For the time being it's not widespread, but that can change at any time

Jul 2, 2012 11:36 GMT  ·  By

In the past month, a vulnerability in Microsoft XML Core Services has made a lot of headlines, and a few days ago experts noticed that the zero-day, which can be exploited via Internet Explorer, had been added to a variant of the Blackhole exploit kit.

Microsoft has made available a temporary fix for the issue, but for now there is no permanent patch, making the security hole a highly tempting one for cybercriminals.

Soon after the Redmond company released the first advisory for this bug, experts noticed that a Metasploit module was published for it.

Now, Sophos researchers have learned that a similar exploit code has been added to a Blackhole exploit kit landing page.

Identified as Mal/ExpJS-N, the malicious code is obfuscated in an attempt to evade detection.

“When the code is deobfuscated, the usual functions used to target the vulnerabilities we associate with Blackhole are evident. However, within this particular page was a new function (spl7), that targeted CVE-2012-1889,” SophosLabs Principal Virus Researcher Fraser Howard explained.

“The function used well-described heapspray techniques to deliver the shellcode, prior to exploiting the vulnerability in order that execution passes to that shellcode. The shellcode is pretty straightforward, attempting to download the payload (a dll) from a remote server, writing it to the temp folder.”

Curiously, the exploit code hasn’t been seen on other sites that host Blackhole. It’s uncertain why it hasn’t spread, but experts believe that it’s either unreliable, or it may simply be reserved for a premium version of the kit.

In the meantime, until Microsoft permanently addresses the issue, users are advised to apply the Fix It solution. Furthermore, internauts are recommended to avoid clicking on shady-looking links that may come via unsolicited emails or messages on social networks.