Several months ago, a vulnerability was found in Microsoft's fully patched
Internet Explorer. A malicious website can exploit this vulnerability to
execute an arbitrary file on the machine of any user who visits that
website.
On November 22, 2005, we posted a blog entry regarding a proof of concept
(POC) for an IE zero-day. A solution has since been released, and the
description for JS_ONLOADXPLT.A was posted on the same day.
On November 29, 2005, Trend Micro received the first sample of
JS_WINDEXP.A, which uses the zero-day vulnerability.
The JavaScript program lurks on two websites; it downloads files and
executes them. These files are already detected by Trend Micro as
TROJ_DLOADER.AUS and TROJ_DELF.OP.
Current AV detections are still low (and some of the others only have a
generic detection):
FileName : js_windexp.a/windexp-a.htm_
- TrendMicro : JS_WINDEXP.A
- MailTrap : NO_VIRUS
- Symantec : NO_VIRUS
- Kaspersky : Exploit.JS.CVE-2005-1790.a
- McAfee : JS/Exploit-BO.gen
- Sophos : NO_VIRUS
- Panda : Exploit/BodyOnLoad
- Alwil : NO_VIRUS
- GeCAD (RAV): NO_VIRUS
- CAI : NO_VIRUS
- CAV : NO_VIRUS
AV Descriptions:
- Trend Micro : JS_WINDEXP.A
- McAfee : JS/Exploit-BO.gen
Related links for the zero-day exploit:
- Microsoft
- eWeek
Update (Ivan, 02 December 2005 12:35:30)
The group behind afris.biz is now back in business. The site hosted some
particularly hot malware code back in April, when the group uploaded
exploit code targeting MS05-002 (Vulnerability in Cursor and Icon Format
Handling Could Allow Remote Code Execution).
Back then, the malware was along the lines of TROJ_ANICMOO.F, which
downloads TROJ_SMALL.AGP, itself a downloader that fetches another trojan
of the DELF family.
Now, as we can see, the group is acting much earlier, well before any
Microsoft patch for the IE vulnerability has been released. The site is
now hosting JS_WINDEXP.A, which downloads much the same kind of
second-wave downloaders.
AV vendors must speed up their solutions here; the window before the
expected Microsoft patch is still far too long!
Update (Ivan, 02 December 2005 12:57:51)
From ISC (isc.sans.org):
-snip-
1) Be vigilant. Know that a patch will be
forthcoming hopefully within the next 2 weeks and be ready to
deploy quickly.
2) If your organization can operate with one of the workarounds
Microsoft has mentioned in KB911302, then I recommend mitigating
your risk as much as possible. We all have at least one person who
is a little too…uhm…liberal with browsing the Internet on
company time. Think about it, that very person is probably shopping
for Christmas* presents right now on less-than-secure sites.
So... I would suggest doing those workarounds to that computer
first. :-)
-snip-
More at ISC.