CVE-2012-1889: MSXML use-after-free vulnerability
- Wednesday, June 20, 2012, 8:58
- Threat Research
As soon as Microsoft had released patches for security bulletin MS12-037 (which patched 13 vulnerabilities for Internet Explorer), Google published information ("Microsoft XML vulnerability under active exploitation") about a new zero-day vulnerability (CVE-2012-1889) in Microsoft XML Core Services. Sometimes vulnerabilities are discovered at a rate that outpaces the patching process and so a temporary fix is needed. That is what Microsoft has provided in this case: a ‘Fix it’ patch. We recommend that you install the patch because exploits for the vulnerability are already in the wild.
Furthermore, a few days ago an exploit for CVE-2012-1889 was made public through publication in the Metasploit Framework repository ("New Critical Microsoft IE Zero-Day Exploits in Metasploit"). ESET products already detect the CVE-2012-1889 vulnerability as JS/Exploit.CVE-2012-1889. However, you should still install the patch if you are using software that is affected, as detailed in Microsoft Security Advisory 2719615.
Now for the technical details: CVE-2012-1889 is a memory corruption issue in Microsoft XML Core Services. It is triggered when code tries to access an XML node that hasn’t been initialized, using the get_definition API call, which may corrupt memory and allow remote code execution. The ‘use-after-free’ class of vulnerability is quite commonly found in programs developed in C and C++.
Vulnerability CVE-2012-1889 is simple to exploit in all known versions of Internet Explorer.