June 18, 2012, 3:25 PM — Attack code for two actively exploited vulnerabilities in Microsoft software, one of which has not yet been patched, was integrated into the open-source Metasploit penetration testing framework.
One of the vulnerabilities is identified as CVE-2012-1875 and is located in Internet Explorer. Attackers can exploit it to execute malicious code by tricking users into visiting a specially crafted Web page or opening a Microsoft Office document that has a malicious ActiveX control embedded into it.
Microsoft addressed the security flaw on Tuesday as part of its MS12-037 security bulletin, but according to security researchers from antivirus vendor McAfee, the vulnerability had been actively exploited in attacks since at least June 1.
The flaw was recently used by hackers to infect the computers of people who visited Amnesty International's Hong Kong website with malware, security researchers from Symantec said in a blog post on Monday.
"Microsoft is aware of limited attacks attempting to exploit the vulnerability," Microsoft said on Tuesday. "However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published."
That has now changed. The attack code for CVE-2012-1875 integrated into Metasploit targets Internet Explorer 8 on Windows XP with Service Pack 3.
The second actively exploited vulnerability for which an exploit module was added to Metasploit is identified as CVE-2012-1889 and is located in Microsoft XML Core Services.
According to researchers from security vendor Trend Micro, attacks targeting this particular flaw prompted Google to display warnings about state-sponsored attacks to Gmail users earlier this month.
Microsoft has yet to release a security patch for this vulnerability. However, a Microsoft "Fix it" tool that blocks the attack vector is available for download.