Security researcher HD Moore published a module for the Metasploit framework this week that includes exploit code for a previously unknown Windows shell vulnerability.

Microsoft warned users of the issue on Thursday in a security advisory, saying that public report have pinpointed an ActiveX component as the source of the vulnerability, but that component merely exposes the vulnerable Windows shell. The flaw affects every version of the operating system, except for default installations of Windows 2003, the company said.

The zero-day exploit code is the second announcement this week of a serious security issue affecting Microsoft's software. Security firms McAfee and Symantec both warned that a Trojan horse has begun using a previously unknown vulnerability is being used by attackers to compromise systems. Microsoft confirmed in an advisory published Wednesday that the company is investigating the attack. (SecurityFocus is owned by Symantec.)

Zero-day attacks, especially against Microsoft's Office products, have increased in frequency this year. On Tuesday, the company shored up a hole in its Internet Explorer Web browser, following a number of high-profile attacks that attempted to exploit the issue. The increasing trend of zero-day attacks has come at a time when researchers are increasingly taking Microsoft to task for its policies on the airing of flaw details.

Microsoft plans to fix the Windows Shell vulnerability with its regularly monthly patch release on October 10. The software giant is still investigating the PowerPoint vulnerability, it said.




securityfocus.com