0 Replies Latest reply on Jul 14, 2009 4:08 PM by HarryWaldron

    Internet Explorer - Office Web based exploits in-the-wild

      The ISC is highlighting these zero-day attacks with a rare "Yellow Status" condition for 24 hours, as more active use in-the-wild may be occurring. AV protection is emerging and users should be careful in accessing unusual websites presented to them in searches, email, IM, or other sources until this is patched.

      Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
      http://isc.sans.org/diary.html?storyid=6778
      http://isc.sans.org/diary.html?storyid=6787
      http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html
      http://www.sophos.com/blogs/gc/g/2009/07/13/day-vulnerability-microsoft-owc-discovered/
      http://www.sophos.com/blogs/sophoslabs/v/post/5320

      QUOTE: Attack vectors used to exploit this vulnerability

      1. The now known public attempts to exploit the vulnerability, attackers just modify the code with a fresh download and payload to slightly modified malware.

      2. A .cn domain using a heavily obfuscated version of the exploit - which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.

      3. A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML. This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server.

      IE zero-day domains to avoid
      http://isc.sans.org/diary.html?storyid=6739

      Microsoft Advisory 973472
      http://www.microsoft.com/technet/security/advisory/973472.mspx

      Exploit-CVE2009-1136 -- McAfee protection emerging (DAT 5676)
      http://vil.nai.com/vil/content/v_179225.htm