Recently, a DeepSight honeypot was compromised by a rogue websitethat served a variety of malicious scripts to users. From the dozens ofWeb sites that we investigate everyday, what makes this case special isthe fact that this is the first detected instance of in-the-wildexploitation of Microsoft Internet Explorer Speech API 4 COM ObjectInstantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly availableexploit released at milw0rm.com. The vulnerability lies in the way twoCOM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) andDirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. Themalicious attacker can instantiate these COM objects via InternetExplorer, and pass overly long arguments to certain routines. In thiscase, the exploit...
