Danger! Unpatched Microsoft security vulnerability being actively exploited

Filed Under: Featured, Malware, SophosLabs, Vulnerability

Traffic sign. Image from ShutterstockAn unpatched critical security vulnerability in Microsoft's software is being actively exploited by cybercriminals.

The exploit allows what's known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.

Alongside last week's regular Patch Tuesday announcement (including a remote code execution vulnerability that is being exploited by attackers in the wild), Microsoft also issued an out-of-band security advisory about an as-yet unpatched security hole (known as CVE-2012-1889).

Microsoft security advisory

Meanwhile, Google also warned of an actively exploited vulnerability that some have linked with their recent warnings about "state-sponsored attacks".

Sophos, along with other security vendors working with Microsoft under the MAPP consortium, updated its security products to detect the CVE-2012-1889 zero-day vulnerability. Sophos products detect the vulnerability in two parts as Exp/20121889-A and Sus/20121889-A.

Over the weekend, SophosLabs systems reported a Sus/20121889-A detection on the website of a European medical company.

Upon further investigation of the website, we were able to confirm that it was indeed exploiting the CVE-2012-1889 vulnerability.

Infected website

SophosLabs is still investigating this threat but here is what we can say:

The following files had been implanted on the hacked website:


The file deploy.html contains the vulnerability and loads deployJava.js (a JavaScript library that determines information about the visiting browser software). The file deploy.html also tries to run the movie.swf with the intriguing parameters "?apple=<long hex string>".

Finally, deploy.html loads an iframe to faq.htm.

SophosLabs has published detection of Troj/20121889-B (protecting against the deploy.html and faq.htm files) and Troj/SWFExp-AV (protecting against the movie.swf file).

We are continuing to try work with both the user who inadvertently visited the website and the hacked website's owner, and will update you when we can release more information.

Currently, this vulnerability has no patch available but Microsoft has released a Fix it solution. We strongly suggest that you consider this workaround - for now.

Although security software can protect against this vulnerability, let's hope that Microsoft can release a proper patch sooner rather than later.

Traffic sign image courtesy of Shutterstock.

, , , , , ,

You might like

2 Responses to Danger! Unpatched Microsoft security vulnerability being actively exploited

  1. LOL · 1164 days ago

    if it's out-of-bounds I won't touch it. out-of-band maybe...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.