NEWS FROM THE LAB - Sunday, October 1, 2006

Folder web view "Setslice" vulnerability
Posted by Mikko @ 06:50 GMT

Windows allows you to view folders in a "web view", complete with thumbnails of files etc. Turns out this functionality has a vulnerability. This vulnerability can be exploited remotely via an ActiveX component in Internet Explorer. And now there's public exploit code available for this vulnerability. Over the last day or so, several malicious websites have inserted such code via IFRAMEs on their sites.

You can't patch your systems, as no official patch is available. Microsoft has an advisory out, explaining how you can disable the vulnerable ActiveX component via a registry change.
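To confirm that such a registry change has actually landed on a machine, the following added example (not from the original post or from Microsoft's advisory) audits a registry export for the setting. It assumes the change is an ActiveX "kill bit", the 0x400 flag in the `Compatibility Flags` value under Internet Explorer's `ActiveX Compatibility` key; the CLSIDs and the sample export are constructed placeholders, so take the real CLSID from the advisory.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating a control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# Placeholder only: substitute the CLSID given in the Microsoft advisory.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample of a .reg export, already decoded to text (real exports are UTF-16).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000020
'''

def parse_reg_export(text):
    """Map each key path (lowercased) in a .reg export to {value name: raw data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def kill_bit_status(reg_text, clsid):
    """Return 'set', 'not set' or 'missing' for the control with this CLSID."""
    values = parse_reg_export(reg_text).get(f"{COMPAT_KEY}\\{clsid}".lower())
    if values is None:
        return "missing"  # no compatibility entry at all, so no kill bit
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", values.get("compatibility flags", ""))
    if not m:
        return "not set"  # value absent or not a DWORD
    return "set" if int(m.group(1), 16) & KILL_BIT else "not set"

if __name__ == "__main__":
    for clsid in (PLACEHOLDER_CLSID, "{11111111-1111-1111-1111-111111111111}"):
        print(clsid, kill_bit_status(SAMPLE_EXPORT, clsid))
```
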

We detect HTML files containing the exploit as "Exploit.HTML.IESlice.c". They are typically hidden with JavaScript obfuscators, which we detect as "Trojan-Downloader.JS.Agent.ab" or similar. In the end, most of the exploits end up downloading binaries with names like "loaderadv499_3.exe" and so on, detected by our last update as "Trojan-Downloader.Win32.Small.dib".

This thing is out there but we're really not seeing this in huge numbers.