MA-320.062012 : MyCERT Alert - Critical Vulnerability in Microsoft XML Core Services

Date first published: 2012-06-20

1.0 Introduction

A critical vulnerability has been identified in the Microsoft XML Core Services. The vulnerability, if successfully exploited will cause the application to crash and could potentially allow an attacker to take control of the affected system.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. [1]

Essentially, an attacker can trick users into clicking on a URL that will direct the users to a specially crafted web page containing the exploit.

MyCERT is aware that a '0-day' exploit is available on the internet at the time of the publication of this advisory.

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute codes remotely and gain the same privilege as the user. Unsuccessful attacks may cause denial-of-service (DoS) outcomes.This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The detail list of the vulnerable products and versions are as below:

• Microsoft XML Core Services 6.0
  
• Microsoft XML Core Services 5.0
• Microsoft XML Core Services 4.0
  
• Microsoft XML Core Services 3.0
  

These core services are being used by several applications and made them vulnerable as well. The applications are:

• Windows XP Service Pack 3
  
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
  
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems           
• Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2   
• Windows Server 2008 for x64-based Systems Service Pack 2        
• Windows Server 2008 for Itanium-based Systems Service Pack 2 
• Windows 7 for 32-bit Systems         
• Windows 7 for 32-bit Systems Service Pack 1        
• Windows 7 for x64-based Systems   
• Windows 7 for x64-based Systems Service Pack 1  
• Windows Server 2008 R2 for x64-based Systems   
• Windows Server 2008 R2 for x64-based Systems Service Pack 1  
• Windows Server 2008 R2 for Itanium-based Systems         
• Windows Server 2008 R2 for Itanium-based Systems Service Pack 1        
• Windows Server 2008 for 32-bit Systems Service Pack 2   
• Windows Server 2008 for x64-based Systems Service Pack 2        
• Windows Server 2008 R2 for x64-based Systems   
• Windows Server 2008 R2 for x64-based Systems Service Pack 1  
• Microsoft Office 2003 Service Pack 3         
• Microsoft Office 2007 Service Pack 2         
• Microsoft Office 2007 Service Pack 3

4.0 Recommendation

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround if they need to use Microsoft Internet Explorer:

• 4.1 Apply an automated Microsoft Fix it solution that blocks the attack vector for the vulnerability addressed in this advisory. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems. The Microsoft Fix It can be obtained from the following URL:
  http://support.microsoft.com/kb/2719615
  
  
• 4.2 Windows users are advised to add the EMET support for Internet Explorer (iexplorer.exe). Step by step on how to add the EMET support for specific application can be found in our Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) tutorial at the following URL:
  http://www.mycert.org.my/en/resources/os/main/main/detail/792/index.html
  
  
• Configure your EMET to protect either
  • C:\program files\Internet Explorer\iexplore.exe
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    
• 4.3  Disable Active Script support in the browser. Active Script can be disabled by referring to the following steps:

On the Tools menu, click Internet Options

Click the Security tab, choose Internet zone and click on Custom Level

Disable the Active Scripting and click OK

• 4.4 Another option for the recommendation in 4.3 is to configure the Enhanced Security Configuration for Internet Explorer and set the Internet Security Zone to "High"

• 4.5 Do not browse to untrusted websites or click on untrusted links especially URLs enclosed in e-mails from an unknown sender.
  
  
• 4.6 Browse the Internet through access of a lower privilege user to minimize the impact of the malicious file.
  
  
• 4.7 Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.
  

MyCERT would like to advise the users of Microsoft product to be vigilant of the latest security announcements by Microsoft and ensure that they automatically update the operating systems. The article on how to enable the auto update feature in Microsoft is available at the following URL:
http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html

MyCERT generally advise users of this product to keep themselves updated with the latest security announcements by the vendor. In case the public receives any suspicious URL, and requires our further analysis, please reach us through the following channels:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

5.0 References

i. http://technet.microsoft.com/en-us/security/advisory/2719615
ii.http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx
iii.http://support.microsoft.com/kb/2719615