Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Microsoft released a security advisory yesterday, Microsoft Security Advisory (925568) Vulnerability in Vector Markup Language Could Allow Remote Code Execution. This involves the file Vgx.dll, which implements Vector Markup Language within Microsoft Windows. This vulnerability affects the following software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition

Microsoft Windows Server 2003 x64 Edition

Someone who exploited this vulnerability could take complete control of the system just by getting the user to visit a website or open an attachment in email. It is even possible to use the VML exploit with a banner on a website, which opens up many avenues for attack.

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date. Customers can also visit Windows Live OneCare Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.

Until the patch is released, Microsoft says you can protect your system using the following four methods:

Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

Modify the Access Control List on Vgx.dll to be more restrictive

Impact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.

Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector.

I recommend you update your anti-virus software, or, better yet, tell it to update automatically when you log in to the system, so it checks every day for updates. Microsoft said that if you are a Windows Live OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems. You can visit Windows Live OneCare Safety Center to check for and remove malicious software looking to exploit this vulnerability.

Sunbelt discovered the zero day exploit in the wild.