September 29, 2016

Microsoft fixes XML Core Services vulnerability as part of July’s Patch Tuesday

(LiveHacking.Com) – As expected, Microsoft has fixed the XML Core Services vulnerability which was being exploited in the wild using drive-by attacks. The vulnerability allowed remote code execution if a user viewed a specially crafted webpage using Internet Explorer. Last month Microsoft issued a security advisory about the vulnerability along with a FixIt workaround. The exploit was also converted into a Metasploit module.

Microsoft Security Bulletin MS12-043 now fixes the problem. The Critical level update applies to Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows XP, Windows Vista, and Windows 7. It also applies to all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 (where it is rated as Moderate). The vulnerability also affects Microsoft XML Core Services 5.0 that is used in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007, and Microsoft Groove Server 2007.

July’s bulletins also covered two other Critical level vulnerabilities. The XML Core Services flaw isn’t the only drive-by vulnerability fixed by the Redmond giant. Microsoft Security Bulletin MS12-045 addresses the way that Microsoft Data Access Components handles objects in memory. Before the fix, a vulnerability existed that could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Microsoft also released a cumulative security update for Internet Explorer 9. The update fixes two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer 9. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.

Among the other updates, one is for the Mac. The update fixes a vulnerability in Microsoft Office for Mac 2011 that could allow elevation of privilege if a malicious executable is placed on an affected system by an attacker, and then another user logs on later and runs the malicious executable. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The fix corrects the permission settings on the Microsoft Office 2011 folder and other affected folders.

Microsoft to fix three critical remote code execution vulnerabilities on Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification of the issues the company expects to fix during this month’s Patch Tuesday. The notice mentions nine bulletins, of which three are marked as Critical and are connected with remote code execution vulnerabilities. The other six bulletins are marked as Important and concern remote code execution, information disclosure and elevation of privileges. The nine bulletins address a total of 16 vulnerabilities in a variety of Microsoft products including Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic.

It is anticipated that Microsoft will patch the vulnerability in its XML Core Services which is being actively exploited on the Internet. Last month Microsoft issued a security advisory about the vulnerability, which can allow remote code execution if a user views a specially crafted webpage using Internet Explorer. At the time it also issued a FixIt workaround that basically disables the vulnerable component in IE. The vulnerability, which also affects Office 2003 and Office 2007, exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. A working exploit for the bug has also been converted into a Metasploit module.

The second of the nine bulletins is specifically for Internet Explorer 9. This is somewhat unusual, as errors found in IE are often also applicable to IE 8 and sometimes IE 7. But this bulletin is only for IE 9. What is also interesting is that Microsoft updated all versions of Internet Explorer during last month’s Patch Tuesday. IE 9, being the latest version, is meant to be the most secure version.

Bulletins 4 and 8 address Microsoft Office flaws and affect Office 2003 Service Pack 3, Office 2007 Service Pack 2, Microsoft Office 2010 and Microsoft Office 2010 Service Pack 1. Both are marked as Important; one addresses a remote code execution vulnerability while the other concerns elevation of privileges.

Finally it is worth noting that bulletin 9 addresses an Important level vulnerability in Microsoft Office for Mac 2011. This bulletin does not affect the Windows versions.

Microsoft is expected to release all nine bulletins on Tuesday at approximately 10 a.m. PDT.

Zero day vulnerability in Microsoft XML Core Services turned into Metasploit module

(LiveHacking.Com) – Details on how to exploit a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 have been posted on the Internet and subsequently converted into a Metasploit module. Last week Microsoft issued a security advisory about a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that can allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The vulnerability, which also affects Office 2003 and Office 2007, exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. Microsoft does not yet have a patch for this problem, but there is a FixIt workaround that basically disables the vulnerable component in IE. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.

Windows XP systems can be exploited reliably without any third-party component. Windows 7 and Windows Vista PCs, however, need to be running an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. Systems without Java, or where a different version of the msvcr71 DLL exists, can’t be exploited, but IE will still crash.
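Whether a DLL such as msvcr71.dll opts in to ASLR is recorded in the DllCharacteristics field of its PE header, so a defender can audit it directly. The following Python check is an added example, not code from the article or from Microsoft; it also reports the DEP opt-in flag, and `sample_pe` builds a constructed header rather than reading a real DLL.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image is DEP-compatible


def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags stored in a PE image's optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    opt = e_lfanew + 24  # skip the PE signature (4 bytes) and COFF header (20 bytes)
    if opt + 0x48 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 0x46 of the optional header in both formats.
    (chars,) = struct.unpack_from("<H", data, opt + 0x46)
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}


def sample_pe(dll_characteristics: int) -> bytes:
    """Build a minimal constructed PE32 header (not a real DLL) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # COFF header: i386 machine, 0 sections, optional header size 0xE0, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_aslr.py <path-to-dll> [...]; with no arguments, run the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, pe_mitigations(fh.read(4096)))
    else:
        print("constructed non-ASLR image:", pe_mitigations(sample_pe(0x0000)))
        print("constructed ASLR+DEP image:", pe_mitigations(sample_pe(0x0140)))
```

A DLL that reports `aslr: False` loads at a predictable address in every process that imports it, which is the property the paragraph above describes for the old msvcr71.dll.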

McAfee says it found out about the vulnerability nearly three weeks ago. “The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections,” wrote Yichong Lin. “On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.”

There is also a demonstration of how to exploit the vulnerability using Metasploit on YouTube: MS12-037 Internet Explorer Same ID CVE-2012-1875 Vulnerability Metasploit Demo