Australia's Leading Computer Emergency Response Team

Active Exploitation of...
Date: 28 July 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9642


Hi all,

In regard to the RealNetworks RealPlayer advisory we published today, we discovered emails containing JavaScript that refers to external websites that actively exploit the vulnerability.

http://www.auscert.org.au/render.html?it=9640

We strongly advise that JavaScript in email readers be disabled. We also recommend setting the kill bit for the following CLSIDs.

CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA
0FDF6D6B-D672-463B-846E-C6FF49109662
224E833B-2CC6-42D9-AE39-90B6A38A4FA2
2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
3B46067C-FD87-49B6-8DDD-12F0D687035F
3B5E0503-DE28-4BE8-919C-76E0E894A3C2
44CCBCEB-BA7E-4C99-A078-9F683832D493
A1A41E11-91DB-4461-95CD-0C02327FD934
CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA

Here is a block of text that you can save as a .REG file and merge with your registry to set the kill bits.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0FDF6D6B-D672-463B-846E-C6FF49109662}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{224E833B-2CC6-42D9-AE39-90B6A38A4FA2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B46067C-FD87-49B6-8DDD-12F0D687035F}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B5E0503-DE28-4BE8-919C-76E0E894A3C2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44CCBCEB-BA7E-4C99-A078-9F683832D493}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A41E11-91DB-4461-95CD-0C02327FD934}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA}]
"Compatibility Flags"=dword:00000400

Regards,

Zane
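
Added example, not part of the original AusCERT post: a PowerShell check that reports whether the kill bit (0x400) is present for each CLSID listed above, and a helper that ORs it into any existing "Compatibility Flags" value instead of overwriting it as the .REG merge does. The function names and the additional Wow6432Node path (the registry view read by 32-bit Internet Explorer on 64-bit Windows) are assumptions not taken from the post.

```powershell
# CLSIDs copied from the advisory above.
$Clsids = @(
    'CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA', '0FDF6D6B-D672-463B-846E-C6FF49109662',
    '224E833B-2CC6-42D9-AE39-90B6A38A4FA2', '2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93',
    '3B46067C-FD87-49B6-8DDD-12F0D687035F', '3B5E0503-DE28-4BE8-919C-76E0E894A3C2',
    '44CCBCEB-BA7E-4C99-A078-9F683832D493', 'A1A41E11-91DB-4461-95CD-0C02327FD934',
    'CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA'
)
$KillBit = 0x400   # same value the .REG file writes to "Compatibility Flags"

# First path is the one used in the .REG file. The second is an assumption added
# here: 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on 32-bit Windows
        foreach ($clsid in $Clsids) {
            $key   = "$root\{$clsid}"
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                Key        = $key
                Flags      = $flags      # $null when the key or value is missing
                # Test the bit, not equality: other compatibility flags may also be set.
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit {   # needs an elevated prompt; preserves any flags already present
    foreach ($s in @(Get-KillBitStatus | Where-Object { -not $_.KillBitSet })) {
        if (-not (Test-Path -LiteralPath $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        $new = [int]$s.Flags -bor $KillBit
        Set-ItemProperty -LiteralPath $s.Key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Read-only report; call Set-KillBit separately to apply the mitigation.
Get-KillBitStatus | Format-Table -AutoSize
```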