IE 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files
Wednesday December 17, 2008 at 4:20 am CST
Posted by Rahul Mohandas
Recently we blogged about an unpatched Internet Explorer 7 exploit in the wild. With the vulnerability information made public, McAfee Avert Labs has noticed a spike in the number of active websites hosting this exploit. Lately we are seeing customized versions of the IE 7 exploit with varying degrees of obfuscation.
Malware authors have been coming up with innovative mechanisms to leverage this exploit and socially engineer less tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent to an unsuspecting user.
Upon opening the Word document, the embedded ActiveX control with the following CLSID is instantiated and executed:
- {AE24FDAE-03C6-11D1-8B76-0080C744F389}
This control stores configuration data for the "Microsoft Scriptlet Component" policy setting.
The control then makes a request to the webpage hosting the IE 7 exploit. The appeal of this approach, from the attacker's point of view, is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it simply appears to be yet another normal Doc file.
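A defender-side check for the chain just described, added here as an example and not part of the original post: it scans raw file bytes for the CLSID named above in the forms it can take inside a legacy .doc (the 16-byte little-endian GUID that OLE storage uses for class identifiers, and the brace-form text in ASCII and UTF-16LE), and records whether the file is an OLE2 compound container at all. The two sample documents are constructed inline and are not real files; the function names are this example's own.

```python
import uuid

# The CLSID named in the post: the Microsoft Scriptlet Component.
SCRIPTLET_CLSID = uuid.UUID("AE24FDAE-03C6-11D1-8B76-0080C744F389")

# Magic bytes that open an OLE2 compound file (the legacy .doc container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def clsid_patterns(clsid):
    """Byte patterns under which a CLSID may appear inside a document:
    the 16-byte GUID as COM/OLE stores it (Data1..Data3 little-endian,
    Data4 as-is), plus the brace-form text in ASCII and UTF-16LE,
    each in upper and lower case."""
    text_upper = "{%s}" % str(clsid).upper()
    text_lower = text_upper.lower()
    return {
        "binary_le": clsid.bytes_le,
        "ascii_upper": text_upper.encode("ascii"),
        "ascii_lower": text_lower.encode("ascii"),
        "utf16le_upper": text_upper.encode("utf-16-le"),
        "utf16le_lower": text_lower.encode("utf-16-le"),
    }


def find_clsid(data, clsid=SCRIPTLET_CLSID):
    """Return (pattern_name, offset) for every occurrence of the CLSID."""
    hits = []
    for name, pat in clsid_patterns(clsid).items():
        start = 0
        while True:
            idx = data.find(pat, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits


def scan_document(data):
    """Summarise a file: whether it is an OLE2 container and where the
    Scriptlet Component CLSID appears. A hit inside a .doc is a reason to
    quarantine and inspect; on its own it does not prove malicious intent."""
    return {
        "is_ole2": data.startswith(OLE_MAGIC),
        "hits": find_clsid(data),
    }


# Constructed samples (not real documents): an OLE2 magic header, filler,
# and, in the first one, the CLSID in binary form as an OLE storage would hold it.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 40 + SCRIPTLET_CLSID.bytes_le + b"\x00" * 16
CLEAN_DOC = OLE_MAGIC + b"\x00" * 72

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_DOC), ("clean", CLEAN_DOC)):
        print(label, scan_document(blob))
```

Because the document carries only a reference to a remote page and not the exploit itself, content scanners that look for the exploit code will miss it; matching on the control's CLSID is one cheap way to surface such files for review, and it complements the kill-bit workarounds Microsoft published for this vulnerability.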
Microsoft has issued workarounds to block known IE 7 exploit attack vectors. We want to reiterate to all our readers to be vigilant and cautious while opening unknown Doc files or visiting dubious websites, while we continue to monitor the threat and protect our customers against the menace.

December 17th, 2008 at 11:45
MS has got to get rid of ActiveX! Clearly MS is incapable of making the technology safe (or they would have accomplished that after all of these years of trying)! And, why in the heck does MS install (and worse…require) browsers on servers anyway? There should never be a browser installed on a server device!
December 17th, 2008 at 18:04
[...] by the minute. The researchers at McAfee’s AVERT Labs report that they have been seeing exploits using Word documents to download and install malicious ActiveX controls on user machines. Upon opening the word document [...]
December 19th, 2008 at 08:43
>This control stores configuration data for the policy setting Microsoft Scriptlet Component.
What does this mean? This GUID appears to represent the scriptlet component itself.
The Scriptlet component itself is based on IE, so when you patch IE, it is patched. So if you install the IE patch, then Word is protected. So why bother attacking Word instead of just attacking directly through IE?
December 20th, 2008 at 11:58
[...] McAfee’s Avert Labs blog reported on December 17th that Microsoft Word is now being used by malware writers to get the latest Internet Explorer exploit on unsuspecting users’ computers. Once the document is opened, it causes a request to a server hosting this exploit to download and run the exploit without ever asking your permission. Be careful opening email attachments — this exploit might not be found by software you use to scan files for malware because the malware isn’t actually present in the file. [...]
December 31st, 2008 at 06:24
[...] late yesterday, affecting IE 5.01-IE 7 and plugging up holes allowing for remote code execution. McAfee’s Rahul Mohandas says this exploit has been used for a popular new drive-by attack using document [...]
January 4th, 2009 at 05:48
[...] 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files – editors comment: A great example of the dangers [...]
January 5th, 2009 at 11:43
[...] by the minute. The researchers at McAfee’s AVERT Labs report that they have been seeing exploits using Word documents to download and install malicious ActiveX controls on user machines. Upon opening the word [...]
February 17th, 2009 at 15:22
[...] the possibility of a consistent exploit code. The modus operandi bears close resemblance to the zero-day attack using word documents, we blogged about in December [...]
February 18th, 2009 at 10:36