Security Advisory
09/22/06
Today we received a notification from the Multi-State Sharing and Analysis Center (MS-ISAC) about a new, highly exploitable vulnerability in fully patched Microsoft systems and Microsoft software. Please see the information below for details and active recommendations.
SUBJECT:
Public Exploitation of Unpatched VML Vulnerability Affecting Microsoft Internet Explorer and Microsoft Outlook
OVERVIEW:
Several exploit programs have been made public for a vulnerability in Microsoft Windows that affects even fully patched systems. There are publicly available exploits affecting both Microsoft Internet Explorer and Microsoft Outlook. These exploits could allow a remote attacker to execute arbitrary programs on the system with the current user's privileges. Currently we have confirmed reports of widespread use of these exploits in the wild in the past 24 hours.
This flaw can be exploited either by visiting specific malicious web sites with Microsoft Internet Explorer or by viewing malicious email messages in Outlook in HTML format.
Microsoft has confirmed this vulnerability but currently does not plan to release a patch to fix this issue until October.
SYSTEMS AFFECTED:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition
Microsoft Windows Server 2003 x64 Edition
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
An unpatched vulnerability exists in the Microsoft Windows implementation of Vector Markup Language (VML). This vulnerability exists due to insufficient bounds-checking when handling stack data in the 'vgx.dll' library. There are publicly available exploits affecting both Microsoft Internet Explorer and Microsoft Outlook which take advantage of this vulnerability. These exploits could allow a remote attacker to execute arbitrary programs on the system in the context of the current user. Currently we are seeing widespread use of these exploits.
This flaw can be exploited by visiting specific malicious web sites with Internet Explorer or by viewing malicious HTML email messages in Outlook.
Microsoft has confirmed this vulnerability but currently does not plan to release a patch to fix this issue until October. Microsoft has suggested several workarounds for this vulnerability which can be found here:
http://www.microsoft.com/technet/security/advisory/925568.mspx
A third-party patch has been released for this vulnerability. Please note that this patch is untested and is not supported by Microsoft. We do not recommend implementing this patch at this time. Additional details about the third-party patch can be found here:
RECOMMENDATIONS:
We recommend the following actions be taken:
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/925568.mspx
Security Focus:
http://www.securityfocus.com/bid/20096
Websense:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=80
Immunity - SALVO - VML exploits for Outlook and Internet Explorer:
https://www.immunityinc.com/partners-index.shtml
Symantec:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091914-1801-99
SecuriTeam:
http://blogs.securiteam.com/index.php/archives/624
SANS:
http://isc.sans.org/diary.php?storyid=1727
RI Enterprise Information Security Office
Please see all DOIT InfoSec advisories at the http://www.doit.ri.gov/security/advisories web site.