Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of Cold Fusion defacements have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious javascript the defacements leverage to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale, exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that you must reboot systems before they become immune to the exploit once the kill bits are installed in the registry.

Let us know if you have any questions or desire any assistance with the kill bit solution.