Thursday, June 21, 2012

Microsoft In-The-Wild Coverage - CVE-2012-1889 and CVE-2012-1875

As a security professional, there's very little I hate more than Microsoft vulnerabilities announced after patches are sent out each Microsoft Tuesday. Not only do they mean that folks like me have to scramble to address them - since invariably bugs released outside the standard patch cycle come with live exploits - they typically grant the largest possible exploitation window to an attacker. If your job is to keep systems secure, a potentially month-long window between exploit code release and patch release is a nightmare.

This month brought that exact scenario, with the public release of CVE-2012-1889 mere hours after the release of the month's patches. The vulnerability had been actively exploited in the wild for some time before this public release; Google has been issuing warnings to potential victims in Gmail since at least June 5. Initial exploitation appears to have been very narrowly targeted; with the June 15 release of a Metasploit module, however, as well as other exploits appearing across the web, users should expect attackers to go after a much broader target base.

The good news for those of us charged with keeping networks secure is that there's been a very rapid response to this particular attack. The VRT released SIDs 23142 - 23146 the day after the public release of the vulnerability; we have been continuously monitoring newly released attacks, and have found that those rules cover everything that has been released to date. As those signatures are extremely generic in relation to the vulnerability, we expect them to continue working for any new exploits that are created, public or private.

In addition, Microsoft released a "Fix It" tool the day of the vulnerability announcement. While this tool does not patch the underlying bug - Microsoft is actively working on that patch - it does block the attack from reaching the vulnerable section of the codebase, which effectively keeps users safe while a full patch is created. I would strongly encourage you to use this tool immediately.

The other bug from this month's patch cycle that's actively being exploited in the wild is CVE-2012-1875, a complex DOM manipulation bug in Internet Explorer. A functional exploit with shellcode appeared on PasteBin on June 8 - four days before the release of the patch by Microsoft - and Metasploit also released code on June 13, which has been under active development to work on more platforms ever since. While the initial exploitation appeared, once more, to be very narrowly targeted, the broad availability of functional exploit code today means that the likelihood of this attack appearing in exploit kits or other commoditized attack platforms is exceptionally high.

Sourcefire customers have been protected by SID 23125 since this month's Microsoft Tuesday release; again, this coverage has been verified across all known exploits in the wild, and will be continually reviewed as new tools are released.
