The list of things to worry about with the soon-to-be-patched MS08-078 XML data binding vulnerability is getting longer by the minute. The researchers at McAfee’s AVERT Labs report that they have been seeing exploits using Word documents to download and install malicious ActiveX controls on user machines.
Upon opening the word document, the embedded ActiveX control with the following classid is instantiated and executed.
This control stores configuration data for the policy setting Microsoft Scriptlet Component.
The control then makes a request to the Web page hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user, it will just appear as yet another normal .doc file.
Not good news. Most of the other attacks that have been seen against the vulnerability have been of the drive-by download variety. But this puts things in a different light. The emergency patch for the MS08-078 vulnerability is due later today, and this new attack vector makes applying the fix an even higher priority.