same day it issued its monthly batch of patches, but it did not have a fix ready at the time. An attacker can exploit the bug remotely, and attackers are already jumping on the opportunity.

Attack: IE Zero Day
RTFs Fall Victim to APTs
Microsoft Adjusts as Duqu Lingers
Microsoft Finds Apple Malware

“Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007,” Microsoft said in its advisory.

“The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.”

The FixIt tool Microsoft released makes a small change to the way the affected DLLs run. The vulnerability ended up discovered by researchers at Google, who alerted Microsoft to the problem. Google said it is going to start warning users when state-sponsored attackers are targeting their accounts. Observers wondered how the company was identifying which attacks were from state-sponsored groups, but one indication could be the use of exploits against bugs such as the MSXML flaw. Researchers said they have see attacks from China already targeting the vulnerability.

Leave a Reply

You must be logged in to post a comment.