Alert

Microsoft XML Core Services Attack Activity

Last Revised
Alert Code
TA12-174A

Systems Affected

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.

Overview

Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.

Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.

Impact

By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.

Solution

As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.

Apply Fix it

Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.

Disable scripting

Configure Internet Explorer to disable Active Scripting in the Internet  and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.

Use the Enhanced Mitigation Experience Toolkit (EMET)

EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).

References

Microsoft Security Advisory (2719615)
Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution
NVD Vulnerability Summary for CVE-2012-1889
Microsoft XML vulnerability under active exploitation
European aeronautical supplier's website infected with
Securing Your Web Browser
Application Compatibility Database

Revisions

June 22, 2012: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.