Saturday, September 30, 2006

New ActiveX exploit out...

When SANS-ISC goes YELLOW, I try to pay attention.

They are reporting that the "WebViewFolderIcon" ActiveX setslice control exploit has been found in the "wild" and is spreading.

What does this mean? Well, if you hit certain websites (currently in the .biz) and haven't mitigated your machine, you could "at best" get infected with just a root-kit. At worst, that rootkit could do all kinds of bad mojo on your system--and any resources stored there.

Bad Mojo, kiddos.

No patch from Microsoft yet, but they have some initial info on it.

So what to do?

1) Some AV vendors are already picking up the exploit, but not all yet, at this time. Be sure to check your that your AV files are up to date.

2) SANS-ISC recommends running one of their killbit tools to unregister the control. Good advice from the security professionals at this early stage.

They have kindly prepared two versions, and exe and a command-line version.

I recommend the exe file. Run it and it unregister's the elements. Run it again and it puts them back into service. Do this before installing any future patches Microsoft may release.

3) Stop using Internet Explorer (which utilizes ActiveX) at least until a patch is released. Get Firefox.

4) Be careful not to browse to any .biz sites (but this may spread past that area...so not really helpful advice, I know).

Link to O'Reilly chapter on ActiveX controls and killbits. Interesting background info reading.

Sigh.
--Claus

No comments: