European aeronautical supplier hit by Microsoft zero-day exploit

A European aeronautical supplier's website has been infected with a zero-day exploit, say security researchers

A European aeronautical supplier's website has been infected with a state-sponsored zero-day exploit, according to security firm Sophos.

Business IT administrators and other computer users should use caution in the light of the discovery of an unpatched security vulnerability in Microsoft software, Sophos warned.

Researchers at Sophos Labs confirmed that the website of an unnamed European aeronautical parts supplier had been compromised and malicious code planted on it.

The cyber attack exploits a zero-day Microsoft security vulnerability. 

The company involved in the attack has not been named due to the sensitivity of the situation, said Sophos.

Sophos was alerted to the security problem when a customer attempted to visit the affected website and received a warning message.

The message warned that a file on the website was infected with code that attempts to exploit a vulnerability in Microsoft XML Core Services (MSXML), which could allow remote code execution.

The vulnerability, known as CVE-2012-1889, has been linked to recent warnings from Google about state-sponsored attacks.

"One way that hackers break into large companies and organisations is to target their supply chain. It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry - the type of businesses that regularly visit the websites of aeronautical suppliers, such as defence companies," said Graham Cluley, senior technology consultant at Sophos. 

"The theory goes that rather than try to hack a company which may have robust security practices and security teams, the bad actor can instead attack a smaller supplier which is less well placed to notice the security breach."

Vulnerabilities and workarounds

All supported versions of Windows are vulnerable, said Sophos, from XP to Windows 7.

All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable. 

While Microsoft is working on a security update, the software supplier recommends that Internet Explorer and Microsoft Office users immediately apply the Fix it workaround (a temporary mitigation, not a patch), downloadable with instructions from Microsoft Knowledge Base article 2719615.

Microsoft also recommends that businesses use the free Enhanced Mitigation Experience Toolkit (EMET) to block the potential attack vector in Internet Explorer.

"Once the security update addressing this issue is prepared and thoroughly tested, we will release it as appropriate," said Yunsun Wee, director of Microsoft Trustworthy Computing.

Cluley said businesses should not underestimate the seriousness of this vulnerability.  

"It's being actively exploited in the wild, and there is currently no patch available for it," Cluley said.

Microsoft has not yet indicated whether it plans to release an emergency, out-of-band security update ahead of the July Patch Tuesday monthly security update.

Deciding on whether to release an update out-of-band involves balancing threat with risk, said Mike Reavey, senior director, Microsoft Security Response Center.

"Microsoft has resorted to out-of-band security updates only 16 times to date; it is not something we do lightly as it is costly to both Microsoft and our customers," Reavey said.

Out-of-band releases, said Reavey, typically occur only where the threat is high and the available update is of good quality and the workarounds are poor.
