
The daxctle.ocx exploit is the “other” zero day exploit, which to our knowledge hasn’t been seen in the wild. However, Adam Thomas in our security research team has just discovered a website with a modified version of the exploit that downloaded malware to a fully patched XP SP2 machine. The malware site was in a redirect script off of a porn site, in the same area where we discovered the VML exploit.

The exploit downloaded a fake version of svchost.exe, and a DLL was created in %system%hehesox.dll that receives commands from a malware site. The browser did crash, but the malware was successfully installed.

Mitigation: The DirectAnimation Path control can be disabled by setting the kill bit for the following CLSID: {D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}. More information about how to set the kill bit is available in Microsoft Support Document 240797. More at CERT.
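Setting that kill bit with PowerShell, as an added example that is not part of the original post: it writes the Compatibility Flags value (0x400) under the ActiveX Compatibility key documented in KB 240797 for the CLSID above, preserving any flags already present, and then verifies the bit is set. The registry path and the 0x400 value are those from the Microsoft documentation; the script must run from an elevated prompt.

```powershell
# Added example (not from the original post): set the Internet Explorer kill bit
# for the DirectAnimation Path control CLSID named in the post, then verify it.
# Key location and flag value are those documented in Microsoft KB 240797.
$clsid   = '{D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}'
$key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KillBit = 0x400   # Compatibility Flags bit that blocks instantiation in IE

# Create the per-CLSID key if it does not exist yet
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# OR the kill bit into any existing flags rather than overwriting them
$current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -eq $current) { $current = 0 }
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord

# Verify the bit actually landed
$check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
if (($check -band $KillBit) -eq $KillBit) {
    Write-Output ('Kill bit set for {0} (Compatibility Flags = 0x{1:X})' -f $clsid, $check)
} else {
    Write-Error "Kill bit NOT set for $clsid"
}
```

On 64-bit Windows the same value must also be written under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ for the 32-bit browser; the change takes effect for new browser instances.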

This story is developing and research is ongoing. Security professionals can contact Eric Sites for collaboration or further information.


Alex Eckelberry