
Jul 14

OCW ActiveX Exploit Follows MPEG2TuneRequest’s Lead

11:13 pm (UTC-7) | by Det Caraig (Technical Communications)

Barely a few days after the last Microsoft zero-day exploit and out comes another, this time attacking vulnerabilities in the OS’s Office Web Components Spreadsheet ActiveX control (OCW 10 and OCW 11). As if on cue for the next round of Patch Tuesday releases, the cybercriminals also released their own “updates” with this attack.

“This vulnerability could be used for remote code execution in a ‘browse and get owned’ scenario,” says Microsoft, “but requires user interaction since a user needs to go to a malicious website that hosts the exploit to become infected.” Users need not fear, however, as Microsoft has released an advisory containing further information on this exploit. It also released information on how users can tell if their systems are vulnerable to this attack in a blog post.

Trend Micro Research Manager, Ivan Macalintal, says that the exploit appears to be using script fragmentation—the same tactic used in a previous zero-day mass Web compromise. He adds that the parts of the whole malicious script may not necessarily be malicious per se. However, when combined, the outcome—a full working exploit—can prove disastrous.

Users who visit malicious sites using vulnerable Internet Explorer browsers run the risk of automatically getting infected. The JavaScript detected as JS_SHELLCODE.BH automatically runs on vulnerable browsers unless the ActiveX control is disabled. Once executed, says Trend Micro Threat Analyst, Jessa De La Torre, the script enables the download of TROJ_DLOADER.DOF, which drops a rootkit (TROJ_ROOTKIT.DOF), then downloads the Trojans TROJ_DLOADR.UIG and TROJ_INJECT.AKI. TROJ_DLOADR.UIG downloads roughly a hundred files from a certain URL, posing the risk of infection to a lot more malware.

More at trendmicro - http://blog.trendmicro.com/
