Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features that use vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.
From our investigation, Exploit-CVE2009-1136, a new 0-day exploit, was added to the web exploit toolkits that widely released Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, new trojans installed by Exploit-CVE2009-1136 have been detected by Artemis technology, which also allows us to get a global view of the spread of this new threat.
In one of the new trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection for this at this point, but various systems analyzing the threat details soon marked it as malicious.
By now, this sample has spread to many other Internet users in China, and has been queried and blocked by Artemis more than 328 times at more than 145 unique IP addresses (ISP, not end point).
Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.
We will post more information as we receive it.