
Exploits of MS05-038 in the wild

Date: 08.15.2005

Threat Type: Malicious Website / Malicious Code

Websense Security Labs™ has detected malicious websites that are exploiting the recently reported MS05-038 vulnerability (see the Microsoft security bulletin at http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx).

Successful exploitation of this vulnerability allows the attacker to execute code of their choice on the workstation. At this time, malicious websites have been observed exploiting this vulnerability by downloading and running code on the end user's machine.

The example site we have included below is hosted in Sweden, was up at the time of this alert, and is registered with fraudulent information. The site appears to be posing as a pharmaceutical website, which is becoming more commonplace. The attackers send out millions of spam messages for a variety of miracle medical wonders and direct you to a fraudulent website in order to purchase them. Several of these have been found to be fraudulent sites that capture personal information for the purpose of identity theft and, in this case, also attempt to exploit systems through a new vulnerability within the browser.

The site below had encoded JavaScript at the bottom of the page that attempts to exploit the vulnerable object with CLASSID 4EFE2452-168A-11D1-BC76-00C04FB9453B (devenum.dll) in order to run shellcode on the machine. Users who visit this site without the patched version of Microsoft Internet Explorer will have their browser crash, as the implementation of the shellcode within the site appears to be faulty. However, if the code were written correctly, unprivileged access to the system could occur without user intervention.
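As an added example (not part of the Websense alert), the following Python scanner flags references to the CLSID above in fetched page content, including copies hidden behind common JavaScript string encodings (unescape()-style %XX and %uXXXX, plus \xNN and \uXXXX escapes and HTML entities). The alert says only that the JavaScript was "encoded", so the set of encodings handled is an assumption, and the sample pages are constructed here rather than taken from the site.

```python
"""Scan page content for the MS05-038 CLSID, including copies hidden behind
common JavaScript string encodings. Example code added for this alert; the
encodings handled are an assumption (the alert only says "encoded JavaScript")."""
import html
import re
from urllib.parse import unquote

# CLSID named in the alert: the devenum.dll object the exploit pages instantiate.
MS05_038_CLSID = "4EFE2452-168A-11D1-BC76-00C04FB9453B"

# The CLSID in any case, with or without braces or a "clsid:" prefix.
_CLSID_RE = re.compile(r"(?:clsid:)?\{?" + re.escape(MS05_038_CLSID) + r"\}?",
                       re.IGNORECASE)
_OBJECT_TAG_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
# \xNN, \uNNNN and %uNNNN escapes, decoded the way a JavaScript engine would.
_JS_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%u([0-9a-fA-F]{4})")


def decode_layers(text: str, max_rounds: int = 4) -> str:
    """Peel off HTML entities, %XX, %uXXXX, \\xNN and \\uXXXX encodings,
    repeating until nothing changes (pages often nest several layers)."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        decoded = _JS_ESCAPE_RE.sub(
            lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), decoded)
        decoded = unquote(decoded)
        if decoded == text:
            break
        text = decoded
    return text


def scan_page(page: str) -> dict:
    """Report every occurrence of the MS05-038 CLSID after decoding, noting
    whether it sits inside an <object> tag and how many copies were only
    visible after decoding (a strong sign of deliberate obfuscation)."""
    decoded = decode_layers(page)
    object_spans = [(m.start(), m.end()) for m in _OBJECT_TAG_RE.finditer(decoded)]
    hits = []
    for m in _CLSID_RE.finditer(decoded):
        in_tag = any(s <= m.start() < e for s, e in object_spans)
        lo, hi = max(0, m.start() - 40), min(len(decoded), m.end() + 40)
        hits.append({"kind": "object_tag" if in_tag else "script_string",
                     "context": decoded[lo:hi]})
    visible = len(_CLSID_RE.findall(page))
    return {"hits": hits, "hidden_by_encoding": len(hits) - visible}


def _percent_encode_all(s: str) -> str:
    # Only used to build the constructed sample below (every char as %XX).
    return "".join("%%%02X" % ord(c) for c in s)


# Constructed samples (not taken from the site in the alert).
SAMPLE_BENIGN = "<html><body><p>Buy cheap meds &amp; more</p></body></html>"
SAMPLE_PLAIN = '<object classid="clsid:' + MS05_038_CLSID + '" id="target"></object>'
SAMPLE_ENCODED = ('<html><body><p>pharmacy</p><script>document.write(unescape("'
                  + _percent_encode_all(SAMPLE_PLAIN) + '"));</script></body></html>')

if __name__ == "__main__":
    for name, sample in [("benign", SAMPLE_BENIGN), ("plain", SAMPLE_PLAIN),
                         ("encoded", SAMPLE_ENCODED)]:
        print(name, scan_page(sample))
```

The scanner is a signature check, not a sandbox: it will miss markup built up by string concatenation or arithmetic at run time, so a non-zero `hidden_by_encoding` count is best treated as a trigger for closer inspection of the page, while a clean result is not proof that the page is harmless.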

We expect to see additional exploits of MS05-038 in the near future, as it is very new and allows privileged access to the machine.

Web site screenshot: