A very well-written document on this exploit situation (the place I've taken the information from):

http://isc.sans.org/diary.html?storyid=6778


** HEADS UP ** Microsoft Office Vulnerability - ACTIVELY BEING EXPLOITED.

Second heads-up in two weeks, but this one is being more actively exploited. I SAY AGAIN: THIS VULNERABILITY IS ACTIVELY BEING EXPLOITED.

A lot of threat cons have gone up to stage 2 or 3, depending on their measurement techniques. However, the point is that everyone has raised the bar on the current threat level.

Advisory: http://www.microsoft.com/technet/sec...ry/973472.mspx
KB article: http://support.microsoft.com/kb/973472
SRD blog: http://blogs.technet.com/srd/archive...erability.aspx
MSRC blog: http://blogs.technet.com/msrc/archiv...-released.aspx

Products affected:
Microsoft Office XP Service Pack 3;
Microsoft Office 2003 Service Pack 3;
Microsoft Office XP Web Components Service Pack 3;
Microsoft Office Web Components 2003 Service Pack 3;
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1;
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
Microsoft Internet Security and Acceleration Server 2006;
Internet Security and Acceleration Server 2006 Supportability Update;
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
Microsoft Office Small Business Accounting 2006.

A FIX IT TOOL IS AVAILABLE:
http://go.microsoft.com/?linkid=9672747
FOR ALL AD ADMINS OUT THERE:
http://technet.microsoft.com/en-us/l.../bb457006.aspx
** USING AN ALTERNATIVE BROWSER (OTHER THAN IE) IS RECOMMENDED **
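For admins who want to apply the same protection as the Fix It by hand (or verify that it took after a GPO/script push), the advisory's workaround is the standard IE ActiveX kill bit: the 0x400 bit in the control's "Compatibility Flags" registry value. The script below is an added example written for this post; it is not the Fix It tool's own code and not taken from Microsoft. The CLSID in it is a placeholder that must be replaced with the control CLSID(s) listed in the 973472 advisory.

```powershell
# Added example (not from the original post or from Microsoft's Fix It):
# set and verify the IE ActiveX kill bit for one control.
# ASSUMPTION: $Clsid below is a placeholder. Replace it with the CLSID(s)
# given in Microsoft Security Advisory 973472 before running.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace me
$KillBit = 0x400                                       # IE "kill bit" flag

# Run this from a 64-bit PowerShell on 64-bit Windows: 32-bit IE reads the
# Wow6432Node hive, so both locations must carry the flag there.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags([string]$Path) {
    # Returns the current Compatibility Flags DWORD, or 0 if the value/key is absent
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the kill bit in so any other flags already set on the control survive
    $new = (Get-CompatFlags $Path) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit([string]$Path) {
    return (((Get-CompatFlags $Path) -band $KillBit) -eq $KillBit)
}

foreach ($p in $Paths) {
    Set-KillBit $p
    if (Test-KillBit $p) { Write-Output "kill bit set:     $p" }
    else                 { Write-Warning "kill bit NOT set: $p" }
}
```

The Test-KillBit half is the useful part after a rollout: run it alone (without Set-KillBit) on a sample of workstations to confirm the Fix It or GPO actually landed on both the native and Wow6432Node paths, since a missing 32-bit entry leaves 32-bit IE unprotected on a 64-bit box. The kill bit takes effect for newly started IE processes.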

List of domains currently exploiting the vulnerability can be found here:

http://isc.sans.org/diary.html?storyid=6739
Be sure to block them at gateway level.

Attack vectors used to exploit this vulnerability:
1. The now publicly known attempts to exploit the vulnerability: attackers just modify the code with a fresh download and payload, pointing to slightly modified malware.
2. A .cn domain using a heavily obfuscated version of the exploit, which may become an attack kit (think MPACK) and is similar to the recent DirectShow attacks.
3. A highly targeted attack against an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty; it was specifically crafted for the target, with the document tailored with appropriate contact information and subject matter specific to the targeted recipient. Analysis of the document and the secondary payload found that the attacker used a firewall on the malicious server so that all IP traffic from outside the targeted victim's domain/IP range would not reach the server.