The WebViewFolderIcon setSlice vulnerability, which began circulating over the weekend, affects multiple versions of Microsoft Windows. This flaw is being exploited by hackers to plant code on vulnerable systems by targeting a Windows shell vulnerability. The initial report was made on July 18, 2006; however, over the weekend it was discovered that this vulnerability is an exploitable integer overflow allowing for remote code execution. Reports were made of exploit code being released by criminal groups who have used the flaw to start hacking into websites and message boards. These groups appear to be leveraging the Internet Explorer bug to compromise users’ systems and to gain access to systems and personal data.
The eEye Research Team has given this vulnerability a “Critical” rating, as the vulnerability can result in remote code execution in the context of the logged-in user. In order to exploit this, an attacker must create a malicious website or leverage an existing website that allows for custom user content. For technical details on this flaw, please see the eEye Research alert published by the world-renowned eEye Research Team.
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
As a workaround before a patch is released for this vulnerability, you may disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry. Set the killbit on the following CLSID:
Full workaround directions are provided in the following Microsoft Advisory:
To read the full details on this alert, please visit eEye Research Advisory.