This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects attempts to exploit a vulnerability in Microsoft Internet Explorer which allows an attacker to execute files in known locations on a victim host.
A vulnerability has been reported that may potentially permit HTML documents to gain unauthorized access to local resources by using specific syntax when referencing said resource as a value for the CODEBASE object property. Under certain conditions, this could be exploited to reference executable content on the victim system.
In particular, by pre-pending two backslash characters (\) to the resource path, it may be possible to invoke the resource. This presents a security weakness because various vendor-supplied updates have implemented measures to prevent invocation of certain resources from within an HTML document, even in situations where the HTML document is being interpreted in the context of the Local Zone. The described syntax will reportedly evade any additional security measures provided by said updates.
This works if the resource is invoked from the Local Zone, so other vulnerabilities are required to bypass Zone restrictions and cause malicious content to be executed in the Local Zone. BIDs 9658, 9320, 9105, and 9107 could all theoretically be exploited in combination with this issue, potentially allowing for execution of arbitrary code on the client system, if properly exploited.
Note: This BID initially included a proof-of-concept that was published by Roozbeh Afrasiabi that caused a .CHM file to be referenced from the Internet Zone. Further research has determined that this is a new, distinct vulnerability and BID 10348 has been created to describe this issue.
- Microsoft Internet Explorer 6.0, 6.0 SP1
Upgrade to the latest version of Microsoft Internet Explorer and apply all available patches.