State-sponsored attacks targeting Microsoft zero-day?

A zero-day exploit that potentially affects all supported versions of Microsoft Windows, and which has been tied to a warning by Google about state-sponsored attacks, has been identified carrying out attacks in Europe.

Security company Sophos said the still-unpatched vulnerability in Microsoft XML Core Services, which is used in writing applications, was exploited in recent attacks against an aeronautical parts supplier and a medical company, both in Europe, according to a blog post by SophosLabs’ Graham Cluley.

The exploit, which has been spreading via phishing attacks against Internet Explorer users, executed a drive-by install of four files, Cluley wrote. He said an attack against an aeronautical parts supplier, for instance, could be a step toward hacking a larger organization.


Microsoft issued a warning June 12 about the vulnerability, which exists in versions 3.0, 4.0, 5.0 and 6.0 of XML Core Services, also known as MSXML. It affects Internet Explorer in all versions of Windows XP through Windows 7, as well as all versions of Office 2003 and 2007.

The vulnerability, known as CVE-2012-1889, allows remote code execution on computers that become infected when their users visit a malicious website, and it can give an attacker the same rights as the registered user.

Microsoft has not yet issued a patch but is recommending that users and organizations take advantage of a “Fix it” workaround that can mitigate the problem.

At the time of its warning, Microsoft said the vulnerability was being actively exploited but did not give details on any attacks. Its announcement came about a week after Google launched a service that would warn users when they might be targets of state-sponsored attacks.

Google security engineer Andrew Lyons, on the company's blog, said Google had reported the MSXML vulnerability to Microsoft on May 30 and that the two companies had been working on it together.

ZDNet, citing a source “close to these investigations,” later reported that the active exploits against the MSXML vulnerability had prompted Google’s warning about state-sponsored attacks.

Google said its new service would give users a warning across the top of their screens, along with a link to advice on protecting themselves, if they were targets of a suspected state-sponsored attack.

It may have seemed a little unusual that Google, which already warns Gmail users of anything suspicious concerning their accounts, would launch a service specifically concerning state-sponsored cyberattacks, but recent reports have made it clear that governments, including the United States, are actively involved in cyber activities.

Recent news reports have said the highly sophisticated Flame and Stuxnet malware were part of a U.S./Israeli effort targeting Iran’s nuclear program, in which the Flame spyware gathered details about Iran’s Natanz processing plant, paving the way for Stuxnet to disrupt centrifuges used in uranium processing.

Meanwhile, a number of other high-profile attacks, including several against Google, have been attributed to China, Russia and other foreign governments.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.
