New Out-of-Band Advisory from Microsoft: Proof-of-Concept Exploit Available
Update: On September 30, 2006, Symantec Security Response received reports that the WebViewFolderIcon ActiveX control vulnerability is being actively exploited in the wild.
Shortly following the out-of-band patch for the VML vulnerability earlier this week, Microsoft is releasing yet another out-of-band advisory. The latest advisory, released today (September 29, 2006), addresses an ActiveX vulnerability in Microsoft Windows.
The vulnerability is a buffer overflow in the Microsoft WebViewFolderIcon ActiveX control which, if successfully exploited, allows an attacker to execute arbitrary code on the victim's machine. Failed attempts would likely result in browser crashes. Proof-of-concept exploit code is publicly available.
To carry out an attack, the attacker would need to employ some form of social engineering (such as email, instant messages, or banner ads) to convince potential victims to click on links leading to malicious Web sites that host crafted exploits for the vulnerability. Upon arriving at the malicious site, the victim's browser (Internet Explorer) would process the WebViewFolderIcon object, triggering the vulnerability and allowing the exploit to execute.
Currently, there is no patch available for the WebViewFolderIcon ActiveX control vulnerability. However, according to Microsoft's advisory, the company anticipates having a patch available on October 10, 2006.
In response to this vulnerability, Symantec has released new antivirus (AV) and intrusion prevention (IPS) security updates to proactively protect customers against exploit attempts targeting it. Users are advised to ensure they have the latest security updates installed; this will help mitigate the vulnerability until a patch is available from Microsoft. Additionally, Symantec advises users to avoid clicking on links from unknown or untrusted sources and to disable the execution of script code and active content in Internet Explorer.
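The advice above to disable active content in Internet Explorer can be narrowed to the single affected control: Internet Explorer honours a per-control "kill bit" (the 0x400 flag in `Compatibility Flags` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`), and a control with the kill bit set is never instantiated from a Web page, which closes the drive-by vector described above while leaving other active content alone. The script below is an added PowerShell example, not code from the original post or from Symantec or Microsoft. The CLSID it defaults to is assumed to be the WebViewFolderIcon control's identifier as published in Microsoft's advisory; confirm it against the advisory before deploying, and run the script from an elevated shell.

```powershell
# Added example: set the Internet Explorer kill bit for one ActiveX control so IE
# refuses to load it from any Web page. Default CLSID is an assumption taken from
# Microsoft's advisory for WebViewFolderIcon; verify it before use.
param(
    [string]$Clsid = '{844F4806-E8A8-11d2-9652-00C04FC30871}'
)

$basePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$keyPath  = Join-Path $basePath $Clsid
$killBit  = 0x400   # COMPAT_EVIL_DONT_LOAD: IE must never instantiate this control

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any flags already present on the key and OR in the kill bit.
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $killBit) -Force | Out-Null
}

function Test-KillBit {
    param([string]$Path)
    # Read the value back and check that the kill bit is actually set.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
}

Set-KillBit -Path $keyPath
if (Test-KillBit -Path $keyPath) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Error "Failed to set kill bit for $Clsid"
}
```

The kill bit only affects controls hosted in Internet Explorer (and other hosts that honour the compatibility flags); it does not remove the DLL or stop non-browser uses of the control. On 64-bit Windows the same key also exists under `HKLM\SOFTWARE\Wow6432Node\...` for the 32-bit browser and should be set there as well. Once Microsoft's patch ships, the kill bit can stay in place; a fixed control is normally given a new CLSID.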