We observed a zero-day attack aimed at a Chinese high school webpage and leveraged the Microsoft XML Core Services vulnerability. This discovery came about just days after Microsoft released an advisory regarding the vulnerability. The perpetrators behind the attack compromised a high school entrance exam result page in Jiangsu, China, which is visited by about a million students, parents, and teachers who are eager to know the exam results.
Once users access this page, they are redirected to several sites until they reach http://vfi.{BLOCKED}b.com:89/2/ee.htm. This site hosts HTML_EXPLOYT.AE that exploits CVE-2012-1889 and leads to the downloading of malware onto users’ systems. As of this writing, the said webpage has been cleaned.
Analysis of the Exploit and Exploit-Hosting Site
Now, let’s take a look at the site http://vfi.{BLOCKED}b.com:89/2/ee.htm, which hosts the said exploit.
The screenshot below shows that site is designed to execute a heapspray – a similar technique used by most malware:
The following code generates memory corruption, which causes Internet Explorer to crash. However, as mentioned in our previous blog entries, the Data Execution Prevention (DEP) present in IE 9 and 10 should prevent this.
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 1
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 2
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 3
Trend Micro users are protected from this threat via Smart Protection NetworK, which blocks the malicious URLs related to this threat. Trend Micro file reputation service also detects and deletes the HTML_EXPLOYT.AE and the downloaded file. Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889). Furthermore, both Trend Micro Titanium Internet Security 2011 and upcoming 2012 version features an integrated BES (Browser Exploit Solution), which detects the heapspray method without further pattern update.
For their part, Microsoft released a fix tool as a workaround solution for this vulnerability. In addition, today’s Patch Tuesday includes patches that resolves CVE-2012-1889 vulnerability.
Leave a reply
