MSIE VML Exploit Spreading

The Internet Storm Center has raised the Infocon level to yellow for the exploit I posted about here, "Vulnerability in Vector Markup Language Could Allow Remote Code Execution". I recommend you update your antivirus software and possibly even unregister the offending DLL, Vgx.dll; instructions are in this post.

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.

Outlook (including Outlook 2003) is – as expected – also vulnerable and the email vector is being reported as exploited in the wild as well.

Weekends are moreover popular moments in time for the bad guys to build their botnets.

Ken Dunham from iDefense says,

We have seen a significant increase in attacks over the last 24 hours and “[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains”. Those domains pointed visitors to a VML exploit. We’re happy to note they join us in recommending “implementing a workaround ASAP” and see the upcoming weekend as a factor in it.

The group known as ZERT (Zero Day Emergency Response Team) has released a patch, saying that Microsoft has to fix its patching cycle, and I agree on that part. Having to wait two weeks for a patch to fix an exploit that is just now taking off is ridiculous. I understand they have to test it and such, but surely they can speed the process up so we can all be safer online.

A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for zero-day malware attacks.

The patch, which was created and tested by a roster of reverse engineering gurus and virus research experts, is available from the ZERT Web site for Windows 2000 SP4, Windows XP (SP1 and SP2), Windows Server 2003 (SP1 and R2 inclusive).

“Something has to be done about Microsoft’s patching cycle. In some ways, it works. But, in other ways, it fails us,” says Joe Stewart, a senior security researcher with SecureWorks, in Atlanta.

I'm not sure about using a third-party patch, and I know I won’t be installing it on any computers for other people. I will stick to keeping the antivirus updated every day and teaching good internet practices.