Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889
Several readers mentioned that Microsoft today issued a Security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.
The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.
Microsoft has issued a Fix it for it in the form of an MSI file (see the KB 2719615 link below).
Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.
Links:
- http://technet.microsoft.com/en-us/security/advisory/2719615
- http://support.microsoft.com/kb/2719615
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889
--
Swa Frantzen -- Section 66
Comments
I'm not seeing '2719615' anywhere in Add/Remove Programs or in C:/Windows/System32/
K-Dee
Jun 12th 2012
1 decade ago
hp
Jun 12th 2012
1 decade ago
It may depend how many affected products you have installed.
David
Jun 13th 2012
1 decade ago
Dave
Jun 13th 2012
1 decade ago
Dave
Jun 13th 2012
1 decade ago
Directory of C:\Windows\AppPatch\Custom
06/12/2012 01:24 AM 2,162 {06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb
06/12/2012 01:24 AM 555,200 {29447369-6968-4e86-a208-603f6f0771a6}.sdb
06/12/2012 01:24 AM 125,876 {f300e352-12de-4e7f-ace3-a376874402b6}.sdb
Directory of C:\Windows\AppPatch\Custom\Custom64
06/12/2012 01:24 AM 17,404 {393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb
06/12/2012 01:24 AM 72,416 {7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb
In order, those files are known inside the MSI as msxml4_shim32.sdb, msxml3_shim32.sdb, msxml6_shim32.sdb, msxml6_shim64.sdb, and msxml3_shim64.sdb, so you should be able to figure out what those shims attempt to hotfix.
Then, it makes the following registry entries. Again, on 32-bit OSes, it skips those that would be applicable to the 64-bit SDB files. Note that the random hex strings in the iexplore.exe key match the DatabaseInstallTimeStamp values below, and these values will vary from installation to installation.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe]
"{29447369-6968-4e86-a208-603f6f0771a6}.sdb"=hex(b):d6,a7,35,66,1b,49,cd,01
"{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"=hex(b):99,75,4d,66,1b,49,cd,01
"{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"=hex(b):59,38,52,66,1b,49,cd,01
"{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"=hex(b):3a,1f,5e,66,1b,49,cd,01
"{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"=hex(b):5b,43,65,66,1b,49,cd,01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):99,75,4d,66,1b,49,cd,01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{29447369-6968-4e86-a208-603f6f0771a6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{29447369-6968-4e86-a208-603f6f0771a6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):d6,a7,35,66,1b,49,cd,01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):5b,43,65,66,1b,49,cd,01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):3a,1f,5e,66,1b,49,cd,01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f300e352-12de-4e7f-ace3-a376874402b6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):59,38,52,66,1b,49,cd,01
Basically, this lets Microsoft load some sort of hotfix code into the IE process to handle the various vulnerabilities without having to fix MSXML3/4/6 immediately. By fixing it only in the IE process, they cut down on the massive amount of testing required, which lets them get a quick fix out a lot faster. At least that's my read.
Anonymous
Jun 13th 2012
1 decade ago
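The comment above notes that each InstalledSDB entry's DatabaseInstallTimeStamp matches the value stored under the Custom\iexplore.exe key. The following added example (not part of the original diary or its comments) checks that pairing in a registry export and decodes the install time. The sample export is constructed from two of the GUIDs quoted above, the function names are hypothetical, and the export is assumed to be already decoded to text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in .reg export form, reusing two GUIDs and timestamps
# quoted in the comment above. The second shim's iexplore.exe mapping is
# deliberately left out to show the failure case.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe]
"{29447369-6968-4e86-a208-603f6f0771a6}.sdb"=hex(b):d6,a7,35,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{29447369-6968-4e86-a208-603f6f0771a6}]
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):d6,a7,35,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}]
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):99,75,4d,66,1b,49,cd,01
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            current[m.group(1)] = m.group(2)
    return keys

def filetime(raw):
    """Decode a hex(b) value (little-endian FILETIME) to a UTC datetime."""
    ticks = int.from_bytes(bytes.fromhex(raw.split(":", 1)[1].replace(",", "")), "little")
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)

def check_fixit(text, description="CVE-2012-1889"):
    """Map each shim GUID to (install time, True if bound to iexplore.exe)."""
    keys = parse_reg(text)
    ie = next((v for k, v in keys.items() if k.endswith(r"\Custom\iexplore.exe")), {})
    result = {}
    for path, values in keys.items():
        if "\\InstalledSDB\\" in path and values.get("DatabaseDescription") == f'"{description}"':
            guid = path.rsplit("\\", 1)[1]
            stamp = values.get("DatabaseInstallTimeStamp")
            bound = stamp is not None and ie.get(guid + ".sdb") == stamp
            result[guid] = (filetime(stamp) if stamp else None, bound)
    return result

if __name__ == "__main__":
    for guid, (when, bound) in check_fixit(SAMPLE_REG).items():
        print(guid, when, "bound to iexplore.exe" if bound else "NOT bound to iexplore.exe")
```

A shim that is registered under InstalledSDB but reported as not bound has no matching entry for the IE process, so the workaround would not be applied there.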
Anonymous
Jun 13th 2012
1 decade ago
Anonymous
Jun 13th 2012
1 decade ago
K-Dee
Jun 13th 2012
1 decade ago
fors
Jun 14th 2012
1 decade ago