0day - VML flaw in Internet Explorer
Another previously unknown or unreleased flaw is being exploited "in the wild" in Internet Explorer.
This new exploit, which takes advantage of a previously unknown flaw in IE, has been spotted actively installing malware in an effort to build a botnet on the Internet. The vulnerability it uses is unpatched (Microsoft didn't know about the flaw until now), but there is a workaround that can mitigate the problem (see below).
The timing of this exploit was done well. Microsoft's monthly "Patch Tuesday" was just two weeks ago, so the company will need to respond quickly to this newfound issue. Hopefully MS will release a fix soon, which we will deploy as soon as we have tested it.
Here is one of the articles that outlines the information succinctly.
The fun-loving folks @ Sunbelt are credited with this discovery and should be commended for their continued work to protect the Internet community at large.
==
Clarification information:
- IE is, Internet Explorer.
- Malware is the general category of malicious software like viruses, spyware, trojan horse programs, keystroke loggers, etc.
- Botnets are a fairly new construct – they are usually the result of a coordinated installation of a certain type of malware designed in such a way as to allow central control of many computers. After compiling the control of these computers, hackers can use them to perform coordinated attacks against other systems, gather and amalgamate information on large numbers of people (for identity fraud, etc.) – these systems are increasingly being used by organized crime. The client computers that have this software installed are called "bots" since control of their operation has been seized by the hacker. The "net" part is the fact that they are operating as a distributed network of computing resources – thus, botnet. Hackers that are creating botnets are often referred to as "bot herders" (as in herding sheep).
- Vulnerabilities are bugs in software that are considered security exposures which can be used to compromise a computer's integrity, confidentiality, or availability.
- An Exploit is an attack software program that takes advantage of a software vulnerability. Exploits are usually used as a delivery mechanism for executing a malicious payload (often spyware, rootkits, keyloggers, etc.).
- A 0day (pronounced Zero-Day) exploit is a type of exploit that is taking advantage of an unfixed and/or unknown software vulnerability.
Based on news as of last Thursday and Friday, an increasing number of sites are being logged as taking advantage of this flaw to install a variety of spyware. You need to protect your computer ASAP, before Microsoft releases their patch for this VML flaw (likely to be released "out of cycle" or "out of band" based on customer demand).
The fix for your home PC system is to run a command on your computer to deactivate the affected component of Windows. Here is the command to run:
regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
If you are an admin who wishes to push this out to all the PCs on your network, I suggest using a startup script and running this command in "silent mode" (the /s switch suppresses the confirmation dialog) from within a BAT or CMD file – e.g.
regsvr32 /u /s "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
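As an added example (not from the original post, and not a Microsoft-supplied script), here is one way to write that startup script so it runs unattended, records whether regsvr32 actually succeeded on each machine, and can re-register the component once the patched vgx.dll is deployed. The log share path \\fileserver\logs$ is a placeholder; replace it with one your workstations can write to.

```batch
@echo off
rem Added example, not part of the original post: apply or revert the
rem vgx.dll workaround from a startup script and log the outcome.
rem Usage:  vml-workaround.cmd disable   (before Microsoft's patch)
rem         vml-workaround.cmd enable    (after the patched vgx.dll is installed)
rem Assumption: \\fileserver\logs$ is a hypothetical share; change it.

setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
set "LOG=\\fileserver\logs$\vml-workaround.log"
set "MODE=%~1"
if "%MODE%"=="" set "MODE=disable"

rem Nothing to do on machines that never had the VML component installed.
if not exist "%VGX%" (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% vgx.dll not present, skipped
    exit /b 0
)

if /i "%MODE%"=="disable" (
    rem /u unregisters the VML COM server so IE can no longer load it;
    rem /s suppresses the dialog box, which would otherwise hang a startup script.
    regsvr32 /u /s "%VGX%"
) else if /i "%MODE%"=="enable" (
    rem Re-register the (now patched) component so VML content renders again.
    regsvr32 /s "%VGX%"
) else (
    echo unknown mode "%MODE%", expected disable or enable
    exit /b 2
)

rem regsvr32 returns a non-zero exit code when (un)registration fails,
rem e.g. when the script is not running with administrative rights.
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% regsvr32 %MODE% FAILED rc=%ERRORLEVEL%
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% regsvr32 %MODE% ok
exit /b 0
```

The redirection is placed before each echo so that a numeric exit code at the end of the line is not mistaken by cmd.exe for a file-handle number. Run the script as a machine startup script (it needs administrative rights to change COM registration), and audit the log for FAILED entries rather than assuming every PC applied the workaround.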
Please take this action to protect your machine (and the rest of the Internet community for that matter) between now and the time that the software fix is released from Microsoft (slated for Oct. 10th so far, although a fix might be expedited given the public pressure on this one).
- The hack has been "packaged" and is now for sale for $20 in a specific hacker community – even offering technical support service for the exploit (ugly).
- The latest discovery of this 0day is installing over 50 kinds of malware (based on Sunbelt’s report) onto victim machines.
- The fix above basically disables the affected sub-component of IE and Microsoft Office (not JavaScript this time as I had previously feared) known as Vector Markup Language (VML for short). VML is used to generate geometric shapes (often 3D) inside of a web browser – a very popular example of a VML implementation is Google Maps, and sometimes banner ads.
- By disabling this buggy component temporarily, you prevent the exploit from functioning. You should not experience much, if any, impact to your browsing experience unless all you do all day is surf Google maps or 3D rendering sites.
After running the commands above, do a reboot to ensure it has taken effect.
I’ll update the post once MS has posted the fix.
_____________________________________________________________
KevFrey
kevfrey@gmail.com