Microsoft XML Core Services Attack Activity – Microsoft Security Advisory (2719615)

Original release date: June 22, 2012

Last revised: —

Source: US-CERT


Systems Affected


Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected.

Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft

Office 2007 are affected due to their use of XML Core Services.





Microsoft Security Advisory (2719615) warns of active attacks using

a vulnerability in Microsoft XML Core Services. Microsoft Internet

Explorer and Microsoft Office can be used as attack vectors.





Microsoft Security Advisory (2719615), a Google Online Security

blog post, Sophos, and other sources report active attacks

exploiting a vulnerability in Microsoft XML Core Services

(CVE-2012-1889). Attack scenarios involve exploits served by

compromised web sites and delivered in Office documents. Reliable

public exploit code is available, and attacks may become more






By convincing a victim to view a specially crafted web page or

Office document, an attacker could execute arbitrary code and take

any action as the victim.





As of June 22, 2012, a comprehensive update is not available.

Consider the following workarounds.


Apply Fix it


Apply the Fix it solution described in Microsoft Knowledge Base

Article 2719615. This solution uses the Application

Compatibility Database feature to make runtime modifications to

XML Core Services to patch the vulnerability.


Disable scripting


Configure Internet Explorer to disable Active Scripting in the

Internet  and Local intranet zones as described in Microsoft

Security Advisory (2719615). See also Securing Your Web Browser.


Use the Enhanced Mitigation Experience Toolkit (EMET)


EMET is a utility to configure Windows runtime mitigation

features such as Data Execution Prevention (DEP), Address Space

Layout Randomization (ASLR), and Structured Exception Handler

Overwrite Protection (SEHOP). These features, particularly the

combination of system-wide DEP and ASLR, make it more difficult

for an attacker to successfully exploit a vulnerability.

Configure EMET for Internet Explorer as described in Microsoft

Security Advisory (2719615).





* Microsoft Security Advisory (2719615) –



* Microsoft Security Advisory: Vulnerability in Microsoft XML Core

Services could allow remote code execution –



* NVD Vulnerability Summary for CVE-2012-1889 –



* Microsoft XML vulnerability under active exploitation –



* European aeronautical supplier’s website infected with “state-sponsored” zero-day exploit –



* Securing Your Web Browser –



* Application Compatibility Database –



0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.