Crime Rings Target IE SetSlice Flaw; ZProtector Released

In-the-wild exploits against the latest unpatched Windows vulnerability have started circulating, prompting security research groups to ship temporary protection mechanisms.

In-the-wild exploits against the latest unpatched Windows vulnerability have started circulating, using Internet Explorer as the attack vector to load identity theft Trojans and rootkits on infected machines.

The exploits target a Windows Shell vulnerability that was first released during HD Moores Month of Browser Bugs project in July and is being launched by a known cyber-crime organization operating out of Russia, according to virus hunters tracking the threat.

Microsoft has released an advisory with pre-patch workarounds and said an official update is on tap for delivery on Oct. 10.

The attack uses IE to trigger an integer overflow error in the "setSlice()" method in the "WebViewFolderIcon" ActiveX control. Microsoft recommends that IE users disable attempts to instantiate the ActiveX control by setting the kill bit for the control in the registry.

According to Exploit Prevention Labs, an Atlanta-based company that provides zero-day protection tools, two separate online crime groups are hacking into legitimate Web sites and message boards and quietly planting a malicious HTML tag called an iFrame on the site.

When a Web surfer visits the maliciously rigged site, the browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the users computer.

"These guys have a huge network of lures drawing traffic in from legitimate search engines," says Roger Thompson, chief technical officer at Exploit Prevention Labs.

The iFrame exploit technique has spawned a lucrative business for underground hackers. The groups use an affiliate model that offers cash for Web site owners who use the iFrame code. In one known case, at, the so-called affiliate program pays 55 cents per install or $55 for 1,000 unique installs of a 3KB program that "changes the homepage and installs toolbar and dialer."

The escalation of the latest attacks, which comes just a week after the VML exploits that also targeted IE users, has prompted the release of another batch of third-party fixes from security researchers.

Determina, in Redwood City, Calif., has shipped a run-time fix for the vulnerability. It can be applied to Windows 2000, Windows XP and Windows 2003 systems, and patches the vulnerable code in memory, without modifying any files on disk.

The non-profit ZERT (Zeroday Emergency Response Team) has endorsed the Determina patch. The group has also released a patch called ZProtector that automates Microsofts recommended mitigation for Windows users.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.