Posts Tagged ‘VML’

VML Exploit Patched by Microsoft

Microsoft noted on their blog that they might release the patch to fix the VML exploit early, if it met all the tests and requirments, so apparently, it already has. Thanks Sunbeltblog.

A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Check Windows Update to get it.

Added: Just saw this post from a technet blog, “OUT OF BAND” Security Bulletin has been released – Microsoft Security Bulletin MS06-055,

On Tuesday September 26th 2006, the Microsoft Security Response Center (MSRC) released one (1) new Security Bulletin. This Security Bulletin Release is in addition to our regularly scheduled monthly security bulletin release for September 2006. A release of this type is often referred to as ?Out of Band?.

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

And this post from the Microsoft Security Response Center Blog,

Hey everyone, Craig Gehre here. We’re in the process of releasing out of band update MS06-055 to address the VML issue. At the moment, Windows Update, Microsoft Update, and Autoupdate are live. We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly. Until that time the links might not work in the bulletin until the packages appear on the download center. The for SMS and MBSA 2.0 users is also in process and will be published soon. We?ll provide a follow-on blog post shortly once we get everything up.

We’re also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well.

Anyway, finally, I know they want to test this stuff thoroughly, but sometimes you just gotta rush stuff, especially when you have unsuspecting users on the line.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 26, 2006 at 5:29 pm

Categories: Internet Explorer, Microsoft News, Security, Windows XP   Tags: ,

IE7 Immune to VML Exploit

In testing on a couple different blogs, IE7 has proven to be immune to the vml exploit currently making the rounds. Ed Bott says Vista passes one security test,

Now, it’s important to note that the developers of IE7 clearly had no idea that this vulnerability existed in IE6. But their development process managed to block this particular exploit right out of the box, and the additional layers of security provided important clues that this page was potentially dangerous.

Sandi Hardmeier at Spyware Sucks says Important – IE VML Vulnerability – IE7 is immune and as a matter of fact says it has been immune to almost all the other vulnerabilities that have come out since its realease.

And the IE team says, “…With the exception of a very short list of issues we’re aware of and working on, we think the product is done…. Depending on your feedback, we may post another release candidate. We?re still on track to ship the final IE7 release in the 4th calendar quarter.”

Sounds like this may be as good of a time as any to read the release notes and upgrade to IE7, but be warned, there are still some software issues with other programs.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - at 2:08 am

Categories: IE7, Internet Explorer, Security, Virus Info   Tags: , ,

MSIE VML Exploit Spreading

The Internet Storm center,, has raised the Infocon level to yellow for the exploit I posted about here, Vulnerability in Vector Markup Language Could Allow Remote Code Execution. I recommend you update your anti virus software and possible even unregister the offending dll, Vgx.dll, instructions are in this post.

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.

Outlook (including outlook 2003) is – as expected – also vulnerable and the email vector is being reported as exploited in the wild as well.

Weekends are moreover popular moments in time for the bad guys to build their botnets.

Ken Dunham from iDefense says,

We have seen a significant increase in attacks over the last 24 hours and “[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains”. Those domains pointed visitors to a VML exploit. We’re happy to note they join us in recommending “implementing a workaround ASAP” and see the upcoming weekend as a factor in it.

The group, known as ZERT (Zero Day Emergency Response Team) has released a patch saying that Microsoft has to fix its patching cycle, and I agree on that part, having to wait two weeks for a patch to fix an exploit that is just now taking off is ridiculous, I understand they have to test it and such, but surely they can speed the process up so we can all be safer online.

A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for zero-day malware attacks.

The patch, which was created and tested by a roster of reverse engineering gurus and virus research experts, is available from the ZERT Web site for Windows 2000 SP4, Windows XP (SP1 and SP2), Windows Server 2003 (SP1 and R2 inclusive).

“Something has to be done about Microsoft’s patching cycle. In some ways, it works. But, in other ways, it fails us,” says Joe Stewart, a senior security researcher with SecureWorks, in Atlanta. Source:

Not sure about using a third party patch, and I know I won’t be installing it on any computers for other people, I will stick to keeping the anti virus updated everyday and teaching good internet practices.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 22, 2006 at 6:17 pm

Categories: Internet Explorer, Microsoft News, Security   Tags: ,

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Microsoft released a security advisory yesterday, Microsoft Security Advisory (925568) Vulnerability in Vector Markup Language Could Allow Remote Code Execution. This involves the file Vgx.dll, which implements Vector Markup Language within Microsoft Windows. This vulnerability affects the following software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition

Microsoft Windows Server 2003 x64 Edition

Someone who exploited this vulnerability could take complete control of the system just by getting the user to visit a website or open an attachment in email. It is even possible to use the vml exploit with a banner on a website, which opens up many avenues for attack.

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft?s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date. Customers can also visit Windows Live OneCare Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that take advantage of this vulnerability. We will continue to investigate these public reports.

Until the patch is released, Microsoft says you can protect your system using the following four methods:

Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

Modify the Access Control List on Vgx.dll to be more restrictive

Impact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.

Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector.

I recommend you update your anti-virus software, or, better yet, tell it to update automatically when you login to the system, so it checks everyday for updates. Microsoft said users of Windows Live OneCare and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems. You can visit Windows Live OneCare Safety Center to check for and remove malicious software looking to exploit this vulnerability.

Sunbelt discovered the zero day exploit in the wild.

1 comment - What do you think?  Posted by Jimmy Daniels - September 20, 2006 at 3:52 pm

Categories: Internet Explorer, Malware, Microsoft News, Security   Tags: ,