An unpatched critical security vulnerability in Microsoft’s software is being actively exploited by cybercriminals.
The exploit allows what’s known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.
Alongside last week’s regular Patch Tuesday announcement (including a remote code execution vulnerability that is being exploited by attackers in the wild), Microsoft also issued an out-of-band security advisory about an as-yet unpatched security hole (known as CVE-2012-1889).
Sophos, along with other security vendors working with Microsoft under the MAPP consortium, updated its security products to detect the CVE-2012-1889 zero-day vulnerability. Sophos products detect the vulnerability in two parts as Exp/20121889-A and Sus/20121889-A.
Over the weekend, SophosLabs systems reported a Sus/20121889-A detection on the website of a European medical company.
Upon further investigation of the website, we were able to confirm that it was indeed exploiting the CVE-2012-1889 vulnerability.
SophosLabs is still investigating this threat but here is what we can say:
The following files had been implanted on the hacked website:
Finally, deploy.html loads an iframe to faq.htm.
We are continuing to try to work with both the user who inadvertently visited the website and the hacked website’s owner, and will update you when we can release more information.
Currently, this vulnerability has no patch available but Microsoft has released a Fix it solution. We strongly suggest that you consider this workaround – for now.
Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later.