Active exploitation of a cross-zone privilege escalation vulnerability in Internet Explorer has been observed. This vulnerability is exploited to install spyware-like malicious applications on target systems. Web-sites are being actively compromised using the PCT1 overflow vulnerability. Web-browsing users are then compromised when visiting these web-sites which have been modified to serve malicious content.
Microsoft has released an update for Windows which disables the ADODB.Stream functionality within Internet Explorer. This removes one of the attack vectors for this vulnerability. However, additional attack vectors have been uncovered which are not addressed by this update. These attack vectors utilize the Application.Shell functionality within Internet Explorer to the same affect observed previously.
ISS will update this alert when protection becomes available for the Application.Shell vulnerability. ISS is now able to provide a custom protection rule that covers these additional exploitation vectors not addressed by the Microsoft update. ISS technical support can provide all customers with this protection capability. Please contact your support representative.
Business Impact:
Successful exploitation can be leveraged to gain complete control over target systems, and may lead to spyware installation. This can result in exposure of confidential information, loss of productivity, further network compromise, and expenditures of business resources to sanitize compromized systems.
Affected Products:
Internet Explorer 6 with all updates (July 8, 2004).
Description:
X-Force is aware of active exploitation of a cross-zone privilege escalation vulnerability in Internet Explorer via a known vulnerability leveraging the ADODB.Stream() and similar functionality in the browser. Customers who have applied the operating system patch from Microsoft associated with KB 870669 are likely still vulnerable to exploitation,
although the most common exploit vector will have been disabled.
Exploitation is being further facilitated by compromises of web-servers using an overflow in the Microsoft SSL library PCT 1.0 processing detailed in an X-Force advisory in April. Compromised web-servers are modified to serve malicious content via Javascript included in HTTP footers. As such, any request for content from a modified server will
result in exploitation of a vulnerable IE browser.
The IE vulnerability is being actively exploited to install various pieces of spy/malware. X-Force has observed the installation of software that attempts to gather credit card information and credentials for online retailers, logs keystrokes, and redirects requests to popular search engines. Exploit attempts have been observed and are being actively blocked in the wild.
We recomend you read more on the Internet Security Systems website