Microsoft Pressured To Patch Zero Day As VUPEN Creates Serious Exploit
Microsoft is facing pressure to patch a zero-day threat that is being exploited in the wild, as vulnerability seller VUPEN has found a way to make the exploit work across all Windows platforms.
Attack code for the CVE-2012-1889 flaw, which affects the Microsoft XML component found in Internet Explorer, was published earlier this month. The vulnerability could allow remote code execution if a user visits a specially crafted webpage in Internet Explorer.
Security researchers have seen attempts to spread malware by injecting malicious iframes into websites. Sophos found that a website of a European aeronautical parts supplier had been hacked and was serving up a malicious attack exploiting CVE-2012-1889. The drive-by attack vector was similar to another it had seen affecting a European medical company earlier this week, which was also taking advantage of the zero-day security hole.