
Attackers 'making hay with Windows flaw'

"There are professionals at work... "

Tags: flaw, exploit, microsoft windows

By Joris Evers

Published: 2 October 2006 09:25 BST

Attackers have added another, yet-to-be-patched Windows flaw to their arsenal, experts warned on Saturday.

Cyber crooks have started exploiting a flaw in the Windows Shell only days after sample attack code for the vulnerability surfaced. Websites that exploit the vulnerability are popping up and attempting to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, experts said.

Security company Websense said in an alert: "There are professionals at work using the exploit code." The miscreants taking advantage of the flaw appear to be part of the same group that in December used another Windows flaw to hoist spyware onto PCs, Websense said. That flaw stemmed from the way Windows handled Windows Metafile, or WMF, images.

Microsoft warned of the Windows Shell flaw on Thursday. The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer web browser through a component called WebViewFolderIcon, the company said. Windows Shell is the part of the operating system that presents the user interface.

Websense said the fact that these cyber crooks are using the exploit code poses a particularly significant risk, because these sophisticated attackers are known to attract users to their sites via search engines and email spam campaigns.

The CoolWebSearch gang has also adopted the new flaw as a way to compromise systems, said Roger Thompson, chief technology officer at security software maker Exploit Prevention Labs. "It's not the end of the world or anything but it's an interesting escalation," he said.

CoolWebSearch is notorious for installing spyware and other malicious programs onto people's PCs. The group lures people to its sites via links in other search engines as well as by persuading webmasters to adopt its search engine, promising a lot of site visitors.

The Windows Shell flaw was found almost two months ago but sample attack code became available only recently. Microsoft plans to issue a fix for the problem on 10 October, its regularly scheduled patch day, it said in a security advisory on Thursday.

Windows users can protect themselves by following the guidance Microsoft gives in its advisory, switching to a non-Microsoft web browser, or installing security software such as Exploit Prevention Labs' SocketShield.

Also, a group of security professionals, calling itself the Zeroday Emergency Response Team, or Zert, has released a third-party fix for the flaw.

Meanwhile, there are several other security vulnerabilities in Microsoft products waiting to be fixed. Some of these flaws are already being used in cyber attacks, though not as widely as the Windows Shell flaw or another Windows bug for which Microsoft rushed out a fix on Tuesday, according to security experts.

Joris Evers writes for CNET News.com
