Several months ago, a vulnerability was found in Microsoft's fully patched
Internet Explorer. A malicious website can exploit it to execute any file on
the machine of a user who visits that site.
On November 22, 2005, we posted a blog entry regarding a POC for an
IE zero-day. A solution has since been released, and a description was
posted the same day for JS_ONLOADXPLT.A.
On November 29, 2005, Trend Micro received the first sample of
JS_WINDEXP.A, which uses the zero-day vulnerability.
The JavaScript program lurks on two websites; it downloads files and
executes them. These files are already detected by Trend Micro as
TROJ_DLOADER.AUS and TROJ_DELF.OP.
Current AV detection is still low (and some vendors have only a
generic detection):
FileName : js_windexp.a/windexp-a.htm_
- TrendMicro : JS_WINDEXP.A
- MailTrap : NO_VIRUS
- Symantec : NO_VIRUS
- Kaspersky : Exploit.JS.CVE-2005-1790.a
- McAfee : JS/Exploit-BO.gen
- Sophos : NO_VIRUS
- Panda : Exploit/BodyOnLoad
- Alwil : NO_VIRUS
- GeCAD (RAV): NO_VIRUS
- CAI : NO_VIRUS
- CAV : NO_VIRUS
AV descriptions:
- Trend Micro: JS_WINDEXP.A
- McAfee: JS/Exploit-BO.gen
Related links for the zero-day exploit:
- Microsoft
- eWeek
Update (Ivan, 02 December 2005 12:35:30)
I’ve noticed that, apparently, the guys behind afris.biz are now back in
business. The site hosted some particularly hot malware code back in
April, when the group uploaded exploit code that targeted MS05-002
(Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code
Execution).
Before, the malware was in the likes of TROJ_ANICMOO.F, which downloads
TROJ_SMALL.AGP, also a downloader that downloads another trojan of the
DELF family.
Now, as we can see, the group is coming out in a much earlier period,
before any MS patch release for an IE vulnerability. The site is now
hosting JS_WINDEXP.A, downloading pretty much the same kind of
second-wave downloaders.
AVs must be able to speed up solutions here… it is still way too long a
time and window before the expected MS patch!
Update (Ivan, 02 December 2005 12:57:51)
Suggested workarounds (from SANS at
isc.sans.org):
-snip-
1) Be vigilant. Know that a patch will be
forthcoming hopefully within the next 2 weeks and be ready to
deploy quickly.
2) If your organization can operate with one of the workarounds
Microsoft has mentioned in KB911302, then I recommend mitigating
your risk as much as possible. We all have at least one person who
is a little too…uhm…liberal with browsing the Internet on
company time. Think about it, that very person is probably shopping
for Christmas* presents right now on less-than-secure sites.
SO….I would suggest doing those workarounds to that computer
first. :-)
-snip-
More at ISC.
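The quoted advice names the Microsoft workarounds only by KB number. One of the workarounds commonly documented for this class of IE scripting bug is to disable Active Scripting for the Internet zone, which keeps a JavaScript loader like JS_WINDEXP.A from running at all on untrusted sites. The PowerShell script below is an added example, not part of the original post or of the SANS or Microsoft text it quotes; it assumes that this is the workaround being applied and that the machine keeps per-user IE zone settings under the standard registry path (`HKCU\...\Internet Settings\Zones\3` for the Internet zone, value name `1400` for Active Scripting, where 0 = Enable, 1 = Prompt, 3 = Disable). It reports the current setting, sets it to Disable, and verifies the change.

```powershell
# Added example: check and apply the "disable Active Scripting in the Internet zone"
# workaround. Assumptions: per-user IE zone settings live under the standard key
# below; value name 1400 is Active Scripting; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current Active Scripting setting for the Internet zone,
# or $null when the value is absent (IE then applies its built-in default).
function Get-ActiveScriptingState {
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return $null }
    return [int]$props.$ValueName
}

# Writes the Active Scripting setting; only the three documented states are accepted.
function Set-ActiveScriptingState {
    param([ValidateSet(0, 1, 3)][int]$State)
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ValueName -Value $State -Type DWord
}

$before = Get-ActiveScriptingState
if ($null -eq $before) {
    Write-Host 'Active Scripting (Internet zone) before: value not present, IE default applies'
} else {
    Write-Host ('Active Scripting (Internet zone) before: {0} ({1})' -f $before, $Labels[$before])
}

# Apply the workaround (3 = Disable) and confirm it actually took effect.
Set-ActiveScriptingState -State 3

$after = Get-ActiveScriptingState
if ($after -ne 3) { throw "Workaround not applied: value is '$after'" }
Write-Host ('Active Scripting (Internet zone) after:  {0} ({1})' -f $after, $Labels[$after])
```

Two caveats for anyone rolling this out: a machine whose zone settings are enforced by Group Policy keeps the policy's value regardless of what is written here, so the setting has to go through the policy instead; and the script changes only the Internet zone, so sites in the Trusted or Local intranet zones still run script. Re-run it with `-State 0` (or remove the value) once the MS patch is deployed and the workaround is no longer needed.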