Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - *WebViewFolderIcon ActiveX control exploit(s) in the wild InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

*WebViewFolderIcon ActiveX control exploit(s) in the wild

Published: 2006-09-30
Last Updated: 2006-09-30 23:49:31 UTC
by Robert Danford (Version: 6)
0 comment(s)
Rise and shine. This vulnerability is being actively exploited in the wild.

Here is some preliminary info from the folks who got the jump on this at Exploit Prevention Labs.
http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html

Mitigation:
On the client side "killbits" can be used to unregister the vulnerable control
See http://isc.sans.org/diary.php?storyid=1742 for more details.

On the network side it might be worth considering taking control of hostname lookups on your network through a technique like blackhole-dns: http://www.bleedingsnort.com/blackhole-dns/
The exploit URLs mentioned in the explabs blog have so many IP addresses behind them that blocking by IP or netblock becomes an uphill battle.

Update: I realize this is an incomplete suggestion if the hostname is unknown. However there are legitimate reasons to not release the full URL of easily portable/unpatched exploits. I do think it is still worthwhile for sites to consider reviewing their DNS logs and considering options such as blackhole-dns. In this case you'd just have to blackhole *.biz if the hostname is unknown.

More Info:
Advisory from Microsoft
MoBB #18
OSVDB(27110)
CERT(VU753044)

Updates will be posted here as they become available.
If anyone has information to share please do so via the contact link: http://isc.sans.org/contact.php
and indicate whether the info should be kept private or not.

Update:
The exploit is detected as:
JS/Exploit-BO.gen  by McAfee
JS_PLOIT.BC by TrendMicro
Bloodhound.Exploit.83 by Symantec

Background info on malicious ActiveX controls and killbits

0 comment(s)
Diary Archives