The ActiveX-based exploit is widely known, easy to re-create, and used on an increasing number of sites, according to one security alert.
Microsoft said it is working overtime to fix a flaw in Windows that a security company noted on Monday could soon be used by as many as 600 malicious Web sites.
Multiple versions of exploit code for the vulnerability in the "WebViewFolderIcon" ActiveX control -- also dubbed the "setslice" bug by some security organizations -- has been spotted on the Web, said the SANS Institute's Internet Storm Center Monday. ISC raised its Internet threat status warning to "Yellow" on Friday to account for the spreading code.
"The exploit is widely known, easy to recreate, and used on more and more websites," the ISC alert read. "The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove." (CoolWebSearch is an adware package that tracks users movements on the Web that one anti-spyware vendor warns to "handle with care!")
San Diego-based Websense has spotted the new exploit being used on a few of the sites collectively known as "IFRAME Cash," the term taken from iframecash.biz that describes affiliates which push unpatched exploits to a large number of other Web sites.
"The fact that they are using the exploit code poses a significant risk due because their ability to attract users to sites via search engines and e-mail spam campaigns," Websense warned. "We have more than 600 active sites that have IFRAME cash-placed code on them. This does not mean that all sites have the recent zero-day code but it does mean that they potential to because they mostly point back to main 'hub servers,'" the alert continued.
Other researchers also sounded the alarm bell. "[These people] like to hack into completely innocent sites, and install an IFRAME, thus turning them into unwitting lures," wrote Roger Thompson, chief technology officer at Exploit Prevention Labs, in a blog entry. "And they like to find bulletin boards that are open enough for them to insert their IFRAME."
Microsoft said it was pushing for a patch. "We are working overtime to help get all of you more secure," said Lennart Wistrand, a program manager at the company's Security Response Center (MSRC), in an entry written late Friday.
Although the Redmond, Wash. developer has not issued a fix -- it's shooting for Oct. 10 -- the independent Zeroday Emergency Response Team (ZERT) has produced an unsanctioned patch that should stymie attacks. ZERT, which first popped into the news Sept. 22 when it beat Microsoft to the VML fix punch by 4 days, has updated its ZProtector framework to account for the new vulnerability. The fix can be downloaded from here.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.