FW: NEWSBANK :: Active Exploitation of CVE-2010-0806

-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Wednesday, March 31, 2010 10:05:18 AM
To: Newsbank
Subject: NEWSBANK :: Active Exploitation of CVE-2010-0806
Auto forwarded by a Rule

Tuesday, March 30, 2010 1:00 PM by mmpc

Active Exploitation of CVE-2010-0806

On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible).  As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers.  We’ve been tracking exploit attempts against this vulnerability since then, working with MSRC to monitor the state of attacks.

When proof-of-concept code became available in public exploit testing tools on March 10 and by March 12, the attack landscape escalated.  Mitigating signatures providing protection for this issue are: Exploit:JS/CVE-2010-0806 and Exploit:JS/Mult.CR.  These signatures protect customers through Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform.

Targets have spanned over 50 countries, but the most frequently targeted computers have been in China and Korea, with the US trailing a distant third place:

Unprotected users are susceptible to infection when they browse to a malicious Web page that attempts to exploit this vulnerability.  If the exploit is successful, a number of malware families may be installed on the victim’s computer.  The majority of malware downloaded after a successful exploit  are trojans.

Some of the variants we have seen are:

Trojan:Win32/Wisp

TrojanDropper:Win32/Lisiu

TrojanDropper:Win32/Agent.gen!I

TrojanDownloader:Win32/Small.gen!AZ

Backdoor:Win32/Agent.FS

TrojanDropper:Win32/Frethog

Like the lifecycle of most vulnerabilities, we expect the threat landscape to mellow with the release and adoption of updates and protection.  We encourage you to apply Microsoft Security Bulletin MS10-018 as soon as possible and install an anti-virus solution, such as Microsoft Security Essentials, to protect yourself from these threats. You can also get free virus-related assistance from Microsoft through Microsoft Help and Support.

-Holly Stewart, MMPC

Filed under: research

 

http://blogs.technet.com/mmpc/archive/2010/03/30/active-exploitation-of-cve-2010-0806.aspx

 

 

Juan Pablo Castro | xSP, Latin America Region Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437