MS Internet Explorer 5.0 and higher, and Outlook, support (and
apparently mishandle) VML tags (Vector Markup Language), and
apparently are now the subject of arbitrary code execution
vulnerabilities which are being actively exploited.
---------------------------
Microsoft Security Advisory (925568)
Vulnerability in Vector Markup Language Could Allow Remote Code
Execution
Published: September 19, 2006 | Updated: September 21, 2006
Microsoft has confirmed new public reports of a vulnerability
in the Microsoft Windows implementation of Vector Markup
Language (VML). Microsoft is also aware of the public release of
detailed exploit code that could be used to exploit this
vulnerability. Based on our investigation, this exploit code
could allow an attacker to execute arbitrary code on the user's
system. Microsoft is aware that this vulnerability is being
actively exploited.
A security update to address this vulnerability is now being
finalized through testing to ensure quality and application
compatibility. Microsoft's goal is to release the update on
Tuesday, October 10, 2006, or sooner depending on customer
needs.
[snip]
---------------------------
The following is InfoCon's advisory:
---------------------------
http://isc.sans.org/diary.php?storyid=1727
Yellow
The VML exploit is now becoming more widespread, so we changed
the InfoCon level to yellow to emphasize the need to consider
fixes.
If you have not taken measures yet, please consider some
emergency fixes to cover the weekend (especially for those
laptops surfing the web from home; they might be at high risk).
The exploit is widely known, easy to recreate, and used in more
and more mainstream websites. The risk of getting hit is
increasing significantly.
Outlook (including Outlook 2003) is - as expected - also
vulnerable and the email vector is being reported as exploited
in the wild as well.
Weekends are moreover popular moments in time for the bad guys
to build their botnets.
Actions
We suggest the following actions (do them all: a layered approach
will work when one of the measures fails):
* Update your antivirus software, make sure your vendor has
protection for it.
* Unregister the vulnerable dll:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
  or
    regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
* Consider asking your users to stop their usage of MSIE, we
know it's hard to break an addiction, but you're using the most
targeted browser in the world.
Reregistering a DLL is done with the same command as
unregistration, but without the "-u".
---------------------------
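For applying the unregister step above on several machines (for example from a logon or management script), a batch file along these lines can be used. It is an added example, not part of the Microsoft or ISC advisories; the file name vgx-toggle.cmd, the "restore" argument and the extra check of the (x86) Common Files tree on 64-bit Windows are assumptions of this example.

```batch
@echo off
rem Added example: unregister vgx.dll, or re-register it with "restore".
rem   vgx-toggle.cmd           unregister (the workaround)
rem   vgx-toggle.cmd restore   re-register (after the update is installed)
rem Must run with administrator rights, otherwise regsvr32 fails.
setlocal
set "ACTION=/u"
if /i "%~1"=="restore" set "ACTION="
set "FOUND=0"
set "FAILED=0"

call :toggle "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
rem Assumption: 64-bit Windows keeps a second, 32-bit copy in the (x86) tree.
if defined CommonProgramFiles(x86) call :toggle "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

if "%FOUND%"=="0" echo vgx.dll not found under Common Files, nothing done.
rem Exit code 1 if any regsvr32 call failed, so a deployment tool can flag it.
endlocal & exit /b %FAILED%

:toggle
if not exist "%~1" goto :eof
set "FOUND=1"
rem /s suppresses the regsvr32 message box; exit code 0 means success.
regsvr32 /s %ACTION% "%~1"
if errorlevel 1 (
    echo FAILED: regsvr32 %ACTION% "%~1"
    set "FAILED=1"
) else (
    echo OK: regsvr32 %ACTION% "%~1"
)
goto :eof
```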