Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889

Published: 2012-06-12
Last Updated: 2012-06-12 19:30:57 UTC
by Swa Frantzen (Version: 1)
10 comment(s)

Several readers mentioned that Microsoft today issued a Security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.

The issues affects Office 2003 and 2007 on all versions of windows. All a user has to do to fall victim is visit the wrong website using IE. 

Microsoft has issued a fixit for it in the form of an msi file (see the KB 2719615 link below)

Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.

Links:

--
Swa Frantzen -- Section 66

Keywords: microsoft MSFT
10 comment(s)

Comments

Anybody know how you can verify the fixit is installed after running it?

I'm not seeing '2719615' anywhere in Add/Remove Programs or in C:/Windows/System32/

K-Dee

Jun 12th 2012
1 decade ago

a search for 2719615 in WSUS turns up nothing...

hp

Jun 12th 2012
1 decade ago

I've got three entries for CVE-2012-1889 in Programs and Features after enabling the Fixit.
It may depend how many affected products you have installed.

David

Jun 13th 2012
1 decade ago

@K-Dee It shows up in my windows installer DB as "CVE-2012-1889"

Dave

Jun 13th 2012
1 decade ago

@David I've got 5 entries

Dave

Jun 13th 2012
1 decade ago

Specifically, the core of the fixit does the following. It copies into place the following 5 files (only the first three get copied on 32-bit OSes).

Directory of C:\Windows\AppPatch\Custom
06/12/2012 01:24 AM 2,162 {06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb
06/12/2012 01:24 AM 555,200 {29447369-6968-4e86-a208-603f6f0771a6}.sdb
06/12/2012 01:24 AM 125,876 {f300e352-12de-4e7f-ace3-a376874402b6}.sdb

Directory of C:\Windows\AppPatch\Custom\Custom64
06/12/2012 01:24 AM 17,404 {393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb
06/12/2012 01:24 AM 72,416 {7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb

In order, those files are known inside the MSI as msxml4_shim32.sdb, msxml3_shim32.sdb, msxml6_shim32.sdb, msxml6_shim64.sdb, and msxml3_shim64.sdb, so you should be able to figure out what those shims attempt to hotfix.

Then, it makes the following registry entries. Again, on 32-bit OSes, it skips those that would be applicable to the 64-bit SDB files. Note that the random hex strings in the iexplore.exe key match the DatabaseInstallTimeStamp values below, and these values will vary from installation to installation.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe]
"{29447369-6968-4e86-a208-603f6f0771a6}.sdb"=hex(b):d6,a7,35,66,1b,49,cd,01
"{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"=hex(b):99,75,4d,66,1b,49,cd,01
"{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"=hex(b):59,38,52,66,1b,49,cd,01
"{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"=hex(b):3a,1f,5e,66,1b,49,cd,01
"{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"=hex(b):5b,43,65,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):99,75,4d,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{29447369-6968-4e86-a208-603f6f0771a6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{29447369-6968-4e86-a208-603f6f0771a6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):d6,a7,35,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):5b,43,65,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):3a,1f,5e,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f300e352-12de-4e7f-ace3-a376874402b6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):59,38,52,66,1b,49,cd,01

Basically, this lets Microsoft load some sort of hotfix code into the IE process to handle the various vulnerabilities without having to fix MSXML3/4/6 immediately. By fixing it only in the IE process, they cut down on the massive amount of testing required, which lets them get a quick fix out a lot faster. At least that's my read.

Anonymous

Jun 13th 2012
1 decade ago

It has not escaped my notice that those timestamps are very recent. Someone was burning the midnight oil to get this out!

Anonymous

Jun 13th 2012
1 decade ago

Finally, I'm going crazy trying to remember the last time I saw this approach. I'm certain I've seen someone (I can't remember if it was Microsoft or a white-hat) use this approach in a temporary workaround for a vulnerability, but I can't remember when it was or what the vulnerability was. Does anyone else remember or is anyone else better at finding it?

Anonymous

Jun 13th 2012
1 decade ago

Thanks Dave and everyone else for the replies.....

K-Dee

Jun 13th 2012
1 decade ago

Is Office 2003/2007 really a prerequisite to be vulnerable or is it just that its "XML Core Services" are vulönerable as well?

fors

Jun 14th 2012
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives