    OWC ActiveX Exploit Follows MPEG2TuneRequest’s Lead

    Barely a few days after the last Microsoft zero-day exploit, out comes another, this time attacking vulnerabilities in Microsoft's Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC 11). As if on cue for the next round of Patch Tuesday releases, the cybercriminals also released their own “updates” with this attack.

    “This vulnerability could be used for remote code execution in a ‘browse and get owned’ scenario,” says Microsoft, “but requires user interaction since a user needs to go to a malicious website that hosts the exploit to become infected.” Users need not fear, however, as Microsoft has released an advisory containing further information on this exploit. In a blog post, it also released information on how users can tell whether their systems are vulnerable to this attack.

    Trend Micro Research Manager, Ivan Macalintal, says that the exploit appears to be using script fragmentation—the same tactic used in a previous zero-day mass Web compromise. He adds that the parts of the whole malicious script may not necessarily be malicious per se. However, when combined, the outcome—a full working exploit—can prove disastrous.
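
    The fragmentation point above can be seen from the scanning side in the following added example, which is not code from Trend Micro or from the original post. It assumes a simplified model in which fragments reach one client in order and are joined verbatim, and it uses the ProgIDs of the OWC 10/11 Spreadsheet control as a constructed indicator; the class and function names are hypothetical.

```python
import re

# Constructed indicator: script text that names the OWC 10/11 Spreadsheet control.
SIGNATURE = re.compile(r"OWC1[01]\.Spreadsheet", re.IGNORECASE)
MAX_MATCH_LEN = len("OWC10.Spreadsheet")  # every match has exactly this length

# Constructed sample: one benign object-creation line delivered in four pieces.
SAMPLE_FRAGMENTS = ['var s = new ActiveXOb', 'ject("OWC1', '0.Spread', 'sheet");']


def scan_each(fragments):
    """Naive inspection: look at every fragment on its own."""
    return [i for i, frag in enumerate(fragments) if SIGNATURE.search(frag)]


class SessionScanner:
    """Scan one client's fragments as a single stream with bounded memory."""

    def __init__(self):
        self.tail = ""    # last MAX_MATCH_LEN - 1 characters already seen
        self.offset = 0   # total characters consumed so far

    def feed(self, fragment):
        window = self.tail + fragment
        base = self.offset - len(self.tail)  # stream position of window[0]
        hits = [(base + m.start(), m.group(0))
                for m in SIGNATURE.finditer(window)]
        self.offset += len(fragment)
        # The tail is one character shorter than a match, so a hit that was
        # already reported can never be found again in the next window.
        self.tail = window[-(MAX_MATCH_LEN - 1):]
        return hits


def scan_session(fragments):
    """Return (stream offset, matched text) for every hit across fragments."""
    scanner = SessionScanner()
    hits = []
    for frag in fragments:
        hits.extend(scanner.feed(frag))
    return hits


if __name__ == "__main__":
    print("per-fragment hits:", scan_each(SAMPLE_FRAGMENTS))
    print("session hits:", scan_session(SAMPLE_FRAGMENTS))
```

    Scripts that are reordered or encoded before assembly need further normalization ahead of matching; this sketch covers only the in-order, verbatim case.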

    Users who visit malicious sites using vulnerable Internet Explorer browsers run the risk of automatically getting infected. The JavaScript detected as JS_SHELLCODE.BH automatically runs on vulnerable browsers unless the ActiveX control is disabled. Once executed, says Trend Micro Threat Analyst, Jessa De La Torre, the script enables the download of TROJ_DLOADR.DOF, which drops a rootkit (TROJ_ROOTKIT.DOF), then downloads the Trojans TROJ_DLOADR.UIG and TROJ_INJECT.AKI. TROJ_DLOADR.UIG downloads roughly a hundred files from a certain URL, exposing the system to infection by a lot more malware.

    The malware affects common Microsoft applications, most notably Microsoft Office XP Service Pack 3 and Microsoft Office 2003 Service Pack 3.

    To protect users from this threat, Microsoft has come up with a workaround until the next Patch Tuesday releases. The workaround page also contains a link so users can automatically apply the workaround.

    Trend Micro threat analysts received reports of exploits targeting this vulnerability and are currently analyzing the samples. Trend Micro product users need not fret, however, as this threat is already blocked by Smart Protection Network.







     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice