Yellow: WebViewFolderIcon setslice exploit spreading
History
On Friday 29th (and for nearly all of our readers past their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We raise our Infocon to Yellow in order to increase the awareness of the problem and call for action. We have decided to stay Yellow till Monday morning for most of our readers. Without further spectacular evolutions we will go back to Green on Monday. This exploit started in the Month of Browser Bugs on July the 18th as a Denial of Service, however its author released recently a code executing variant of it.
Reason for Yellow
The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.
Actions
We suggest following actions (do them all: a layered approach will work when one of the measures fails):- Update your antivirus software, make sure your vendor has protection for it (*).
- Install following killbits (**):
{844F4806-E8A8-11d2-9652-00C04FC30871}
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
make sure you set both.
You can do this manually as in the Microsoft security advisory, by using Tom Liston's tool, with a GPO, ...
You can do this manually as in the Microsoft security advisory, by using Tom Liston's tool, with a GPO, ...
- Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
Quote
Alex Sotirov from Determina on Full Disclosure: "We're also researching additional exploitation vectors. The underlying cause of the setSlice vulnerability is an integer overflow in COMCTL32.DLL, a core Windows component used by a large number of applications. The WebViewFolderIcon ActiveX control is most likely only one of the attack vectors for this vulnerability."References
- Jesper's blog about setting killbit using group policy (GPO)
- Exploit prevention labs blog entry - iframe
- Exploit Prevention labs blog entry - CWS
- SunbeltBlog
- F-Secure blog
- Malicious ActiveX Controls (Oreilly)
- Setting killbits (Microsoft - KB240797)
- Snort VRT sigs: SID 7985 and SID 7986, available since September 1st.
- JS/Exploit-BO.gen (McAfee)
- JS_PLOIT.BC (TrendMicro)
- Bloodhound.Exploit.83 (Symantec)
- Exploit.HTML.IESlice.a - Exploit.HTML.IESlice.c (Kaspersky)
- JS.CVE-2006-3730!exploit (CA)
- Sept. 30th diary
- Sept. 29th diary with tool to set the killbits
- Sept. 28th diary
(*): It's important to note the difference of your antivirus solutions detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.
(**): There are currently no reports of side effects on other application when stopping this ActiveX control.
--
Swa Frantzen -- Section66
×
Diary Archives
Comments