Sunbelt Software is reporting a previously unknown, and unpatched, Internet Explorer / Outlook exploit in the wild. It is currently being used to push spyware and to turn infected machines into botnet zombies. This is the second IE 0-day exploit so far this month.
Rated Extremely Critical. Several updates below, including confirmation that this can spread via e-mail.
The exploit is being used to launch drive-by malware downloads that hijack Windows machines for use in botnets. These botnet computers (what used to be your computer) are typically used to send spam and as launching points for further illegal activity. But the exploit gives the attacker arbitrary code execution, so anything is possible.
This exploit has been confirmed on a fully patched Windows XP SP2 machine running IE 6.0, and it most likely works on earlier OS and patch levels as well. The vulnerability is a buffer overflow in the way Internet Explorer handles VML (Vector Markup Language). VML is an XML-based markup for vector drawings; IE renders it through its VML component (vgx.dll) when the markup is embedded in a web page or an HTML e-mail.
Update:
* This vulnerability is being actively exploited on malicious websites. Here is what Microsoft is saying: "compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability". Meaning? Until there is a fix, avoid websites that allow just anyone to post HTML content, and remember that third-party advertisements on an otherwise trusted site count as user-provided content too. (This site allows text only.)
* Outlook and Outlook Express are vulnerable as well (first reported as "apparently", since confirmed; see link below). They render HTML e-mail with the IE engine, so the exploit can arrive in a message. From Microsoft: "In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability." See advisory below. This means it could go big time very quickly. Check back here frequently for updates, or switch to reading e-mail as plain text only.
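Because the two vectors above are the same payload (VML markup) delivered either in a web page or in the HTML part of an e-mail, a mail gateway or web proxy can at least flag content that contains VML while the vulnerability is unpatched. The following is an added example written for this post; it is not code from Sunbelt or Microsoft. It looks for the VML namespace declaration, the CSS behavior binding IE needs to render VML, any element using a prefix bound to that namespace, and, as a generic heuristic for a buffer overflow in markup handling, any VML attribute value longer than an assumed 256-byte threshold. The sample HTML and the sample message are constructed, not captured from a real attack.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string, policy

# Namespace URN that binds a prefix to VML in IE / Outlook HTML.
VML_URN = "urn:schemas-microsoft-com:vml"

# xmlns:prefix="urn:schemas-microsoft-com:vml"  ->  captures the prefix
_NS_DECL = re.compile(
    r'xmlns:([A-Za-z_][\w.-]*)\s*=\s*["\']' + re.escape(VML_URN) + r'["\']', re.I)
# CSS binding IE needs before it will render VML elements in an HTML page.
_BEHAVIOR = re.compile(r'behavior\s*:\s*url\(\s*#default#VML\s*\)', re.I)
# name="value" / name='value' / name=value inside a start tag
_ATTR = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


@dataclass
class VmlReport:
    prefixes: list = field(default_factory=list)    # prefixes bound to the VML URN
    elements: list = field(default_factory=list)    # (qualified tag, char offset)
    long_attrs: list = field(default_factory=list)  # (tag, attribute, value length)
    behavior_binding: bool = False

    @property
    def has_vml(self) -> bool:
        return bool(self.prefixes or self.elements or self.behavior_binding)

    @property
    def suspicious(self) -> bool:
        # Assumption: a VML attribute value longer than max_attr_len has no
        # legitimate use in a drawing and is worth quarantining for review.
        return bool(self.long_attrs)


def scan_html(html: str, max_attr_len: int = 256) -> VmlReport:
    """Flag VML markup in an HTML document and any over-long VML attribute."""
    report = VmlReport()
    report.prefixes = sorted({m.group(1).lower() for m in _NS_DECL.finditer(html)})
    report.behavior_binding = _BEHAVIOR.search(html) is not None
    # The conventional prefix is "v"; treat it as VML even when the xmlns
    # declaration was stripped or separated from the tags by a sanitizer.
    prefixes = sorted(set(report.prefixes) | {"v"})
    tag_re = re.compile(
        r'<\s*(' + '|'.join(map(re.escape, prefixes)) + r'):([\w-]+)\b([^>]*)>', re.I)
    for m in tag_re.finditer(html):
        tag = f"{m.group(1).lower()}:{m.group(2).lower()}"
        report.elements.append((tag, m.start()))
        for a in _ATTR.finditer(m.group(3)):
            value = next(v for v in a.groups()[1:] if v is not None)
            if len(value) > max_attr_len:
                report.long_attrs.append((tag, a.group(1).lower(), len(value)))
    return report


def scan_message(raw: str, max_attr_len: int = 256) -> list:
    """Scan every text/html part of an RFC 5322 message. text/plain parts are
    skipped, which is exactly why reading mail as plain text lowers the risk."""
    msg = message_from_string(raw, policy=policy.default)
    return [scan_html(part.get_content(), max_attr_len)
            for part in msg.walk() if part.get_content_type() == "text/html"]


# Constructed samples (not captured traffic).
BENIGN_HTML = '<html><body><p>Quarterly report attached.</p></body></html>'
VML_HTML = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><head><style>'
    'v\\:* { behavior: url(#default#VML); }</style></head><body>'
    '<v:oval style="width:100px;height:50px" fillcolor="red"/></body></html>')
# Same page with one VML attribute padded to 4000 bytes: the generic
# over-long-value pattern this detector looks for.
PADDED_HTML = VML_HTML.replace(
    'fillcolor="red"', 'fillcolor="red" title="' + 'A' * 4000 + '"')
SAMPLE_MESSAGE = (
    "From: sender@example.test\nTo: victim@example.test\n"
    "Subject: see attached\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\n"
    "Plain-text copy, harmless.\n"
    "--b1\nContent-Type: text/html; charset=us-ascii\n\n"
    + PADDED_HTML + "\n--b1--\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("vml", VML_HTML), ("padded", PADDED_HTML)):
        r = scan_html(doc)
        print(f"{label}: has_vml={r.has_vml} suspicious={r.suspicious} {r.long_attrs}")
    print("message html parts flagged:", [p.suspicious for p in scan_message(SAMPLE_MESSAGE)])
```

The detector is deliberately regex-based rather than built on an HTML parser, because the content of interest is exactly the malformed, over-long markup a lenient parser would normalise away. Treat the 256-byte threshold as a tuning knob: legitimate VML drawings exported by Office can carry long `style` or path attributes, so a gateway should quarantine rather than drop on this signal alone, and a plain `has_vml` hit on mail from outside the organisation is itself a reasonable reason to strip the HTML part while this bug is unpatched.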
There are no fixes available at this time, and a "kill bit" is not an option: a kill bit disables a specific ActiveX control by its CLSID, and unlike this month's previous exploit this vulnerability is not in an ActiveX control. Turning off JavaScript (Active Scripting) in IE mitigates the exploit pages seen so far, though it does not fully mitigate all avenues of attack, since the overflow is in IE's handling of the VML markup itself rather than in script.
It does not affect Firefox, Opera, or other browsers that do not use the Internet Explorer rendering engine, so switching to one of them is an effective way to mitigate this IE vulnerability. (Update: Microsoft has issued some workarounds, but, hinting at the severity of the problem, some of the workarounds are not for the faint of heart