Within the February 2009 Microsoft Security Bulletins we posted about last week was a vulnerability affecting Internet Explorer 7 (MS09-002). Yesterday you may have seen that the vulnerability assessment page for this one was updated to reflect the fact that we have seen this vulnerability exploited in the wild.
The web page in question contains a malicious script that attempts to exploit MS09-002.
Fortunately, this malicious script is proactively detected as Mal/JSShell-B, as can be seen from the alert generated at the endpoint:
And the in-browser notification that is added:
(For users behind the Sophos web appliance the end result would have been the same – malicious content blocked, and a similar warning message displayed to the user in their browser.)
Curious to see how well our buffer overflow protection (BOPs) would fare against this threat, I intentionally disabled the Mal/JSShell-B detection and attempted to browse the malicious page. The threat was still blocked, BOPs once again illustrating its effectiveness.
What about the payload of the exploit? It attempts to install a Trojan from the same site. This is also proactively detected, as Mal/Behav-116. If executed, the Trojan attempts to install a malicious DLL (winnet.dll) into the system folder. The runtime protection (HIPS) provided by Sophos blocks the Trojan – it triggers a HIPS/ProcMod-005 alert. Additionally, detection for the DLL was added as Mal/SpyAgent-C yesterday.
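A triage check a defender might run on a machine that browsed the page, added here as an example and not part of the original post or of any Sophos product: it looks for the winnet.dll the post names in the Windows system folder, records its hash, signature status and timestamp, and lists any running process that has it loaded. Only the file name comes from the post; the SysWOW64 location, the parameter names and the checks themselves are assumptions of this example.

```powershell
# Added triage example (not from the original post). Looks for the DLL the
# post names in the system folder(s) and reports what is found. Everything
# except the file name winnet.dll is an assumption of this example.
param(
    [string]$DllName   = 'winnet.dll',   # file name taken from the post
    [string[]]$Folders = @("$env:SystemRoot\System32",
                           "$env:SystemRoot\SysWOW64")   # assumed locations (32-bit IE on x64 uses SysWOW64)
)

# 1. Presence, hash, Authenticode status and timestamps for each candidate path.
$results = foreach ($folder in $Folders) {
    $path = Join-Path $folder $DllName
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Present = $false; Sha256 = $null
                           Signed = $null; Signer = $null; LastWriteUtc = $null; SizeBytes = $null }
        continue
    }
    $item = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path         = $path
        Present      = $true
        Sha256       = $hash                      # compare against vendor/IoC feeds
        Signed       = ($sig.Status -eq 'Valid')  # an unsigned DLL in System32 deserves a closer look
        Signer       = $sig.SignerCertificate.Subject
        LastWriteUtc = $item.LastWriteTimeUtc      # correlate with the browsing/alert time
        SizeBytes    = $item.Length
    }
}
$results | Format-Table -AutoSize

# 2. Which processes (if any) currently have the DLL loaded. Processes we cannot
#    open (protected or system processes) are skipped rather than aborting the scan.
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq $DllName }) {
            $p | Select-Object Id, ProcessName
        }
    } catch { }
}
if ($loaded) { "Processes with $DllName loaded:"; $loaded | Format-Table -AutoSize }
else         { "No running process has $DllName loaded." }
```

Run it from an elevated PowerShell session so that module lists of other users' processes are readable; a hit on either check is a reason to isolate the host and hand the file to the endpoint vendor rather than delete it on the spot, since the hash and signer details are what lets the detection be confirmed.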
Though Sophos users were proactively protected from this specific attack, users should not be complacent. Patch relevant systems as soon as possible. Users not using either HIPS or BOPs protection should also set about enabling these additional layers of protection, which have proven themselves time and time again against new attacks [for example 4,5].