Patch Tuesday misses zero-day vulnerability
Microsoft's Patch Tuesday has neutered a number of critical vulnerabilities, but Google has pointed out that there is still one hole currently being exploited in the wild.
Internet Explorer has been addressed with a number of patches in Security Bulletin MS12-037. The bulletin, which was released as part of Microsoft's monthly patching cycle, details 13 vulnerabilities that affect Internet Explorer versions 6 through 9. The worst thing that attackers can do with these vulnerabilities is to remotely execute code, and potentially take control of the victim's computer.
At the time of the bulletin, Microsoft observed one of the vulnerabilities being exploited in the wild, but noted that there was no proof-of-concept code published.
Yet, in a separate advisory released on the same day, Microsoft advised that there is another unpatched vulnerability in Microsoft XML Core services that enables remote code execution if users view specially crafted pages in Internet Explorer.
"An attacker would have to convince users to visit the [specially crafted] website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website," the advisory said.
According to Microsoft, the vulnerability affects all supported releases of Windows, and some versions of Microsoft Office.
Microsoft's advisory indicates that the company is "aware of active attacks", and Google's security team, which has been working with Microsoft on the issue, claims that hackers have been making use of the vulnerability for the past two weeks.
On Google's security blog, security engineer Andrew Lyons wrote, "We discovered this vulnerability — which is leveraged via an uninitialised variable — being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30."
"These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents."
There is no official patch available via Windows Update, and, until yesterday, no mitigating patch. By definition, this makes the bug a zero-day vulnerability. However, Microsoft has released a stop-gap "FixIt" tool that addresses the vulnerability. Users will need to deploy it manually in order to protect themselves.
Other bulletins from Microsoft's Patch Tuesday include a new critical vulnerability in Remote Desktop Protocol (RDP), which allows remote code execution. A similar bug was found in RDP in March, and could allow attackers to conduct a denial-of-service attack or remotely execute code. Exploit code was found and developed after a member of Microsoft's Active Protection Program leaked information about the vulnerability to conduct the denial-of-service attack. To date, however, no working exploit code has been publicly disclosed that would enable hackers to take control of a Windows computer.
The identity of the organisation or person that reported the new RDP bug has not been disclosed, with Microsoft noting that it was reported privately. Its silence on the matter could be to avoid a repeat occurrence of exploit code being leaked. Microsoft has not seen any instances of the new vulnerability being used to attack customers.