IE VML Exploit Could Threaten National Security
CYBERSPACE — Hackers delight in attacking the most popular web browser on the planet — and according to reports from technology watchers, they’ve been enjoying a lot of delight lately. The most recent spear in Achilles’ heel has been an as-yet unpatched vulnerability in Microsoft’s Internet Explorer — which seems destined to spread into its email client.
Researchers say that the number and intensity of attacks on IE are increasing and warned Thursday that things will only get worse if the hoodlums turn their attention to people’s Inboxes.
“It might come to nothing,” Roger Thompson, chief technology officer at Exploit Prevention Labs, admitted, “but it feels like a storm’s coming. The potential is there. Call it a storm watch, not a storm warning.”
According to Thompson, two unique exploits were uncovered this week, one associated with WebAttacker, a Russian-manufactured hacker exploit kit. The second was posted to gray-hat vulnerability research site xSec early on Thursday and can remotely launch code without using JavaScript. Neither exploit relies on JavaScript, which many believe makes both of them more dangerous.
Thompson explains that “The xSec exploit doesn’t work as posted. It only crashes the browser. But it looks like it would be easy to turn it into a working exploit.”
Ken Dunham, director of iDefense’s rapid response team, cautions that “The newest exploit works with email.”
His team knows this because it took a fully patched copy of the newest version of Outlook and exposed it to the exploit, which promptly caused the mail reader to crash. With a little tweaking, however, the team was able to get the exploit to execute other code, meaning that clients capable of reading HTML messages using the IE rendering engine are in danger if malicious coders decide to turn their attention from creating infected websites to invading email.
“Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code,” Dunham warns. “You would be attacked immediately, as soon as the preview is rendered,” he assures.
Unlike Thompson, Dunham is convinced that the new exploit is likely to cause major problems down the road. “It’s imminent,” he insists. “I would not be surprised if a small number of emails were already being sent to companies or governments.”
As support for his concerns, Dunham points to the Windows Metafile Format (WMF) vulnerability of December 2005, which took less than 24 hours to aggressively invade the Korean government and U.K. Parliament’s email systems. In Dunham’s opinion, the damage done by the VML vulnerability will surpass that of WMF — and will likely be directed toward corporate, academic, military, and governmental targets since they are the most financially lucrative to overpower. “An attack could even threaten a country’s national security,” he warned ominously.
Thompson echoes the opinions of many when he says that “it would be nice if Microsoft released a patch,” but at this point, there is no suggestion from Microsoft that any patches will be released ahead of its October 12th schedule, which leaves two and a half weeks for hackers to make the minor change necessary to wreak havoc in Outlook and related readers.