The SANS Institute’s Internet Storm Center set its Internet danger warning level to “yellow” over the weekend as criminal gangs began targeting Internet Explorer browsers with an unpatched security hole.
Last week, security researcher H. D. Moore released proof-of-concept code demonstrating how a bug in the “setslice()” method in IE’s “WebViewFolderIcon” ActiveX control could be used to execute malicious code on a user’s system. Moore originally publicized the flaw in July, but at the time he only disclosed that it could be used to shut down the browser.
Over the weekend, two separate criminal groups began hacking into websites and message boards and rigging them to deploy code from remote servers that exploits the bug. The exploit servers attempt to plant several pieces of malicious code on users’ systems, including a program called CoolWebSearch that is notoriously difficult to remove, according to SANS.
SANS urged system administrators to take action as soon as possible. “The exploit is widely known, easy to recreate and is used on more and more websites,” the group said in an advisory. “The risk of getting hit is increasing significantly.”
Microsoft said it is aware of the problem, and recommended workarounds until a patch arrives on 10 October, as part of the company’s regular patch cycle. Users should install killbits that disable the control, according to Microsoft and SANS. SANS also urged administrators to consider asking their users to stop using IE for the time being.
Security company Determina issued a patch that fixes the problem, which has been endorsed by ZERT (Zeroday Emergency Response Team), a nonprofit group made up of well-known security researchers.
The root of the problem is with an integer overflow in a core Windows component called COMCTL32.DLL, which is used by many programs, researchers said. “The WebViewFolderIcon ActiveX control is most likely only one of the attack vectors for this vulnerability,” said Determina’s Alex Sotirov on the Full Disclosure mailing list.
Security experts said the escalation in attacks using the “setslice()” method were not the same as last week’s attacks that used a different IE flaw. Microsoft issued an emergency patch for that bug last week.