Microsoft repairs dangerous XML Core Services zero-day flaw

Microsoft is patching a dangerous zero-day vulnerability in its XML Core Services being actively targeted by cybercriminals over the last month.

A successful attack gives a cybercriminal the ability to take complete control of the victim’s system and create new accounts with full user rights.

Microsoft

The software giant issued nine security bulletins, three critical, addressing  16 vulnerabilities across its product line as part of its July 2012 Patch Tuesday.

Microsoft acknowledged that it detected malicious code targeting the XML Core Services vulnerability. Cybercriminals set up malicious sites to lure their victims or conduct drive-by attacks that target Internet Explorer users. A successful attack gives a cybercriminal the ability to upload more malware onto a victim’s machine, take complete control of the victim’s system, and create new accounts with full user rights, Microsoft said.

An exploit for the vulnerability has made it into the Metasploit toolkit and into the notorious Black Hole automated attack toolkit, wrote Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc., in a blog post analyzing the July 2012 Microsoft bulletins. 

According to MS12-043, the memory corruption vulnerability is rated “critical” for users of XML Core Services 3.0, 4.0 and 6.0 on Windows XP, Windows Vista and Windows 7, and Core Services 5.0 on Microsoft Office 2003, 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007 and Microsoft Groove Server 2007.

Microsoft also issued a critical update to the latest version of its Internet Explorer browser, fixing a pair of flaws that could be exploited remotely by attackers to gain access to a victim’s system. Microsoft said it is easy for attackers to reverse engineer the patch and develop an exploit, giving the bulletin an exploitability index rating of “1.” The flaws are rated “critical” for Internet Explorer 9 on Windows clients and “moderate” for Internet Explorer 9 on Windows servers. MS12-044 repairs a cached object and an attribute remove remote code execution vulnerability in IE9, fixing the way the browser accesses an object that has been deleted.

A critical Windows vulnerability in Microsoft Data Access Components could enable attackers to gain complete control of a victim’s machine. The flaw was addressed in MS12-045 and affects all versions of Windows.  It is rated “moderate” for users of Microsoft’s server software. An attacker could target the flaw by luring a victim to browse to a malicious website, Microsoft said.

Weak encryption vulnerability fixed
The software maker issued an “important” update to its TLS cryptographic protocol. MS12-049 repairs an information disclosure vulnerability impacting HTTPS traffic. Microsoft said the browser is the primary attack vector. The encryption weakness makes it slightly less difficult for an attacker to crack the encryption algorithm, enabling cybercriminals to decrypt encrypted TLS traffic.

Microsoft also issued four other bulletins rated “important,” addressing flaws in Visual Basic for Applications, Windows Kernel Mode Drivers, Windows Shell and Microsoft Office for Mac. 

Microsoft extending automated digital certificate feature
Microsoft is extending its automated detection of fraudulent certificates. Digital certificates enable a system to validate the authenticity of the software. The update is in response to the Flame malware toolkit, which used fraudulent Microsoft certificates to spoof the Windows Update mechanism on Windows systems.

According to the security advisory issued today, the feature works on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 systems. It will be automatically applied to systems this month, enabling dynamic updates, allowing Windows clients to be updated with untrusted certificates once per day without requiring user interaction.

The update will also address software digital certificates that uses an outdated, weaker encryption algorithm. “On systems where this hardening package is installed, those certificates using the RSA algorithm with a key length less than 1024 bits will be treated as invalid, even if they are otherwise valid and signed by a trusted certificate authority,” Microsoft said in its advisory.