Microsoft confirms critical hole in Webview
In a security advisory, Microsoft has confirmed the security problem reported yesterday pertaining to the ActiveX control WebViewFolderIcon. Specially prepared web sites could inject spyware or key loggers into the Windows systems of users of Internet Explorer.
However, as Microsoft has pointed out, the actual cause of the problem is an error in the Windows shell that is exposed via Webview. The Redmond company is working on a security update currently scheduled for release on the next patchday, October 10th. Until then, users will have to make do with workarounds, such as setting a kill bit (as already recommended by US-CERT) to prevent the control from running in Internet Explorer. As an alternative, the Internet Explorer ActiveX settings can be configured to "Prompt" or "Disable", or the security level for the Internet zone can be set to "high". We recommend referring to the heisec Browsercheck to improve the security of your Internet Explorer configuration. Microsoft's advisory does not mention that using another browser also protects against holes in ActiveX controls.
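The kill-bit workaround can be checked and applied from an elevated PowerShell prompt. The following is an added example, not code from this article or from Microsoft's advisory; the function names are hypothetical and the CLSID is a placeholder to be replaced with the value given in the advisory. It relies on the standard kill-bit mechanism: bit 0x400 in the `Compatibility Flags` value under the `ActiveX Compatibility` key.

```powershell
# Added example. $Clsid is a PLACEHOLDER; use the CLSID from the vendor advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that stops IE from instantiating the control

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    # 64-bit Windows keeps a second copy of the key for 32-bit Internet Explorer.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $prop  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $flags = $prop.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key        = $key
            RawFlags   = $flags
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $missing = Get-KillBitState -Clsid $Clsid | Where-Object { -not $_.KillBitSet }
    foreach ($state in $missing) {
        if (-not $PSCmdlet.ShouldProcess($state.Key, 'Set kill bit (0x400)')) { continue }
        if (-not (Test-Path -LiteralPath $state.Key)) {
            New-Item -Path $state.Key | Out-Null
        }
        # OR the bit in so that any other compatibility flags already present survive.
        $current = if ($null -ne $state.RawFlags) { $state.RawFlags } else { 0 }
        New-ItemProperty -LiteralPath $state.Key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

Get-KillBitState -Clsid $Clsid | Format-Table Key, KillBitSet -AutoSize   # audit only
# Set-KillBit -Clsid $Clsid -WhatIf    # preview the change; drop -WhatIf to apply
```

Checking both registry views matters on 64-bit systems, where a kill bit set in only one view leaves the other Internet Explorer build able to load the control.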
As there are now two critical IE holes -- the DirectAnimation hole remains to be patched -- users of IE truly have to be wary. There is even a Metasploit module for the Webview hole, which can be used to create very flexible exploits that antivirus software has a very hard time finding. We can expect organised criminals to rapidly deploy web sites to exploit this hole.
- Vulnerability in Windows Shell Could Allow Remote Code Execution, Microsoft's security advisory