CVE-2012-1889 Microsoft XML core services uninitialized memory vulnerability
July 2, 2012
Authors: Brian Mariani, Senior Security Auditor, High-Tech Bridge
Frederic Bourla, Chief Security Specialist, High-Tech Bridge
Before the 30th of May 2012, attackers were exploiting a new Microsoft Internet Explorer 0day. On the 30th of May 2012, Google warned Microsoft about this vulnerability, which exists in the core of Internet Explorer's XML services. On the 12th of June 2012, Microsoft published a security advisory (2719615), which is not a final patch but a temporary “Fix-It” solution. Finally, on June 19th 2012, the Metasploit Project released an exploit module that is 100% reliable for Internet Explorer 6/7/8/9 on Windows XP, Vista, and all the way to Windows 7 SP1. This publication explains the details of the vulnerability. For our lab test we used a Windows XP SP3 computer with IE 6.0.