Drive-by Exploit Plants Trojans onto Fully Patched Windows Systems Running IE
McAfee's Avert Labs have discovered a drive-by exploit on the Web that preys on fully patched Windows XP SP2 systems running IE 6 and 7 browsers. In preliminary tests, McAfee found that the IE/XP systems proved vulnerable to an attack that delivers a Trojan download in complete silence.
McAfee Avert Labs said on its site on Wednesday that its researchers had discovered the exploit posted to a message board. The posting described a proof of concept, but McAfee Avert Labs have since also received a malicious sample. "It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web," according to the Labs.
McAfee so far hasn't found Windows XP SP0 or SP1 to be vulnerable. Firefox 2.0 is also bearing up to the attack.
The vulnerability lies in the handling of malformed Windows animated cursor (.ani) files. The Avert Labs suggests that this vulnerability is reminiscent of a Microsoft security bulletin that went out in January 2005, MS05-002. In that instance, many versions of Windows were found to be critically vulnerable to remote code execution due to a problem with cursor and icon format handling.
McAfee hasn't offered any workaround to the unpatched vulnerability, although it does rate it as being of low risk to home or corporate users. The Avert Labs are tracking the exploit and will post more information as they find it.