A vulnerability in Microsoft’s XML HTTP request handling can be exploited via an ActiveX control through a Web browser — specifically Internet Explorer — according to IBM’s Internet Security Systems, which claims to have originally identified the flaw. The vulnerability, which is currently being leveraged by spyware producers to install malware on exposed computers, is unpatched and active in the wild, said Gunter Ollmann, Director of X-Force for IBM Internet Security Systems.
“The spyware can be accessed through various means, but most local exploitations [are] being done through Internet Explorer,” he told TechNewsWorld.
What is happening, Ollmann went on to explain, is that PCs are becoming infected when users visit certain Web sites that have been set up precisely for that purpose. Spam messages that employ social engineering techniques are delivering a steady stream of unsuspecting victims to these sites, he said.
ISS is working with Microsoft to disable the Web pages, he added. He declined to provide the sites’ URLs.
Core XML Engines
The vulnerability resides in some of the core XML engines within Microsoft Windows, according to the alert, specifically Microsoft XML Core Services 4.0 when installed on Windows 2000 Service Pack 4, Windows XP Service Pack 2, or Windows Server 2003 — the latter with or without Service Pack 1.
Conceivably, third-party applications, such as a worm, could make use of the vulnerable request object. However, X-Force said it believes the requirements for triggering the vulnerable condition are so specific that it is most likely exploitable only via a Web browser.
“An attacker may host a maliciously crafted HTML document on a Web site and entice the victim to click on a link, which will load the document in their browser,” the ISS states in its alert. “Once the document is loaded, the attacker will be able to execute arbitrary code on the victim’s machine with the permissions of the victim user.”
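Because the alert says the flaw is reached by loading a crafted HTML document that instantiates the MSXML 4.0 XML HTTP ActiveX object in Internet Explorer, a defender's first question is which pages in a proxy cache or web-content feed even ask for that control. The scanner below is an added example written for this article, not code from ISS, Microsoft or TechNewsWorld. It assumes the control is requested from script through the `ActiveXObject` constructor with one of the MSXML XMLHTTP ProgIDs (`Msxml2.XMLHTTP.4.0` for the 4.0 engine the article names; the unversioned ProgIDs are reported at lower severity because legacy AJAX code on benign sites used them), and it also reports `<object classid="clsid:...">` tags for manual triage. The sample pages are constructed, and the CLSID in them is a placeholder. It is a string-matching heuristic: obfuscated script evades it, so it is a triage aid, not a substitute for a patch.

```python
import re
from typing import Dict, List

# ProgIDs under which the MSXML XMLHTTP ActiveX object is instantiated
# from script. Assumption: "Msxml2.XMLHTTP.4.0" maps to the MSXML 4.0
# engine the article names; the unversioned names are reported as
# informational because benign legacy AJAX code used them as a fallback.
HIGH_RISK_PROGID = "msxml2.xmlhttp.4.0"
XMLHTTP_PREFIXES = ("msxml2.xmlhttp", "microsoft.xmlhttp")

# new ActiveXObject("<progid>") or new ActiveXObject('<progid>') in script
_ACTIVEX_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)
# <object classid="clsid:..."> tags; the CLSID is reported for analyst review
_OBJECT_RE = re.compile(
    r"""<object[^>]*classid\s*=\s*["']?clsid:([0-9a-f-]+)""", re.IGNORECASE)


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return a list of findings for one HTML document.

    Each finding is {"kind", "value", "severity"} where severity is
    "high" (asks for the MSXML 4.0 XMLHTTP control), "info" (asks for
    another XMLHTTP ProgID) or "review" (an <object> tag with a CLSID).
    """
    findings: List[Dict[str, str]] = []
    for m in _ACTIVEX_RE.finditer(html):
        progid = m.group(1)
        low = progid.lower()
        if not low.startswith(XMLHTTP_PREFIXES):
            continue  # some other ActiveX object; out of scope here
        severity = "high" if low == HIGH_RISK_PROGID else "info"
        findings.append({"kind": "activex", "value": progid, "severity": severity})
    for m in _OBJECT_RE.finditer(html):
        findings.append({"kind": "object-tag", "value": m.group(1).lower(),
                         "severity": "review"})
    return findings


_RANK = {"none": 0, "info": 1, "review": 2, "high": 3}


def highest_severity(findings: List[Dict[str, str]]) -> str:
    """Collapse a finding list to a single triage label."""
    best = "none"
    for f in findings:
        if _RANK[f["severity"]] > _RANK[best]:
            best = f["severity"]
    return best


# Constructed sample pages (not real sites; CLSID below is a placeholder).
SAMPLE_PAGES = {
    "suspect.html":
        '<html><script>var x = new ActiveXObject("Msxml2.XMLHTTP.4.0");'
        '</script></html>',
    "legacy_ajax.html":
        "<script>var r = window.XMLHttpRequest ? new XMLHttpRequest()"
        " : new ActiveXObject('Microsoft.XMLHTTP');</script>",
    "object_tag.html":
        '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>',
    "modern.html":
        "<script>fetch('/api').then(r => r.json());</script>",
}


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        found = scan_html(html)
        print(f"{name}: {highest_severity(found)} {found}")
```

Run on a proxy cache or a crawl of suspect URLs, the "high" label isolates pages that explicitly request the 4.0 engine for follow-up, while "info" hits are usually ordinary pre-XMLHttpRequest AJAX fallbacks and should not be blocked on their own.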
Spyware Attacks on the Rise
This is the second instance this month in which a spyware manufacturer has tried to distribute a malicious payload, Ollmann noted. “We are finding that there have been a number of commercial organizations set up recently to distribute this type of exploit material and sell it to spyware producers,” he said.
He doesn’t know which firm or firms are behind the activity — he only knows that their malware is “out there in the wild and there is no patch.”