The MS12-043 bulletin details the Microsoft XML Core Services vulnerability that was first revealed in the June Patch Tuesday update. That flaw has been exploited in the wild over the past month. While Microsoft is now issuing a patch, it doesn’t cover all possible vulnerable XML scenarios. The patch fixes Microsoft XML Core Services 3.0, 4.0, and 6.0 — but it does not patch version 5.0, which is still widely used and deployed in Microsoft’s Office products.
“My guess is that a patch for XML 5 will come out next month and the Microsoft Office team was just not able to get a patch out in time,” Wolfgang Kandek, CTO of Qualys, told eSecurity Planet. “So the risk now is that attackers will change their code to attack XML version 5.”
Kandek noted that the vulnerability in XML 5 is the same as it is in XML 3, 4, and 6. As such, will be fairly simple for attackers to target.
However, Microsoft is not leaving its users entirely exposed to the XML 5 vulnerability. The company has issued a fix-it patch for XML 5 that provides a band-aid approach to addressing the flaw. Amol Sarwate, Director of Vulnerability Labs at Qualys, told eSecurity Planetthat a fix-it patch is often just a killbit — a piece of code that restricts the ability of a function to operate. It is Sarwate’s understanding the fixit is as good as a patch in actually limiting the risk of the vulnerability.