An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.
Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix. The vulnerability is easily exploited through Internet Explorer.
Security vendor Sophos reported Tuesday that it discovered over the weekend a web page crafted to take advantage of the flaw. The page was on the site of an unidentified European medical company, which did not know its website had been hijacked, Sophos said.
Cybercriminals often hide malware on legitimate websites for so-called drive-by installs. To lure people to the compromised site, hackers typically use specially crafted email to entice recipients to click on a link to the infected page.
Marcus Carey, a security researcher at Rapid7, said his company was sure cybercriminals everywhere were exploiting the widely known vulnerability. "That vulnerability is definitely being exploited in the wild," he said Wednesday. Unpatched software flaws that are disclosed publicly become priority No. 1 for cyber-criminals, who know that companies and people are slow to install patches, and even slower to apply workarounds.
The latest vulnerability is particularly serious because it can be easily exploited. "The only thing you have to do is visit a website that's been compromised, and you're going to compromise your system," Carey said. "Anyone running Internet Explorer should be terrified unless they apply the [Microsoft] fix-it."
MSXML is a set of services used in building Windows-native XML-based applications. The latest flaw affects all releases of Windows and Office 2003 and 2007. A successful attacker could use the vulnerability to gain full user rights to a PC, Microsoft said.
Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. "Although security software can protect against this vulnerability, let's hope that Microsoft can release a proper patch sooner rather than later," Paul Baccas, senior threat researcher at Sophos, said in the company's blog.
Google reported the vulnerability to Microsoft on May 30 and worked with the software maker.