Microsoft advisory published on VML zero day exploit
Microsoft Security Advisory 925568:
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Published: September 19, 2006 | Updated: September 23, 2006
Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.
A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In an e-mail-based attack using this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead, users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.
• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default in the Internet zone.
One workaround:
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Note: The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround; however, the recommendation is to restart the system.
To un-register Vgx.dll, follow these steps:
• Click Start, click Run, type
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
and then click OK.
• A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.
To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with
regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Full Microsoft advisory is here.
Another recommended workaround for VML buffer overflow vulnerability
Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.
You can help protect against this vulnerability by changing your settings to disable binary and script behaviors in the Internet and Local intranet security zone. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.
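Both workarounds above (un-registering Vgx.dll, and disabling Binary and Script Behaviors in the Internet and Local intranet zones) leave a checkable footprint on the machine. The following audit script is added here as an example and is not part of Microsoft's advisory; it assumes a Windows host with PowerShell, and relies on the standard IE zone registry layout (zone 1 = Local intranet, zone 3 = Internet, URLACTION value name "2000" for Binary and Script Behaviors). It reports whether each workaround is in effect; it does not change anything.

```powershell
# Added audit script (not from the advisory): reports whether the two VML
# workarounds are in effect on the local machine. Assumes Windows + PowerShell.

$vgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

# Workaround 1: is vgx.dll still registered as a COM in-process server?
# Search CLSIDs whose InprocServer32 points at vgx.dll instead of hard-coding a CLSID.
function Test-VgxRegistered {
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll$') { $_.PSChildName }
        }
    return [bool]$hits
}

# Workaround 2: "Binary and Script Behaviors" is URLACTION 0x2000. The per-zone
# DWORD named "2000" holds 0 = Enable, 1 = Prompt, 3 = Disable. A missing value
# means the zone's built-in default applies (Enable in Internet/Intranet by default).
function Get-BehaviorSetting([int]$Zone) {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $val = (Get-ItemProperty -Path $key -Name '2000' -ErrorAction SilentlyContinue).'2000'
    switch ($val) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { 'Not set (zone default)' }
    }
}

Write-Host "vgx.dll present:         $(Test-Path $vgxPath)"
Write-Host "vgx.dll COM-registered:  $(Test-VgxRegistered)   (workaround 1 wants False)"
Write-Host "Internet zone (3):       $(Get-BehaviorSetting 3)   (workaround 2 wants Disable)"
Write-Host "Local intranet zone (1): $(Get-BehaviorSetting 1)   (workaround 2 wants Disable)"

# Applying or undoing workaround 1 is the advisory's own regsvr32 command, run from
# an elevated prompt:   regsvr32 -u "$vgxPath"   /   regsvr32 "$vgxPath"
```

The CLSID scan walks every registered class, so it takes a few seconds; the zone check reads only the current user's settings, so run it as the user whose Internet Explorer configuration you want to verify.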
Customers are encouraged to keep their anti-virus software up to date. Customers can also visit Windows Live OneCare Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.
If you are a Windows Live OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.
You should also turn off the preview pane in Outlook (Express), if you use it for e-mail. Simply previewing an e-mail that exploits the VML buffer overflow will cause your computer to become infected. Also, switch to reading incoming e-mail as plain text until this is patched by Microsoft.
Wiz's note to our readers:
You are also urged to protect your computers with up-to-date anti-virus and anti-spyware programs and to scan for malware on a daily or nightly basis. This may sound like paranoia, but in this case they really are out to get you! See the links in the right sidebar or Google ads if you need anti-malware protection. Also, install a firewall on all of your computers to prevent acquired threats from phoning home, or to block incoming attempts to exploit your computer's Internet connection.