    TrendLabs Security Intelligence Blog

    Archive for June 13th, 2012




    Apart from the regular monthly patch release Microsoft issued yesterday, which included a patch for a relatively large number of vulnerabilities in Internet Explorer (MS12-037), Microsoft also reported another IE vulnerability that has no patch available yet. MS Security Advisory (2719615) specifically identifies Microsoft XML (MSXML) Core Services as the vulnerable component. MSXML provides a set of W3C-compliant XML APIs that allow users to use JScript, VBScript and Microsoft development tools to develop XML 1.0 standard applications.

    A remote code execution vulnerability exists in Microsoft XML Core Services, caused by accessing a COM object in uninitialized memory. Successful exploitation allows an attacker to execute arbitrary code in the context of the logged-on user.

    As mentioned above, MSXML Core Services also provides a set of APIs to access certain COM objects to simplify Document Object Model tasks such as managing namespaces. An attacker can set up a website that hosts a malicious webpage invoking the affected MSXML APIs, which in turn access a COM object in memory that has not been initialized. The vulnerability is exploited when a user opens such a crafted webpage in IE. Users might reach these pages through clickable links in a specially crafted email or instant message.

    Trend Micro Deep Security customers should apply rule 1005061 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889) to block access to websites serving malicious webpages that invoke affected MSXML COM objects that access vulnerable JavaScript methods. In addition, protection for the vulnerabilities in MS12-037 is found in this Threat Encyclopedia page. Both rules are also available for OfficeScan with the Intrusion Defense Firewall plugin.

    We are investigating reports of attacks where these two vulnerabilities are supposedly being used. This entry will be updated as the investigation develops.

    Update as of 2:38 PM PST

    Trend Micro detects and removes the malware JS_DLOADER.HVN, which is found to exploit the vulnerability in MS Security Advisory (2719615). More information on the malware will be posted in succeeding updates.

    Update as of June 14, 2012, 7:51 AM PST

    The malware JS_LOADER.HVN is found to exploit the vulnerability in CVE-2012-1875, which is included and patched in the MS12-037 bulletin. This malicious script downloads other malware onto affected systems. Trend Micro users are protected from infections of this malware.

    Update as of June 15, 2012, 1:37 AM PST

    • The initially given detection name (JS_DLOADER.HVN) has been replaced with JS_LOADER.HVN.
    • JS_LOADER.HVN exploits CVE-2012-1875 and not CVE-2012-1889, as stated in the previous update.