Zero-day IE Exploit Update II

Date: 12.07.2005

Threat Type: Malicious Website / Malicious Code

This is a follow-up to alert: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=347, which outlined a new zero-day exploit for Internet Explorer for which no patch is currently available.

Websense® Security Labs™ has started to detect numerous websites that are actively exploiting this vulnerability to execute malicious code. Visiting one of the malicious websites with an unpatched version of Internet Explorer is enough to compromise the user's workstation. The websites discovered so far are using the vulnerability to install potentially unwanted software without the end-user's consent. In the example screenshots below, a fully patched XP workstation visits a malicious website and is immediately infected. The user's desktop background is replaced with a message warning of a spyware infection, and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware.

The malicious code that is installed also connects to a website hosted in the .biz domain and downloads and runs more than 10 additional programs. The same .biz site also hosts more than 10 different files containing exploit code that runs software on a user's machine without consent. To date, we have classified thousands of websites that load this site within an IFRAME and attempt to exploit users via HTA, CHM, and other IE vulnerabilities.
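The pattern described above (a compromised page pulling a third-party .biz host into an IFRAME, plus HTA/CHM files used to run code through IE) can be checked for in captured page bodies. The following is an added example, not Websense code; the sample HTML and hostnames are constructed for illustration.

```python
"""Flag HTML pages matching the exploitation pattern in this alert: an IFRAME
pulling content from a third-party host (the alert names a .biz domain) and
references to HTA/CHM files. Added example; sample input is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_EXTS = (".hta", ".chm")   # file types the alert says are used to run code via IE


class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []   # (src, hidden?)
        self.refs = []      # every src/href value seen on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "href"):
            if a.get(key):
                self.refs.append(a[key])
        if tag == "iframe" and a.get("src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            # 0/1-pixel or CSS-hidden frames are the usual way an injected IFRAME is concealed
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.iframes.append((a["src"], hidden))


def analyze(html, page_host):
    """Return a list of human-readable findings for one page body."""
    p = IframeFinder()
    p.feed(html)
    findings = []
    for src, hidden in p.iframes:
        host = urlparse(src).hostname or page_host   # relative src stays on the same host
        if host != page_host:
            findings.append(("hidden " if hidden else "") + f"cross-site iframe -> {host}")
            if host.endswith(".biz"):                 # mirrors the TLD named in this alert
                findings.append(f"iframe to .biz host: {host}")
    for ref in p.refs:
        path = urlparse(ref).path.lower()
        if path.endswith(SUSPECT_EXTS):
            findings.append(f"reference to {path.rsplit('.', 1)[1].upper()} file: {ref}")
    return findings


# Constructed sample: a legitimate-looking page with an injected 0x0 IFRAME and an HTA link.
SAMPLE = """<html><body>Welcome
<iframe src="http://dropper.example.biz/load.php" width=0 height=0></iframe>
<a href="http://dropper.example.biz/inst.hta">help</a>
<img src="/logo.gif"></body></html>"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE, "compromised.example.com"):
        print(finding)
```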

The infected website appears to have been compromised and is hosted in the United States.

There is currently no patch available. Details are available from the Microsoft Website:

http://www.microsoft.com/technet/security/advisory/911302.mspx

Desktop background changed:

Potentially Unwanted Software Installed and Launched: