07/14/2009

Web is ready for zero day Office attacks

Metasploit, the number one tool used by script kiddies and scam-network architects alike, has released a module that lets its users exploit the vulnerability as easily as possible.

Several other sites have also released JavaScript or HTML code that exploits it.

Two listings of sites that are actively exploiting the vulnerability have been published on security alerts (see above). You should block these.

You should think about blocking the .cn domain altogether if you are not from China or have no business there.

There are Snort rules with which you can detect this malware traffic on your network.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server,established; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000099; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server,established; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E541-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000101; rev:1;)
http://isc.sans.org
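To check what those two rules actually catch before deploying them, here is an added Python example (not from the post or from ISC) that applies the same pcre logic to constructed HTML fragments. It generalises the two rules into one pattern by capturing the CLSID and looking it up in a table keyed by sid, so the quoting, brace, whitespace, case and line-break variants the pcre tolerates can be exercised offline.

```python
import re

# CLSIDs from the two Snort rules in the post, keyed to the sid and msg they fire.
OWC_CLSIDS = {
    "0002E559-0000-0000-C000-000000000046": ("1000099", "MS 0day Excel ActiveX1 CVE-2009-1136"),
    "0002E541-0000-0000-C000-000000000046": ("1000101", "MS 0day Excel ActiveX2 CVE-2009-1136"),
}

# The rules' pcre option (flags /si), with the literal CLSID replaced by a
# capture group so one pattern serves both rules.
OBJECT_CLSID_RE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*"
    r"(?P<clsid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})",
    re.IGNORECASE | re.DOTALL,
)

def match_owc_rules(html):
    """Return (sid, msg, offset) for each <OBJECT> tag loading one of the two CLSIDs."""
    hits = []
    for m in OBJECT_CLSID_RE.finditer(html):
        clsid = m.group("clsid").upper()
        if clsid in OWC_CLSIDS:  # stands in for the rules' content:"...";nocase; check
            sid, msg = OWC_CLSIDS[clsid]
            hits.append((sid, msg, m.start()))
    return hits

# Constructed HTML fragments (not real captures) covering the syntax variants the
# pcre tolerates: quote style, optional brace, whitespace, case and line breaks.
SAMPLES = {
    "braces_dq": '<html><object classid="clsid:{0002E559-0000-0000-C000-000000000046}" id="x"></object>',
    "nobrace_sq": "<OBJECT id='o' CLASSID = 'clsid : 0002e541-0000-0000-c000-000000000046'></OBJECT>",
    "split_lines": '<object\n  classid="clsid:\n{0002E559-0000-0000-C000-000000000046}"></object>',
    "both": ('<object classid="clsid:{0002E559-0000-0000-C000-000000000046}"></object>'
             '<object classid="clsid:0002E541-0000-0000-C000-000000000046"></object>'),
    # constructed placeholder CLSID: same tag shape, but not on the watch list
    "benign": '<object classid="clsid:{12345678-0000-0000-0000-000000000000}"></object>',
}

def scan_samples():
    """Map each sample name to the list of sids that would fire on it."""
    return {name: [sid for sid, _, _ in match_owc_rules(body)]
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, sids in scan_samples().items():
        print(f"{name:12s} -> {sids or 'no alert'}")
```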

You should also use the automatic Fix it tools from Microsoft as explained beneath, and follow the new information as it flows into the Internet Storm Center.
