Russian Porn Sites First to Exploit VML Vulnerability in IE
CYBERSPACE – According to security software vendor Sunbelt Software, a handful of Russian porn sites are the source of the first known exploit of a vulnerability present in Windows’ handling of Vector Markup Language (VML). Sunbelt posted screencaps detailing the visible behavior of the exploit Monday, and Microsoft acknowledged yesterday that the flaw was being actively targeted by attackers.
The vulnerability, which has received an “extremely critical” rating from security monitoring company Secunia, exists within the Windows component “vgx.dll,” the Microsoft Vector Graphics Rendering library file.
According to Secunia, the boundary error in the vgx.dll file “can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long ‘fill’ method inside a ‘rect’ tag with the Internet Explorer browser.”
Secunia adds in their bulletin that successful exploitation of the vulnerability “allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.”
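The condition Secunia describes, an overly long ‘fill’ method inside a ‘rect’ tag, can be checked for in saved or proxied HTML. The following Python scanner is an added example, not code from Sunbelt, Secunia or Microsoft; the 64-character threshold, the function names and the sample documents are assumptions constructed here.

```python
from html.parser import HTMLParser

# Assumption: legitimate VML fill "method" values are short keywords, so a
# value longer than this is treated as suspicious. Tune for your environment.
MAX_METHOD_LEN = 64


class VmlFillScanner(HTMLParser):
    """Flags overly long <fill method="..."> values nested inside a <rect>."""

    def __init__(self, max_len=MAX_METHOD_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.rect_depth = 0   # > 0 while the parser is inside a rect element
        self.findings = []    # (line, column, method_length)

    @staticmethod
    def _local(tag):
        # VML tags carry a namespace prefix (commonly "v:") that a page may rename.
        return tag.rsplit(":", 1)[-1]

    def handle_starttag(self, tag, attrs):
        name = self._local(tag)
        if name == "rect":
            self.rect_depth += 1
        elif name == "fill" and self.rect_depth:
            method = dict(attrs).get("method") or ""
            if len(method) > self.max_len:
                line, col = self.getpos()
                self.findings.append((line, col, len(method)))

    def handle_endtag(self, tag):
        if self._local(tag) == "rect" and self.rect_depth:
            self.rect_depth -= 1


def scan_vml(html, max_len=MAX_METHOD_LEN):
    scanner = VmlFillScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample documents (not taken from any real exploit page).
BENIGN = '<v:rect style="width:10pt"><v:fill method="linear"/></v:rect>'
SUSPECT = '<v:rect>\n<v:fill method="' + "x" * 300 + '"></v:fill></v:rect>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_vml(doc))
```

The scanner only covers the rect/fill case named in the Secunia bulletin; a hit is a reason to inspect the page, not proof of an exploit.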
In a security advisory published yesterday acknowledging the flaw, Microsoft states that the company is “aware that this vulnerability is being actively exploited.”
“A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility,” the Microsoft advisory states. “Microsoft’s goal is to release the update on Tuesday, October 10.”
The advisory also states that Microsoft may issue the patch prior to October 10, “depending on customer needs.”
For the time being, the primary defense against the exploit is the usual set of common-sense advice given for any number of exploit types: don’t click on email attachments from senders you don’t know and trust, avoid browsing unfamiliar websites, and keep your anti-virus software up-to-date.
One work-around solution, instructions for which have been published on ZDNet.com, is to disable VML rendering until Microsoft issues the official patch, and subsequently restore the rendering once the patch has been installed.
Instructions for disabling VML rendering are available here: http://blogs.zdnet.com/Ou/index.php?p=323
For more information on the vulnerability, visit the following links:
Secunia security advisory: http://secunia.com/advisories/21989/
Microsoft’s advisory: http://www.microsoft.com/technet/security/advisory/925568.mspx
Sunbelt Software blog: http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html