Cybercrooks have started exploiting a flaw in the Windows Shell only days after sample attack code for the vulnerability surfaced. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, experts said.
"There are professionals at work using the exploit code," security firm Websense said in an alert. The miscreants taking advantage of the flaw appear to be part of the same group that in December used another Windows flaw to hoist spyware onto PCs, Websense said. That flaw stemmed from the way Windows handled Windows Metafile, or WMF images.
Microsoft warned of the Windows Shell flaw on Thursday. The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said. Windows Shell is the part of the operating system that presents the user interface.
"The fact that they are using the exploit code poses a significant risk" in particular, because these sophisticated attackers are known to attract users to their sites via search engines and e-mail spam campaigns, Websense said.
The CoolWebSearch gang has also adopted the new flaw as a way to compromise systems, said Roger Thompson, chief technology officer at security software maker Exploit Prevention Labs. "It's not the end of the world or anything but it's an interesting escalation," he said.
CoolWebSearch is notorious for installing spyware and other malicious programs onto people's PCs. The group lures people to their sites via links in other search engines as well as by persuading Web masters to adopt their search engine, promising a lot of site visitors.
The Windows Shell flaw was found almost two months ago, but sample attack code became available only recently. Microsoft plans to issue a fix for the problem on Oct. 10, its regularly scheduled patch day, it said in a security advisory on Thursday.
Windows users can protect themselves by following the guidance Microsoft gives in its advisory, switching to a non-Microsoft Web browser, or installing security software such as Exploit Prevention Labs' SocketShield.
Also, a group of security professionals, calling itself the Zeroday Emergency Response Team, or ZERT, is working on a third-party fix that should be available before Microsoft's official patch, Thompson said.
Meanwhile, there are several other security vulnerabilities in Microsoft products waiting to be fixed. Some of these flaws are already being used in cyberattacks, though not as widespread as the Windows Shell flaw or another Windows bug for which Microsoft rushed out a fix on Tuesday, according to security experts.
