Hackers exploit another unpatched IE bug

The SANS Institute’s Internet Storm Center set its Internet danger warning level to “yellow” over the weekend as criminal gangs began targeting Internet Explorer browsers with an unpatched security hole.

Last week, security researcher H. D. Moore released proof-of-concept code demonstrating how a bug in the “setslice()” method in IE’s “WebViewFolderIcon” ActiveX control could be used to execute malicious code on a user’s system. Moore originally publicized the flaw in July, but at the time he only disclosed that it could be used to shut down the browser.

Over the weekend, two separate criminal groups began hacking into websites and message boards and rigging them to deploy code from remote servers that exploits the bug. The exploit servers attempt to plant several pieces of malicious code on users’ systems, including a program called CoolWebSearch that is notoriously difficult to remove, according to SANS.

SANS urged system administrators to take action as soon as possible. “The exploit is widely known, easy to recreate and is used on more and more websites,” the group said in an advisory. “The risk of getting hit is increasing significantly.”

Microsoft said it is aware of the problem, and recommended workarounds until a patch arrives on 10 October, as part of the company’s regular patch cycle. Users should install killbits that disable the control, according to Microsoft and SANS. SANS also urged administrators to consider asking their users to stop using IE for the time being.

Security company Determina issued a patch that fixes the problem, which has been endorsed by ZERT (Zeroday Emergency Response Team), a nonprofit group made up of well-known security researchers.

The root of the problem is with an integer overflow in a core Windows component called COMCTL32.DLL, which is used by many programs, researchers said. “The WebViewFolderIcon ActiveX control is most likely only one of the attack vectors for this vulnerability,” said Determina’s Alex Sotirov on the Full Disclosure mailing list.

Security experts said the escalation in attacks using the “setslice()” method were not the same as last week’s attacks that used a different IE flaw. Microsoft issued an emergency patch for that bug last week.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now