Newly found Vulnerabilities 03/15/08:
Websites Compromised Through SQL Injection
We have seen reports of an attack that has compromised a
large number of legitimate websites. The reports indicate that attackers are
modifying the sites and embedding a reference to JavaScript code. Users who
visit one of these infected websites may unknowingly execute malicious code.
This code attempts to exploit known vulnerabilities for which patches are
available but may not have been applied to the victim's system.
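As an added example (not part of the original advisory), the following Python script shows the check a site owner would run against stored page content after an attack like the one described above: it parses each row for script references and flags any that load from a host outside the site's own allow-list. The sample rows, host names and row identifiers are constructed for illustration.

```python
"""Flag externally hosted <script src=...> references in stored page content."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_foreign_scripts(html, allowed_hosts):
    """Return script src values whose host is not in allowed_hosts.

    Relative references (no host component) are same-origin and ignored;
    protocol-relative references such as //host/x.js are checked by host.
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    foreign = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is not None and host.lower() not in allowed:
            foreign.append(src)
    return foreign


def scan_rows(rows, allowed_hosts):
    """Map row id -> foreign script srcs, for rows that contain any."""
    report = {}
    for row_id, html in rows.items():
        hits = find_foreign_scripts(html, allowed_hosts)
        if hits:
            report[row_id] = hits
    return report


# Constructed sample rows in the shape a CMS might store (not real data).
SAMPLE_ROWS = {
    101: '<h1>Welcome</h1><script src="/static/site.js"></script>',
    102: '<p>News</p><script src="//cdn.example.com/lib.js"></script>',
    103: '<p>Contact</p></title><script src=http://injected.example/x.js></script><!--',
}
```

Running `scan_rows(SAMPLE_ROWS, ["www.example.com", "cdn.example.com"])` reports only row 103, whose unquoted, tag-breaking script reference is the typical shape of content injected through a database field.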
The injected code currently exploits the following vulnerabilities:
  Baofeng Storm ActiveX
  Ourgame GLChat ActiveX
  Microsoft Internet Explorer VML (VU#122084)
  Qvod Player ActiveX
  Microsoft RDS.Dataspace ActiveX (VU#234812)
  RealPlayer playlist ActiveX (VU#871673)
  Storm Player ActiveX
  Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
  Xunlei Thunder DapPlayer ActiveX
We encourage users to do the following to help mitigate the risks of this and similar attacks:
  Regularly apply software updates and patches provided by vendors.
  Disable JavaScript and ActiveX.