Windows: Microsoft XML vulnerability under active exploitation

SUMMARY: Windows: Microsoft XML vulnerability under active exploitation
POSTED ON: 06/14/2012
REPORTER: Jocelyn E Kasamoto (jocelyn)
START TIME: Jun 14 05:47 PM
END TIME: Jul 13 05:47 PM
DESCRIPTION: Microsoft and Google released security advisories reporting that hackers are actively exploiting a critical vulnerability in Microsoft XML Core Services which could allow remote code execution. The vulnerability affects all supported versions of Windows, Internet Explorer, Microsoft Office 2003 and Office 2007. There is currently no patch.

What does this mean?

If you visit a malicious website designed to exploit the vulnerability, your Windows computer may get infected/compromised and the attacker could gain control of your system.

Microsoft has developed a temporary Fix It solution (which ITS has not tested). See

What should I do?

Be cautious of following links in email from unsolicited users. Avoid using Internet Explorer, especially for general web browsing. Use an alternate web browser such as Firefox or Chrome, until Microsoft releases a patch.

For more information

Attacks Actively Exploit Code-Execution Bug in Windows

From Google's Security Blog (6/12/2012):

Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability—which is leveraged via an uninitialized variable—being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30th. Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.

As part of the advisory, Microsoft suggests installing a Fix it solution that will prevent the exploitation of this vulnerability. We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix it while Microsoft develops and publishes a final fix as part of a future advisory.

Excerpt from Microsoft Security Advisory (2719615)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Published: Tuesday, June 12, 2012

Version: 1.0
General Information
Executive Summary

Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.