-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


    National Cyber Awareness System

              Technical Cyber Security Alert TA12-174A


Microsoft XML Core Services Attack Activity

   Original release date: June 22, 2012
   Last revised: --
   Source: US-CERT


Systems Affected

     Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected.
     Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft
     Office 2007 are affected due to their use of XML Core Services.


Overview

   Microsoft Security Advisory (2719615) warns of active attacks using
   a vulnerability in Microsoft XML Core Services. Microsoft Internet
   Explorer and Microsoft Office can be used as attack vectors.


Description

   Microsoft Security Advisory (2719615), a Google Online Security
   blog post, Sophos, and other sources report active attacks
   exploiting a vulnerability in Microsoft XML Core Services
   (CVE-2012-1889). Attack scenarios involve exploits served by
   compromised web sites and delivered in Office documents. Reliable
   public exploit code is available, and attacks may become more
   widespread.


Impact

   By convincing a victim to view a specially crafted web page or
   Office document, an attacker could execute arbitrary code and take
   any action as the victim.


Solution

   As of June 22, 2012, a comprehensive update is not available.
   Consider the following workarounds.

   Apply Fix it

      Apply the Fix it solution described in Microsoft Knowledge Base
      Article 2719615. This solution uses the Application
      Compatibility Database feature to make runtime modifications to
      XML Core Services to patch the vulnerability.

   Disable scripting

      Configure Internet Explorer to disable Active Scripting in the
      Internet  and Local intranet zones as described in Microsoft
      Security Advisory (2719615). See also Securing Your Web Browser.

   Use the Enhanced Mitigation Experience Toolkit (EMET)

      EMET is a utility to configure Windows runtime mitigation
      features such as Data Execution Prevention (DEP), Address Space
      Layout Randomization (ASLR), and Structured Exception Handler
      Overwrite Protection (SEHOP). These features, particularly the
      combination of system-wide DEP and ASLR, make it more difficult
      for an attacker to successfully exploit a vulnerability.
      Configure EMET for Internet Explorer as described in Microsoft
      Security Advisory (2719615).


References

 * Microsoft Security Advisory (2719615) -
   <https://technet.microsoft.com/en-us/security/advisory/2719615>

 * Microsoft Security Advisory: Vulnerability in Microsoft XML Core
   Services could allow remote code execution -
   <http://support.microsoft.com/kb/2719615>

 * NVD Vulnerability Summary for CVE-2012-1889 -
   <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889>

 * Microsoft XML vulnerability under active exploitation -
   <http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html>

 * European aeronautical supplier's website infected with "state-sponsored" zero-day exploit -
   <http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/>

 * Securing Your Web Browser -
   <https://www.us-cert.gov/reading_room/securing_browser/>

 * Application Compatibility Database -
   <http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx>


Revision History

  June 22, 2012: Initial release

 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA12-174A Feedback VU#783993" in
   the subject.
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA12-174A Feedback VU#783993" in
   the subject.
 ____________________________________________________________________

   Produced by US-CERT, a government organization.
 ____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-174A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBT+TZH3dnhE8Qi3ZhAQIjggf+O+mOYAEj9Lhq05KCWunmNoLREdH8ura3
DVnvdz+PBgQwxJXCl2fxCvJ56nPnxgKoDvtKWHDdFePfmS1+Tmp9/DnXoEY8tFCd
SlqYoL+jUuxJGQk4oxbTP/U2Gcu1GSOgpc4sj5WGiuHFQa1iDEJ+rSG2myUqyIEu
B5HsYiqOGHXyynXWxdr5W9/37owlfXWJeazs2aviqGIKq/5uz78NHy/RHMnphOhI
qCZzRnHHkyHeS0JojqCnJjNeDoLMaMUzdEzRsZt4bY0YgonRJnRSaEgPlKGvvfSo
nIeTdyDIZQVsN6H0yjSaN+whlS30BFiasDtLw50omazYdkSv2jJHCg==
=7lRz
-----END PGP SIGNATURE-----