Defence supplier's website infected with 'state-sponsored' zero-day exploit, claims Sophos

All flavours of Windows at risk from critical security flaw

The website of a major supplier to the European aeronautical industry has been hacked and infected with a "state-sponsored" zero-day exploit, according to computer security software supplier Sophos.

The exploit takes advantage of an as-yet unpatched vulnerability in Microsoft XML Core Services (MSXML), a component shipped with all current flavours of Microsoft Windows, from Windows XP to Windows 7. Microsoft Office 2003 and 2007, which install their own copies of MSXML, are also at risk.

Sophos is not naming the company because of the sensitivity of the security flaws, but says the malicious attack on the website is almost certainly the work of state-sponsored agencies, given the nature of the compromised target and its customers combined with the sophistication of the attack.

Sophos was alerted to the security problem when a Sophos customer attempted to visit the affected website and received a warning that a file on the site contained code attempting to exploit a vulnerability in Microsoft XML Core Services. The flaw, tracked as CVE-2012-1889, allows remote code execution when a user visits a specially crafted web page with Internet Explorer, and has been linked to Google's recent warnings to its users about "state-sponsored attacks".

"One way that hackers break into large companies and organisations is to target their supply chain," said Graham Cluley, senior technology consultant at Sophos.

He added: "It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry – the type of businesses that regularly visit the websites of aeronautical suppliers, such as defence companies."

Rather than attacking a large company that may have robust security practices and a dedicated security team, an attacker instead compromises a smaller supplier whose security procedures are less rigorous and which is less likely to notice a breach, then waits for staff of the intended targets to visit the supplier's infected website.

No official patch from Microsoft is yet available for the flaw, although Microsoft has published a temporary "Fix it" workaround that can be downloaded from its website.

"Don't underestimate the seriousness of this vulnerability," said Cluley. "It is being actively exploited in the wild, and there is currently no patch available for it. As a result, Sophos has raised its threat level rating to its highest level – 'critical'."

Some anti-virus software packages – including Sophos's – can provide protection. "The best solution of all would be to have a proper fix from Microsoft. And for now, at least, we're waiting to see when that's going to appear," said Cluley.