Second hole in IE also being actively exploited

Microsoft has just released its unscheduled patch to close the VML hole in Internet Explorer, and already there's a major problem with a second still open hole. It is related to a problem in the daxctle.ocx multimedia control for DirectAnimation, first reported two weeks ago. Beyond a proof-of-concept exploit that only functioned on Chinese Windows 2000 computers with certain preconditions, no other code had been publicly sighted capable of exploiting that hole, through which rigged websites could smuggle malware onto visitors' PCs. Secunia, a security service provider, stood alone in its claims of having developed an exploit in its labs capable of infecting completely patched Windows XP SP2 machines.

Sunbelt Software, an American manufacturer of security software, reports that this situation has now changed. As with the VML hole, websites are appearing on the net that can plant and launch the malicious code on Windows XP SP2 computers. Beyond calling up the site, no user interaction is required. Several greeting cards are also making the rounds on the net, in an attempt to lure users into visiting tainted websites, or simply redirecting them there. One page, identified by Sunbelt, redirects users from a porno site into areas of the net in which the VML exploit was also first discovered.

The new exploit uploads a forged version of the file svchost.exe onto the computer. A backdoor (%system%\hehesox.dll) also receives commands from the outside. Until patches are released, the only remedy is either, to completely deactivate ActiveX, or to individually turn off the affected controls. This is handled through what are known as kill bits. The heise Security Browsercheck shows how to set Internet Explorer to run more safely. Microsoft has published an advisory with specifics about the hole.

See also:

• Another zero day on the loose? keyframe (daxctle.ocx) exploit seen in the wild, blog entry from Sunbelt

(trk)