Windows Shell Vulnerability Is Being Actively Exploited

H.D. Moore discovered a vulnerability in the Windows Shell that could allow a remote intruder to execute arbitrary code on an affected system. The vulnerability is in the WebViewFolderIcon ActiveX control, and an exploit has been published. The problem is known to affect Microsoft Internet Explorer (IE) 6.0 and Microsoft Windows XP SP2; other platforms might be affected.

Microsoft is aware of the problem and is investigating the matter. The company published an advisory, "Microsoft Security Advisory (926043) Vulnerability in Windows Shell Could Allow Remote Code Execution," and said that Windows Server 2003 (with or without SP1) systems that are using default configurations and with Enhanced Security Configuration turned on aren't affected.

A spokesperson for eEye Digital Security said that the flaw resides in the DSA_SetItem function in comctl.dll library file. The company added that "over the weekend \[of September 2nd\] it was discovered that this vulnerability is an exploitable integer overflow allowing for remote code execution. Reports were made of exploit code being released by criminal groups who have used the flaw to start hacking into websites and message boards. These groups appear to be leveraging \[the vulnerability\] to compromise users' systems and to gain access to systems and personal data."

A module for H.D. Moore's popular penetration testing tool, Metasploit, has been released. eEye said that exploits using the module are taking place in the wild on the Internet.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.