Unpatched Microsoft XML vulnerability now in BlackHole Exploit Kit
July 2, 2012
On June 12, 2012 (Patch Tuesday), Microsoft published Security Advisory 2719615 that revealed an exploitable vulnerability in their XML Core Services, which are used by various Windows programs. Less than three weeks have passed since that Advisory and cyber-criminals have already added this vulnerability to the latest update of the BlackHole Exploit Kit.
Here is an excerpt from the Microsoft Techcenter article defining this vulnerability:
Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
The Advisory goes on to note the following details:
- An attacker would have to trick users into visiting the BlackHole equipped website in order to run the exploit attack.
- This is usually done with social engineering tactics that trick victims into clicking on a hostile link in an email, Instant Messenger, Facebook or Twitter message, which redirects them to the website hosting the attack code.
- The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.
- The MSXML vulnerability inherits the privileges of the logged-in user. Less privileged accounts would be less likely to be infected without further user interaction (like agreeing to a UAC challenge and allowing unknown, unexpected code to run with Administrator privileges! DOH!).
What the Microsoft Advisory doesn't tell you is that this vulnerability also exists in some out-of-support versions of Windows and MS Office programs and other applications by Microsoft or third party software companies.
Until Microsoft releases an actual patch for the vulnerable components, they have issued a temporary workaround in the form of a Fix It page. If you go to http://support.microsoft.com/kb/2719615 you will find two clickable buttons, labeled: "Fix It." The button on your left, under the word "Enable" (#50897), applies the workaround to the Windows Registry and patches some files. The button on the right, under "Disable" (#50898), reverses the changes.
Clicking the buttons either "runs" or downloads the files, which have a .msi extension. I recommend downloading and saving the files, then running them as needed. Sometimes Microsoft removes the Fix It pages or buttons after an official patch has been released. Having the Fix It and unFix It files on your hard drive or USB stick makes them available to you whenever they are needed (e.g. after a repair reinstallation of Windows). The Fix It file type, .msi, is a Windows Installer file and requires Administrator credentials or privileges to run it.
I recommend applying the Fix It workaround until Microsoft releases an official patch. When they do, you should run the other Fix It (unFix It) to reverse the changes, before checking for Windows Updates (on Patch Tuesday, or out-of-cycle).
Why do I need to unfix a patch applied with a Fix It button?
This is not obvious, but some Microsoft official patches check if certain Registry key values and file versions exist before a patch is offered to you. If you apply a Fix It and later on check for the official patch for that vulnerability, the Windows Updater may think that the patch was already applied and skip it. This can be a critical problem if the official patch does more than the Fix It did, as is usually the case. This means that you may have locked down the primary exploit vector, but will not receive the secondary fixes that ship in the official patch.
You reverse the changes by running Fix It Tool #50898. I strongly advise you to download both files to your computers, naming the second one "UnFix It," then run them as needed, with Administrator credentials. Better yet, log off your "Standard" or "Limited" user account, log into an Administrator account, run the Fix It or UnFix It, then reboot. This ensures that no affected programs are still open when you apply these changes and that the fixes run with full Administrator privileges, from start to finish.
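As an added example that is not part of the original article, the PowerShell snippet below inventories the MSXML DLLs present on a machine and checks whether the Fix It 50897 workaround is still registered as an installed program, so you know to reverse it before checking Windows Update. The DLL names, the Uninstall registry paths and the assumption that the Fix It's DisplayName contains its number (50897) are mine, not taken from the page.

```powershell
# Added example (not from the original article). Assumptions are marked as such.
# 1) Inventory the MSXML DLLs in System32 and report their file versions.
$sys32 = Join-Path $env:WINDIR 'System32'
# Assumption: MSXML 3.0, 4.0 and 6.0 ship as these DLL names; 5.0 ships with Office.
foreach ($dll in 'msxml3.dll', 'msxml4.dll', 'msxml6.dll') {
    $path = Join-Path $sys32 $dll
    if (Test-Path $path) {
        $ver = (Get-Item $path).VersionInfo.FileVersion
        "{0,-12} present, file version {1}" -f $dll, $ver
    } else {
        "{0,-12} not installed" -f $dll
    }
}

# 2) Fix It packages are .msi installers, so they register under the Uninstall keys.
#    Assumption: the entry's DisplayName contains the Fix It number (50897).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$fixit = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -match '50897' }

if ($fixit) {
    "Fix It 50897 workaround is installed: $($fixit.DisplayName -join ', ')"
    "Run the Disable Fix It (#50898) before checking Windows Update for the official patch."
} else {
    "Fix It 50897 workaround not found in installed programs."
}
```

Run it from an elevated PowerShell prompt; the Wow6432Node path is absent on 32-bit Windows and is skipped silently.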
Hopefully, Microsoft will release an official comprehensive fix for the XML vulnerability on this coming Patch Tuesday, which falls on July 10, 2012. Otherwise, they could release an out-of-cycle patch later in the month. If you have Windows Updates set to check and download automatically, the patch should be pushed to you when it is released. If you operate as a less privileged user, the patch will be applied the next time you turn off the computer (before it fully shuts down).
One more thought: just because the Microsoft Advisory says that this affects Internet Explorer users, don't assume that you are totally safe by using Firefox or Chrome. You could still trigger an exploit via a third party add-on or plug-in. Plus, since this affects MS Office, if you open an infected office document file, you can be exploited.
Action Recap:
Apply the XML Fix It tool, then reverse it and apply the official patch when it becomes available through Windows Update Services.
Epilogue:
The vulnerability having been added to the BlackHole Exploit Kit means that the criminals running the show can use one more method to try to infect the PCs of people drawn to their servers. You may have disabled or updated Java, Flash and Quicktime, only to be exploited via the MSXML vulnerability! If you aren't aware of what the BlackHole Exploit is or does, search my Blog for "BlackHole Exploit."
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.