Massive exploitation of the Webview hole
The Internet Storm Center has raised its alarm level to yellow because of the now widespread use of this recently publicized exploit to propagate spyware, rootkits, and key loggers. This is happening not only on dubious sites but also on harmless-seeming sites, where invisible IFrames transform them into malware propagators.
An error in the Windows shell can be used to inject and execute code via the ActiveX control WebViewFolderIcon when a web site is viewed in Internet Explorer. As Microsoft has yet to provide a patch, the only way users can protect themselves is by preventing the execution of the ActiveX control. There are several ways to do that:
- Alternative browsers, such as Firefox and Opera, do not execute any ActiveX controls.
- Internet Explorer can either be set to "high" security, so that it does not execute ActiveX controls, or have ActiveX controls disabled completely.
- "Kill bits" in the Windows Registry prevent the WebViewFolderIcon control from being called in Internet Explorer. Microsoft describes this in its security advisory. The Internet Storm Center provides some small programs that make these settings. Network administrators can take care of this via a group policy. These changes should be reversed before the patch, expected to be released on October 10, is installed.
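The kill-bit setting described in the last list item, as an added PowerShell example (not from the article, the Internet Storm Center's tools, or Microsoft's advisory). A kill bit is the standard Internet Explorer mechanism: the REG_DWORD value "Compatibility Flags" with bit 0x400 set under the control's CLSID key in "ActiveX Compatibility". The CLSID below is the one I believe Microsoft's advisory lists for WebViewFolderIcon and is an assumption to be checked against the advisory before use; the functions set the bit, verify it, and clear it again, since the article says the change should be reversed before the patch is installed.

```powershell
# Added example, not the article's or Microsoft's code: manage the ActiveX
# "kill bit" for the WebViewFolderIcon control.
# Internet Explorer refuses to instantiate a control whose CLSID key under
# "ActiveX Compatibility" carries bit 0x400 in the "Compatibility Flags" DWORD.
# ASSUMPTION: the CLSID is what I believe Microsoft's advisory publishes for
# WebViewFolderIcon; confirm it against the advisory before deploying.
$WebViewFolderIconClsid = '{844F4806-E8A8-11d2-9652-00C04FC30871}'

# Both roots matter on 64-bit Windows: the Wow6432Node root governs 32-bit
# Internet Explorer. On 32-bit Windows the second root does not exist.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBitFlag = 0x400

function Get-CompatibilityFlags {
    # Returns the current "Compatibility Flags" value for a key, or $null if unset.
    param([string]$Key)
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-KillBit {
    # Reports, per existing root, whether the kill bit is set for the CLSID.
    param([string]$Clsid = $WebViewFolderIconClsid)
    foreach ($root in $KillBitRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        $flags = if (Test-Path $key) { Get-CompatibilityFlags -Key $key } else { $null }
        $isSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
        [pscustomobject]@{ Key = $key; KillBitSet = $isSet }
    }
}

function Set-KillBit {
    # Mitigation: create the CLSID key if needed and OR the kill bit into any
    # flags already present, so other compatibility flags are preserved.
    param([string]$Clsid = $WebViewFolderIconClsid)
    foreach ($root in $KillBitRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = Get-CompatibilityFlags -Key $key
        if ($null -eq $existing) { $existing = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBitFlag) -Type DWord
    }
}

function Clear-KillBit {
    # Reversal: clear only the kill bit, leaving any other flags untouched.
    # Run this before installing the patch, as the article advises.
    param([string]$Clsid = $WebViewFolderIconClsid)
    foreach ($root in $KillBitRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $existing = Get-CompatibilityFlags -Key $key
        if ($null -eq $existing) { continue }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -band (-bnot $KillBitFlag)) -Type DWord
    }
}

# Usage (dot-source the file from an elevated PowerShell, then):
#   Set-KillBit     # apply the mitigation
#   Test-KillBit    # verify: KillBitSet should read True for every existing root
#   Clear-KillBit   # revert once the patch is installed
```

The same "Compatibility Flags" value can be distributed to a fleet through a group policy registry setting, which is the route the article suggests for network administrators; the script above is for a single machine or for verifying that a policy actually landed.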
In addition to the problem with Webview, two further zero-day holes, both currently without patches, are being actively exploited: one is in the ActiveX control for DirectAnimation; the other is in PowerPoint. However, according to Lennart Wistrand in his entry in the Microsoft Security Response Center's blog, these holes are not being exploited to nearly such a great extent.