Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us

    Last month, Microsoft released a fix tool in order to address a vulnerability in Microsoft XML Core Services. The said vulnerability, according to the Microsoft Security Advisory, could allow remote code execution if a user views a specifically crafted webpage using Internet Explorer. It has been given the identifier CVE-2012-1889.

    Since the vulnerability exists in Microsoft XML Core Services by way of IE, which is installed on most of PCs in the world, we assume that this attack code would give users the extremely big impact once it is exploited by malicious users. Another factor that would contribute to is impact is the fact that its attack code was made public.

    In line with this, we’d like to share the results of our analysis of a malware which exploits CVE-2012-1889. Trend Micro products detect this particular malware as HTML_EXPLOYT.AE.

    HTML_EXPLOYT.AE Overview

    HTML_EXPLOYT.AE may arrive in a system through a variety of means, such as email or a malicious website. It attempts to exploit CVE-2012-1889 via Internet Explorer.

    It should be noted that this specific exploit does not have a function to bypass DEP (Data Execution Prevention). If HTML_EXPLOYT.AE runs on an Internet Explorer with DEP enabled, it causes IE to crash.

    However, considering that the attack code for this exploit has been released in the wild, it is possible that we will see a sample that can bypass DEP and ASLR.

    HTML_EXPLOYT.AE has three main features, which we will discuss in a 3-part blog series. For part 1, we will discuss the usage of Microsoft XML Core Services.

    HTML_EXPLOYT.AE Feature 1: Usage of Microsoft XML Core Services

    HTML_EXPLOYT.AE uses object element by using Classid to exploit Microsoft XML Core Services.

    Specifically, HTML_EXPLOYT.AE exploits CVE-2012-1889 by referring to uninitialized object.

    In order to confirm the root cause of CVE-2012-1889 vulnerability, it is better to check how this code has been used in normally. So here we have the code to exploit CVE-2012-1889, with the heap spray codes deleted:

    Now let’s check the vulnerable code above when executed normally:

    The upper [eax] points to an object by a virtual function of “msxml3!Document::`vftable”” and[ ecx+18h] point to the “msxml3!Document::weakRelease” function. Its vftable is the following:

    From this we can see that the exploit HTML_EXPLOYT.AE takes advantage of the Microsoft XML Core Service (mxml3.dll) vulnerability. Internet Explorer Microsoft XML Core Service (mxml3.dll) uses this module in order to process HTML/XML codes making this program and other applications that uses this module, vulnerable to this attack.

    Based on this, we can conclude that it is possible for attackers to use other vectors in order to exploit the Microsoft XML Core Service vulnerability.

    Trend Micro protects users from this threat via Smart Protection Network™, which detects and deletes HTML_EXPLOYT.AE. Furthermore, Deep Security prevents attacks exploiting CVE-201-1889 via IDF rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

    In the second installation of our 3-part series about this exploit, we will share our findings regarding the second feature of HTML_EXPLOYT.AE: Heap Spray.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice