Release date:
Updated on:
Affected Systems:
Microsoft Windows
Description:
--------------------------------------------------------------------------------
CVE ID: CVE-2012-1889
Microsoft XML Core Services (MSXML) lets developers using JScript, VBScript, and Microsoft Visual Studio 6.0 build XML applications that interoperate with other applications conforming to the XML 1.0 standard.
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 contain a vulnerability in which they access uninitialized memory locations. A remote attacker can exploit it through a specially crafted website to execute arbitrary code or cause a denial of service.
<* Source: Microsoft
Link: http://technet.microsoft.com/zh-cn/security/advisory/2719615
*>
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Apply the Microsoft Fix it solution for XML Core Services 5.0.
* Configure IE to prompt before running Active Scripting, or disable Active Scripting
* Block ActiveX controls in IE
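
To check whether the two IE workarounds above are in place on a host, the following PowerShell (3.0 or later) reads the relevant security-zone settings from the registry. It is an added example, not part of the original advisory or Microsoft's Fix it. The choice of the Internet and Local intranet zones, the mapping of "block ActiveX controls" to URL action 1200, and the simplified hive lookup order are assumptions.

```powershell
# Added example: audit the IE zone settings behind the two browser workarounds.
# 1400 and 1200 are the IE URL action IDs; 0/1/3 are the zone policy values.
$Actions = [ordered]@{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'   # assumed mapping for "block ActiveX"
}
$Zones  = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }   # assumed scope
$Policy = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hives are checked in this order; the first one that defines the value is reported.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction {
    param([string]$Zone, [string]$Action)
    foreach ($root in $Roots) {
        $key  = Join-Path $root $Zone
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Action; Source = $key }
        }
    }
    return $null   # value not defined in any hive
}

$report = foreach ($z in $Zones.Keys) {
    foreach ($a in $Actions.Keys) {
        $hit    = Get-ZoneAction -Zone $z -Action $a
        $state  = 'Not set'
        $source = '-'
        if ($null -ne $hit) {
            $source = $hit.Source
            if ($Policy.ContainsKey($hit.Value)) { $state = $Policy[$hit.Value] }
            else { $state = 'Other (0x{0:X})' -f $hit.Value }
        }
        [pscustomobject]@{
            Zone      = $Zones[$z]
            Setting   = $Actions[$a]
            State     = $state
            Mitigated = ($state -in 'Prompt', 'Disabled')   # only these satisfy the workaround
            Source    = $source
        }
    }
}
$report | Format-Table -AutoSize
```

Rows with `Mitigated` set to `False` identify zones where the corresponding workaround has not been applied for the current user.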
Vendor patch:
Microsoft
---------
Microsoft has released a Security Bulletin (2719615) and corresponding patches for this issue:
2719615: Vulnerabilities in Microsoft XML Core Services may allow remote code execution
Link: http://technet.microsoft.com/zh-cn/security/advisory/2719615