Latest Windows Exploit Spreads, ZERT Issues Fix
Multiple versions of exploit code for the vulnerability in the "WebViewFolderIcon" ActiveX control -- also dubbed the "setslice" bug by some security organizations -- has been spotted on the Web, said the SANS Institute's Internet Storm Center Monday. ISC raised its Internet threat status warning to "Yellow" on Friday to account for the spreading code.
"The exploit is widely known, easy to recreate, and used on more and more websites," the ISC alert read. "The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove." (CoolWebSearch is an adware package that tracks users movements on the Web that one anti-spyware vendor warns to "handle with care!")
San Diego-based Websense has spotted the new exploit being used on a few of the sites collectively known as "IFRAME Cash," the term taken from iframecash.biz that describes affiliates which push unpatched exploits to a large number of other Web sites.
"The fact that they are using the exploit code poses a significant risk due because their ability to attract users to sites via search engines and e-mail spam campaigns," Websense warned. "We have more than 600 active sites that have IFRAME cash-placed code on them. This does not mean that all sites have the recent zero-day code but it does mean that they potential to because they mostly point back to main 'hub servers,'" the alert continued.
Other researchers also sounded the alarm bell. "[These people] like to hack into completely innocent sites, and install an IFRAME, thus turning them into unwitting lures," wrote Roger Thompson, chief technology officer at Exploit Prevention Labs, in a blog entry. "And they like to find bulletin boards that are open enough for them to insert their IFRAME."
Microsoft said it was pushing for a patch. "We are working overtime to help get all of you more secure," said Lennart Wistrand, a program manager at the company's Security Response Center (MSRC), in an entry written late Friday.
Although the Redmond, Wash. developer has not issued a fix -- it's shooting for Oct. 10 -- the independent Zeroday Emergency Response Team (ZERT) has produced an unsanctioned patch that should stymie attacks. ZERT, which first popped into the news Sept. 22 when it beat Microsoft to the VML fix punch by 4 days, has updated its ZProtector framework to account for the new vulnerability. The fix can be downloaded from here.