Thursday, September 07, 2006

MS06-042 is in the wild

Hi folks,

Those 'nice' folks known as the Russian Iframers started using a new exploit tonight: MS06-042. Microsoft issued a patch for this vulnerability in August, and a proof of concept began circulating within a few days of that release. Because it allowed execution of arbitrary code from within Internet Explorer, thus going straight through a firewall, this always looked more dangerous to us than the vulnerabilities covered by the other August patches, and we immediately created a SocketShield signature for it. I guess it took the bad guys two or three weeks to figure out their strategy, but it is now being used.

Of course, just as with WMF and MDAC, this exploit will soon be "borrowed" by other malicious website operators, and it appears to work quite effectively. In our tests, it failed against a fully patched machine, but worked like a charm on a machine that hadn't been patched since June, which makes sense for an August patch exploit.

What this means is that if your patching is up to date, or you are running SocketShield, you're probably safe; if not, be careful. These guys have a habit of installing rootkits, most recently Rustock, which is pretty hard to detect, and even harder to remove.

Please either patch your systems or install SocketShield.
