Apart from the regular monthly patch release Microsoft issued yesterday, which included a patch for a relatively large number of vulnerabilities in Internet Explorer (MS12-037), Microsoft also reported another IE vulnerability that has no patch available yet. MS Security Advisory (2719615) specifically identifies Microsoft XML (MSXML) Core Services as the vulnerable component. MSXML provides a set of W3C-compliant XML APIs that allow users to use JScript, VBScript and Microsoft development tools to develop XML 1.0 standard applications.
A remote code execution vulnerability exists in Microsoft XML Core Services because it accesses a COM object in uninitialized memory. When the vulnerability is successfully exploited, an attacker could execute arbitrary code in the context of the logged-on user.
As mentioned above, MSXML Core Services also provides a set of APIs to access certain COM objects to simplify Document Object Model tasks such as managing namespaces. An attacker can craft a website to host a malicious webpage that invokes the affected MSXML APIs, which in turn access a COM object in memory that has not been initialized. The vulnerability is exploited when a user opens such a crafted webpage using IE. Users might reach these pages through clickable links in a specially crafted email or instant message.
We are investigating reports of attacks where these two vulnerabilities are supposedly being used. This entry will be updated as the investigation develops.
Update as of 2:38 PM PST
Trend Micro detects and removes the malware JS_DLOADER.HVN, which is found to exploit the vulnerability in MS Security Advisory (2719615). More information on the malware will be posted in succeeding updates.
Update as of June 14, 2012, 7:51 AM PST
The malware JS_LOADER.HVN is found to exploit the vulnerability in CVE-2012-1875, which is included and patched in the MS12-037 bulletin. This malicious script downloads other malware on affected systems. Trend Micro users are protected from infections of this malware.
Update as of June 15, 2012, 1:37 AM PST
- The initially given detection name (JS_DLOADER.HVN) has been replaced with JS_LOADER.HVN.
- JS_LOADER.HVN exploits CVE-2012-1875 and not CVE-2012-1889, as stated in the previous update.