This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen.

Vulnerabilities? In My Metasploit?

It's more likely than you think. Like all reasonably complex software packages, Metasploit occasionally ships with security vulnerabilities. Lucky for us, our user base tends to be pretty sophisticated when it comes to discovering and reporting vulns in our product, so these bugs are usually pretty short-lived. This week, Borja Merino discovered one, reported it in over the weekend, and we rolled an emergency fix out that day.


If you have a security vulnerability in Metasploit, I would be super-grateful if you reported it to security@metasploit.com so that we can roll out a fix. Here at Metasploit we stick to a 60-day disclosure policy for vulnerabilities that we discover independently, so we'd appreciate the heads-up the next time a Metasploit vuln surfaces. In return, we'll be sure you get credited with discovery and all that.

Speaking of Zero-Day...

This release contains a module for an unpatched vulnerability in Microsoft's XML Core Services. The module exercises the vuln via Internet Explorer, and is currently unpatched. For more details on that, see Wei "sinn3r" Chen's blog post from earlier this week. For tips on how to avoid getting exploited out on the wild Internet, keep an eye on Microsoft's Security Advisory 2719615. In the mean time, the Metasploit module appears to be the best way to test your exposure, given whatever mitigation you settle on while waiting for a patch.

Deprecated Commands

This week, Metapsloit core developer James "egyp7" Lee tackled a persistent problem we've been having on the IRC channel -- people who have read Metasploit: The Penetration Tester's Guide and who subsequently notice that commands like db_host are no longer functional. Egypt has instituted a deprecated commands system for msfconsole now, so users who try db_hosts, db_services, etc. get a helpful redirect to the correct "hosts" or "services" command. In addition, since it's been about eight months since db_autopwn was deprecated out and people still ask about it, we suspect that's floating around in documentation as well -- so that command gives a helpful link to HD Moore's blog post, Six Ways to Automate Metasploit.

New Modules

Finally, here's the list of this week's new modules. Thanks to all of our open source contributors for their work on these.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.