Attackers Targeting MSXML Flaw With Malicious Flash Files

Author: Dennis Fisher
minute read

The unpatched vulnerability in Internet Explorer’s MSXML component that Microsoft warned users about earlier this month is being used in attacks that employ malicious Flash files. Researchers say that the attacks are taking the form of drive-by downloads launched from compromised legitimate sites.

The unpatched vulnerability in Internet Explorer’s MSXML component that Microsoft warned users about earlier this month is being used in attacks that employ malicious Flash files. Researchers say that the attacks are taking the form of drive-by downloads launched from compromised legitimate sites.

The attack scenario that’s being used is a familiar one. When users visit a legitimate site that’s been compromised, the malicious code injected onto the site exploits the CVE-2012-1889 vulnerability in Internet Explorer to install malware on the victim’s machine. It’s the classic drive-by download technique and it has proven to be effective for years, and it’s even more effective when there’s an unpatched flaw such as this available for use.

Just like the exploit code used against CVE-2012-1875, this exploit also uses an embedded SWF (Flash) file. The SWF file is responsible for performing the heap spray and setting up the shellcode,” Karthikeyan Kasiviswanathan of Symantec wrote in an analysis of the attacks.

When Microsoft first warned users about the vulnerability last week, officials said that the bug already was being used in attacks in the wild. Google researchers, who originally found the vulnerability and disclosed it to Microsoft, said that they had seen attacks against the vulnerability that were using malicious Office documents to carry the payload.

The newer series of attacks is instead using the ever-popular malicious Flash file as a delivery mechanism for the attacker’s shellcode.

The exploit also supports multiple versions of Windows and languages. The heap spray and shellcode are customized depending on the combination of the Windows version and languages,” Kasiviswanathan said. “When the vulnerability is triggered, the execution is transferred to the shellcode. The shellcode is designed to download an encrypted payload from a URL and save it to the Temporary Internet Files folder.”

If you’re running Internet Explorer, you should use the Microsoft FixIt tool for the vulnerability, which is a stop-gap until Microsoft has a full patch available. 

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.