OWC ActiveX Exploit Follows MPEG2TuneRequest’s Lead

Barely a few days after the last Microsoft zero-day exploit and out comes another, this time attacking vulnerabilities in the OS’s Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC 11). As if on cue for the next round of Patch Tuesday releases, the cybercriminals also released their own “updates” with this attack.
“This vulnerability could be used for remote code execution in a ‘browse and get owned’ scenario,” says Microsoft, “but requires user interaction since a user needs to go to a malicious website that hosts the exploit to become infected.” Users need not fear, however, as Microsoft has released an advisory containing further information on this exploit. It also released information on how users can tell if their systems are vulnerable to this attack in a blog post.
Trend Micro Research Manager, Ivan Macalintal, says that the exploit appears to be using script fragmentation—the same tactic used in a previous zero-day mass Web compromise. He adds that the parts of the whole malicious script may not necessarily be malicious per se. However, when combined, the outcome—a full working exploit—can prove disastrous.
Users who visit malicious sites using vulnerable Internet Explorer browsers run the risk of automatically getting infected. The JavaScript detected as JS_SHELLCODE.BH automatically runs on vulnerable browsers unless the ActiveX control is disabled. Once executed, says Trend Micro Threat Analyst, (continue reading...)