It’s been more than two months since H.D. Moore released a number of browser-related bugs under the name “Month of Browser Bugs” (MoBB), and just a couple of hours ago today he added a new module to Metasploit3 that is an enhanced version of MoBB #18. The previous exploit could only cause a Denial of Service (DoS) in the affected browser, but this new release, added as a module to Metasploit Framework 3, can cause Remote Code Execution even on a fully patched Windows XP SP2 system (that’s why it is called 0-day :D).
The vulnerability was caused by an overflow when calling the setSlice() method of an ActiveX Object, WebViewFolderIcon, by setting the first argument to 0x7ffffffe.
As of the moment, we have not found any in-the-wild sample of this exploit, but since the module is already publicly posted on the Internet, we would not be surprised to find one. That is why we are on the lookout for malicious authors using it on the Internet for their own malicious intent. Since it is already a Metasploit Framework module, we have created a Proof-of-Concept exploit sample to proactively create Trend solutions.
Since this is also based on an ActiveX Object, disabling Active Scripting can be a good workaround.
How to Disable Active Scripting in the Internet and Local intranet security zones
- In Internet Explorer, click Internet Options on the Tools menu
- Click the Security tab
- Click Internet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- Click Local intranet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- If you are prompted to confirm that you want to change these settings, click Yes
- Click OK to return to Internet Explorer
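The same setting can be audited and applied from the registry. The script below is an added example, not part of the original post; it assumes the standard per-user Internet Explorer zone layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active scripting, value 3 = Disable), and the `-Apply` switch is a name chosen for this example.

```powershell
# Added example: audit, and with -Apply set, the Active Scripting URL action
# for the current user's Internet and Local intranet zones.
# Assumed standard IE zone layout: zone 1 = Local intranet, zone 3 = Internet;
# URL action 1400 = Active scripting; data 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)   # -Apply is a switch name chosen for this example

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @(
    @{ Id = '3'; Name = 'Internet' },
    @{ Id = '1'; Name = 'Local intranet' }
)
$action  = '1400'
$disable = 3
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($zone in $zones) {
    $path  = Join-Path $zonesRoot $zone.Id
    $entry = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue

    # Report the current state before changing anything.
    if ($null -eq $entry) {
        $state = 'not set'
    } else {
        $value = [int]$entry.$action
        $state = if ($labels.ContainsKey($value)) { $labels[$value] } else { "unknown ($value)" }
    }
    Write-Output ("{0,-15} Active Scripting: {1}" -f $zone.Name, $state)

    # Only write when asked to, and only when the zone is not already disabled.
    if ($Apply -and $state -ne 'Disable') {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $action -Value $disable `
            -PropertyType DWord -Force | Out-Null
        Write-Output ("{0,-15} Active Scripting set to Disable" -f $zone.Name)
    }
}
# Note: zone settings enforced through policy can override these per-user values.
```

Run it without arguments to report the current state, and with `-Apply` to set both zones to Disable.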
Update (Jessie Paz, Thu, 28 Sep 2006 08:12:10 AM)
The Proof-of-Concept exploit sample was given the detection name HTML_IESLICE.A.