Limited Exploitation of Microsoft Security Advisory 961051

The MSRC released a security advisory yesterday about a vulnerability in Internet Explorer. Like our colleagues at the MSRC, we're tracking the situation very closely, as we've observed the vulnerability being exploited in the wild, though within a relatively limited context. Virtually all the malicious sites we've seen taking advantage of the vulnerability thus far are hosted on a variety of Chinese domains.

According to the investigation thus far, the vulnerability affects Windows Internet Explorer on supported editions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Have a look at Security Advisory 961051 for more up to date information about this issue.

We've added four definitions: Exploit:JS/Mult.AE, Exploit:JS/Mult.AF, Exploit:JS/Mult.AG, and Exploit:JS/Mult.AI to detect HTML pages that include exploits such as the ones we've observed so far. We've seen several hundred detections from countries around the world, so please be sure to update your definitions as soon as possible.

[Figure: detection graph by country]

Our telemetry indicates that this issue is impacting home and corporate users. Of the detections so far, the most prevalent file names of pages containing this exploit are: 7.htm, I7.htm, ie07.htm, msxml.htm, and ss.htm.

The exploit sites we've seen so far drop a wide variety of malware, most commonly password stealers, including new variants of the game password stealers Win32/OnLineGames and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud; and some previously unseen malware which we generically detect as Win32/SystemHijack. We fully expect the variety of malware dropped by this exploit to broaden as the exploit code circulates around the Internet underground.

This issue could affect you even if you avoid surfing questionable sites. Over the past few months, we've seen a surge in SQL injection attacks that enable miscreants to inject content onto trusted sites (we blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion, means that even trusted sites can end up serving malicious content and infecting you. For this reason, we cannot stress enough the importance of keeping your anti-malware definitions up to date and following the guidance on the "Protect Your PC" page, the security advisory on this issue, and the MSRC blog post.
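As an added example (not part of the original post or of any Microsoft tool), the following script triages web proxy logs for requests to the page names listed above and records the referring site, which helps identify both the client machines that need a definition update and scan and the trusted sites that may have been compromised to redirect to the exploit pages. It assumes an Apache/NCSA combined log format with proxy-style absolute URLs; the sample lines and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Page names reported in the advisory post as the most prevalent exploit pages.
EXPLOIT_PAGE_NAMES = {"7.htm", "i7.htm", "ie07.htm", "msxml.htm", "ss.htm"}

# Assumed log layout: NCSA combined format with an absolute URL in the request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def page_name(url):
    """Return the lower-cased final path component of a URL, with any query string removed."""
    path = url.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()

def find_exploit_fetches(log_lines):
    """Map each client IP to the (url, referer) pairs whose page name is on the advisory list."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if page_name(m.group("url")) in EXPLOIT_PAGE_NAMES:
            hits[m.group("client")].append((m.group("url"), m.group("referer")))
    return dict(hits)

# Constructed sample proxy log lines (not real traffic); hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2008:10:15:01 +0000] "GET http://www.example-trusted.test/news.asp HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.5 - - [11/Dec/2008:10:15:02 +0000] "GET http://malicious.example.test/ie07.htm HTTP/1.1" 200 2211 "http://www.example-trusted.test/news.asp" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.9 - - [11/Dec/2008:10:16:40 +0000] "GET http://other.example.test/MSXML.htm?x=1 HTTP/1.1" 200 2300 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.7 - - [11/Dec/2008:10:17:00 +0000] "GET http://www.example-trusted.test/images/ss.png HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
this line is not a valid log entry
""".splitlines()

if __name__ == "__main__":
    # Each hit names a client to check and, via the referer, a site that may be serving injected content.
    for client, fetches in find_exploit_fetches(SAMPLE_LOG).items():
        for url, referer in fetches:
            print(f"{client} fetched {url} (referer: {referer})")
```

A match on file name alone is a lead, not proof of compromise; confirm with the definitions named above and with the referring site's own content.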

-- Tareq Saade & Ziv Mador
