Thread: 2006 MS Alerts - Q3

  1. #17
    Adviser Team AplusWebMaster

    MSIE: WebViewFolderIcon ActiveX exploit

    FYI...

    - http://isc.sans.org/diary.php?storyid=1741
    Last Updated: 2006-09-28 02:08:55 UTC
    "If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE. So: No, surfing with MSIE is still not safe...
    Defenses:
    > Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
    > Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)...
    > Keep antivirus signatures up to date.
    > Keep an eye out for a patch from Microsoft..."

    Microsoft Windows WebViewFolderIcon ActiveX integer overflow
    - http://www.kb.cert.org/vuls/id/753044
    Last Updated - 09/27/2006
    =======================================================

    - http://secunia.com/advisories/22159/
    Release Date: 2006-09-28
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Internet Explorer 6.x ...
    ...The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
    Solution: Only allow trusted websites to run ActiveX controls..."
    ================================================

    Microsoft Security Advisory (926043)
    Vulnerability in Windows Shell Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/926043.mspx
    Published: September 28, 2006
    "Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports. The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View. We are working on a security update currently scheduled for an October 10 release..."

    (See/use the advisory's URL above for "Mitigating Factors" and "Workarounds".)
    =================================

    WebViewFolderIcon setslice exploit spreading - InfoCon level to yellow
    - http://isc.sans.org/diary.php?storyid=1749
    Last Updated: 2006-09-30 19:35:30 UTC
    "...The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove..."
    ("Suggested actions" itemized at the ISC url above.)

    Malicious Code: WebView FolderIcon setSlice Vulnerability
    - http://www.websense.com/securitylabs...hp?AlertID=644
    September 30, 2006
    "Websense Security Labs (TM) has received several reports of the recently released "WebView FolderIcon setSlice" Internet Explorer zero-day code being utilized on the Internet. Like the recently reported VML zero-day, there are professionals at work using the exploit code.
    To date all the sites we have discovered appear to be from the IFRAME Cash folks. This is the same group that we discovered using the WMF exploit back in late December 2005. The fact that they are using the exploit code poses a significant risk because of their ability to attract users to sites via search engines and email spam campaigns. Also they have iframe's embedded on. As of the time of this alert we have more than 600 active sites that have IFRAME cash placed code on them. This does not mean that all sites have the recent zero-day code but it does mean that they have the potential to because they mostly point back to main "hub servers".
    Although in some cases the IFRAME Cash sites are used to download and install Potentially Unwanted Software (PUS), they also have installed Trojan Horses which open backdoors, code which is designed to steal end-user information, and sophisticated rootkits..."

    Last edited by AplusWebMaster; 2006-10-01 at 00:46. Reason: Added ISC and Websense alert info...
    The machine has no brain.
    ......... Use your own.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...