Danger! Unpatched Microsoft security vulnerability being actively exploited

Danger! Unpatched Microsoft security vulnerability being actively exploited

Traffic sign. Image from ShutterstockAn unpatched critical security vulnerability in Microsoft’s software is being actively exploited by cybercriminals.

The exploit allows what’s known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.

Alongside last week’s regular Patch Tuesday announcement (including a remote code execution vulnerability that is being exploited by attackers in the wild), Microsoft also issued an out-of-band security advisory about an as-yet unpatched security hole (known as CVE-2012-1889).

Microsoft security advisory

Meanwhile, Google also warned of an actively exploited vulnerability that some have linked with their recent warnings about “state-sponsored attacks”.

Sophos, along with other security vendors working with Microsoft under the MAPP consortium, updated its security products to detect the CVE-2012-1889 zero-day vulnerability. Sophos products detect the vulnerability in two parts as Exp/20121889-A and Sus/20121889-A.

Over the weekend, SophosLabs systems reported a Sus/20121889-A detection on the website of a European medical company.

Upon further investigation of the website, we were able to confirm that it was indeed exploiting the CVE-2012-1889 vulnerability.

Infected website

SophosLabs is still investigating this threat but here is what we can say:

The following files had been implanted on the hacked website:


The file deploy.html contains the vulnerability and loads deployJava.js (a JavaScript library that determines information about the visiting browser software). The file deploy.html also tries to run the movie.swf with the intriguing parameters "?apple=<long hex string>".

Finally, deploy.html loads an iframe to faq.htm.

SophosLabs has published detection of Troj/20121889-B (protecting against the deploy.html and faq.htm files) and Troj/SWFExp-AV (protecting against the movie.swf file).

We are continuing to try work with both the user who inadvertently visited the website and the hacked website’s owner, and will update you when we can release more information.

Currently, this vulnerability has no patch available but Microsoft has released a Fix it solution. We strongly suggest that you consider this workaround – for now.

Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later.

Traffic sign image courtesy of Shutterstock.