Yellow: WebViewFolderIcon setslice exploit spreading.
On Friday 29th (and, for nearly all of our readers, past the end of their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We are raising our Infocon to Yellow to increase awareness of the problem and to call for action. We have decided to stay Yellow until Monday morning for most of our readers. Barring further dramatic developments, we will go back to Green on Monday.
This exploit started in the Month of Browser Bugs on July 18th as a denial of service; however, its author recently released a code-executing variant of it.
Reason for Yellow
The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.
If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly, and the people using the exploit are not the least dangerous ones either. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.
We suggest the following actions (do them all: a layered approach will still work when one of the measures fails):
Update your antivirus software and make sure your vendor has protection for it (*).
Install the following killbits (**):
Make sure you set both.
You can do this manually as described in the Microsoft security advisory, by using Tom Liston's tool, with a GPO, ...
Consider asking your users to stop using MSIE. We know it's hard to break an addiction, but you are using the most targeted browser in the world.
We are aware of 3rd-party patches, but for now our recommendation is to use the measures above instead.
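For readers scripting the killbit step above across many machines, here is an added PowerShell example (not from this diary or from Tom Liston's tool) that sets the kill bit for a list of CLSIDs while preserving any flags already present, then verifies the result. The CLSIDs are placeholders; substitute the two listed in Microsoft security advisory 926043. The registry mechanism follows KB240797.

```powershell
# Added example: set the IE kill bit (KB240797) for a list of ActiveX CLSIDs and verify it.
# Kill bit = bit 0x400 in the DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Run from an elevated (administrator) prompt.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# PLACEHOLDERS: replace with the two CLSIDs given in Microsoft security advisory 926043.
$Clsids = @(
    '{CLSID-PLACEHOLDER-1}',
    '{CLSID-PLACEHOLDER-2}'
)

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Read whatever flags are already set so we only OR in the kill bit, never clobber others.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    # Returns $true only if the key exists and bit 0x400 is set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($c in $Clsids) {
    Set-KillBit -Clsid $c
    if (Test-KillBit -Clsid $c) { "$c : kill bit set" } else { "$c : FAILED, check permissions" }
}
```

Test-KillBit on its own is also a quick way to audit machines that were supposed to receive the GPO.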
Alex Sotirov from Determina on Full Disclosure: "We're also researching additional exploitation vectors. The underlying cause of the setSlice vulnerability is an integer overflow in COMCTL32.DLL, a core Windows component used by a large number of applications. The WebViewFolderIcon ActiveX control is most likely only one of the attack vectors for this vulnerability."
USCERT note 753044
Microsoft security advisory 926043
Jesper's blog about setting killbit using group policy (GPO)
Exploit prevention labs blog entry - iframe
Exploit Prevention labs blog entry - CWS
Malicious ActiveX Controls (Oreilly)
Setting killbits (Microsoft - KB240797)
Snort VRT sigs: SID 7985 and SID 7986, available since September 1st.
Exploit.HTML.IESlice.a - Exploit.HTML.IESlice.c (Kaspersky)
Sept. 30th diary
Sept. 29th diary with tool to set the killbits
Sept. 28th diary
(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first offers real protection against new threats.
(**): There are currently no reports of side effects on other applications when disabling this ActiveX control.
Swa Frantzen -- Section66