
SANS ISC: Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889 - SANS Internet Storm Center SANS ISC InfoSec Forums

Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889

Several readers mentioned that Microsoft today issued a Security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.

The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.

Microsoft has issued a Fix it for it in the form of an MSI file (see the KB 2719615 link below).

Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.

Links:

--
Swa Frantzen -- Section 66

Swa

760 Posts
Anybody know how you can verify the fixit is installed after running it?

I'm not seeing '2719615' anywhere in Add/Remove Programs or in C:/Windows/System32/
K-Dee

63 Posts
A search for 2719615 in WSUS turns up nothing...
TuggDougins

37 Posts
I've got three entries for CVE-2012-1889 in Programs and Features after enabling the Fixit.
It may depend how many affected products you have installed.
David

11 Posts
@K-Dee It shows up in my windows installer DB as "CVE-2012-1889"
Anonymous
@David I've got 5 entries
Anonymous
Specifically, the core of the fixit does the following. It copies into place the following 5 files (only the first three get copied on 32-bit OSes).

Directory of C:\Windows\AppPatch\Custom
06/12/2012 01:24 AM 2,162 {06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb
06/12/2012 01:24 AM 555,200 {29447369-6968-4e86-a208-603f6f0771a6}.sdb
06/12/2012 01:24 AM 125,876 {f300e352-12de-4e7f-ace3-a376874402b6}.sdb

Directory of C:\Windows\AppPatch\Custom\Custom64
06/12/2012 01:24 AM 17,404 {393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb
06/12/2012 01:24 AM 72,416 {7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb

In order, those files are known inside the MSI as msxml4_shim32.sdb, msxml3_shim32.sdb, msxml6_shim32.sdb, msxml6_shim64.sdb, and msxml3_shim64.sdb, so you should be able to figure out what those shims attempt to hotfix.

Then, it makes the following registry entries. Again, on 32-bit OSes, it skips those that would be applicable to the 64-bit SDB files. Note that the random hex strings in the iexplore.exe key match the DatabaseInstallTimeStamp values below, and these values will vary from installation to installation.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe]
"{29447369-6968-4e86-a208-603f6f0771a6}.sdb"=hex(b):d6,a7,35,66,1b,49,cd,01
"{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"=hex(b):99,75,4d,66,1b,49,cd,01
"{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"=hex(b):59,38,52,66,1b,49,cd,01
"{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"=hex(b):3a,1f,5e,66,1b,49,cd,01
"{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"=hex(b):5b,43,65,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):99,75,4d,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{29447369-6968-4e86-a208-603f6f0771a6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{29447369-6968-4e86-a208-603f6f0771a6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):d6,a7,35,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):5b,43,65,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\Custom64\\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):3a,1f,5e,66,1b,49,cd,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f300e352-12de-4e7f-ace3-a376874402b6}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{f300e352-12de-4e7f-ace3-a376874402b6}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="CVE-2012-1889"
"DatabaseInstallTimeStamp"=hex(b):59,38,52,66,1b,49,cd,01

Basically, this lets Microsoft load some sort of hotfix code into the IE process to handle the various vulnerabilities without having to fix MSXML3/4/6 immediately. By fixing it only in the IE process, they cut down on the massive amount of testing required, which lets them get a quick fix out a lot faster. At least that's my read.
Anonymous
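One way to answer K-Dee's question using the artifacts listed in the post above: an added example (not from the thread or from Microsoft) that enumerates the InstalledSDB entries described as "CVE-2012-1889", decodes the REG_QWORD install timestamp as a FILETIME, and checks that each shim file exists and is also registered for iexplore.exe. The function name is mine; the key paths and value names are the ones shown in the registry dump.

```powershell
# Verify the MSXML Fix-it (KB 2719615) shim registration for CVE-2012-1889.
# Run from an elevated, native (64-bit on x64) PowerShell so the Custom64 entries are visible.
$installedSdb = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$iexploreKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe'

function Test-Cve20121889Fixit {
    $results = @()
    if (-not (Test-Path -LiteralPath $installedSdb)) { return $results }

    # Values registered against iexplore.exe; each value name is "{guid}.sdb"
    $ieProps = Get-ItemProperty -Path $iexploreKey -ErrorAction SilentlyContinue

    foreach ($key in Get-ChildItem -Path $installedSdb) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.DatabaseDescription -ne 'CVE-2012-1889') { continue }

        $guid    = $key.PSChildName            # e.g. {06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}
        $sdbPath = $props.DatabasePath
        # hex(b) in the .reg export is REG_QWORD; the Fix-it stores a FILETIME there
        $installedUtc = [DateTime]::FromFileTimeUtc([int64]$props.DatabaseInstallTimeStamp)
        $registeredForIe = ($null -ne $ieProps) -and
                           ($null -ne $ieProps.PSObject.Properties["$guid.sdb"])

        $results += [pscustomobject]@{
            Guid            = $guid
            SdbPath         = $sdbPath
            FileExists      = Test-Path -LiteralPath $sdbPath
            InstalledUtc    = $installedUtc
            RegisteredForIE = $registeredForIe
        }
    }
    return $results
}

$shims = @(Test-Cve20121889Fixit)
if ($shims.Count -eq 0) {
    Write-Output 'No CVE-2012-1889 shim databases registered: the Fix-it does not appear to be installed.'
} else {
    $shims | Format-Table -AutoSize
    $healthy = @($shims | Where-Object { $_.FileExists -and $_.RegisteredForIE })
    Write-Output ('{0} of {1} shim(s) have their .sdb file on disk and are registered for iexplore.exe' -f $healthy.Count, $shims.Count)
}
```

On a 32-bit OS the post says only three shims are copied, so three entries rather than five is the expected result there.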
It has not escaped my notice that those timestamps are very recent. Someone was burning the midnight oil to get this out!
Anonymous
Finally, I'm going crazy trying to remember the last time I saw this approach. I'm certain I've seen someone (I can't remember if it was Microsoft or a white-hat) use this approach in a temporary workaround for a vulnerability, but I can't remember when it was or what the vulnerability was. Does anyone else remember or is anyone else better at finding it?
Anonymous
Thanks Dave and everyone else for the replies.....
K-Dee

63 Posts
Is Office 2003/2007 really a prerequisite to be vulnerable or is it just that its "XML Core Services" are vulnerable as well?
Anonymous