Yellow: MSIE VML exploit spreading

Published: 2006-09-25
Last Updated: 2006-09-25 00:49:40 UTC
by Swa Frantzen (Version: 9)


We've refreshed this article as a reminder for those of you checking in on Monday morning. On Friday the 22nd (for some of our readers, past their working day), we raised our InfoCon to Yellow for 24 hours in order to increase awareness of the problem and call for action. We went back to Green, as intended, after 24 hours.

New versions of exploits continue to be released publicly. We also still get new sites detecting exploits and reporting this to us. There is still reason to act if you haven't done so yet. This exploit is one that's going to stay with us, so you do need protection. Waiting will not make the problem go away.

Reason for Yellow

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used on more and more mainstream websites. The risk of getting hit is increasing significantly.

Outlook (including Outlook 2003) is, as expected, also vulnerable, and the email vector is being reported as exploited in the wild as well.

Moreover, weekends are a popular time for the bad guys to build their botnets.


We suggest the following actions (do them all: a layered approach will work when one of the measures fails):
  • Update your antivirus software, and make sure your vendor has protection for it (*).
  • Unregister the vulnerable DLL (**):

        regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
        regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then reboot the machine to make sure all in-memory copies are gone as well.
  • Consider asking your users to stop using MSIE. We know it's hard to break an addiction, but you're using the most targeted browser in the world.

Reregistering a DLL (which you might want to do after an official patch is released) is done with the same command as unregistration, but without the "/u".


Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.


(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.
(**): There are a few rare reports of relatively uncommon applications that break when this DLL is disabled, so check your mission-critical applications before disabling it. Since VML never made it as a standard, it is not widely used at all. Using it means the web site does not work properly in other browsers.

Swa Frantzen -- Section66
Keywords: 0day msie vml yellow

Netcraft Report - HostGator servers exploited via cPanel, allowing redirection & VML exploitation

Published: 2006-09-23
Last Updated: 2006-09-23 23:05:27 UTC
by Patrick Nolan (Version: 1)
Netcraft's Rich Miller is reporting on VML-related exploitation; details are at "HostGator: cPanel Security Hole Exploited in Mass Hack". The article also contains links to their earlier coverage.

"By early Saturday morning, HostGator managers were assuring users that the cause of the redirections had been isolated, and was due to a new exploit targeting cPanel."

The article details and references a fix that is at the cPanel site.

MSN-Worms exploit MS pif filter vulnerability

Published: 2006-09-23
Last Updated: 2006-09-23 23:03:34 UTC
by Patrick Nolan (Version: 1)
Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms (see Do you like photos?) that "spread using links to .PIF files". They go on to say:

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.".
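
The case-sensitivity flaw quoted above, as an added example (not code from Kaspersky, Microsoft or this diary): a case-sensitive substring match, assumed here as a stand-in for the flawed block, beside a filter that canonicalizes each link's extension before comparing. The function names, sample messages and the example.test domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

BLOCKED_EXTENSIONS = {".pif"}  # the extension named in the diary entry
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def naive_filter_blocks(message: str) -> bool:
    """Case-sensitive substring match (assumed model of the flawed block)."""
    return ".pif" in message

def link_extension(url: str) -> str:
    """Return the canonical (decoded, case-folded) extension of a URL path."""
    url = url.rstrip(".,;:!?)'\"")           # drop sentence punctuation
    path = unquote(urlsplit(url).path)        # ignore host, query, fragment
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].casefold() if dot != -1 else ""

def hardened_filter_blocks(message: str) -> bool:
    """Block when any link's canonical extension is on the block list."""
    return any(link_extension(u) in BLOCKED_EXTENSIONS
               for u in URL_RE.findall(message))

# Constructed sample messages; example.test is a reserved placeholder domain.
SAMPLES = [
    "look at my photos http://example.test/photos.pif",
    "look at my photos http://example.test/photos.PIF",
    "look at my photos http://example.test/photos.Pif",
    "look at my photos http://example.test/photos.pIf",
    "holiday pictures http://example.test/album.jpg",
]

def compare(samples=SAMPLES):
    """Return (message, naive_verdict, hardened_verdict) per sample."""
    return [(m, naive_filter_blocks(m), hardened_filter_blocks(m))
            for m in samples]

if __name__ == "__main__":
    for msg, naive, hardened in compare():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {msg}")
```

The naive check blocks only the all-lowercase link, while the canonicalizing check blocks every case variant and still lets the .jpg link through.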

While you're there also check out their excellent Kaspersky Security Bulletin, January - June 2006: Malware Evolution released 09/22.

Thanks for the heads up Kaspersky!

And readers please remember (sticking tongue firmly in cheek) Microsoft says "Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software. While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor. Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third party security updates or mitigations."

Mailbag Q&A concerning MS Desktop Search add-on vulnerabilities

Published: 2006-09-23
Last Updated: 2006-09-23 22:58:44 UTC
by Patrick Nolan (Version: 1)
We received an inquiry from Ricardo Calina, who asked if FolderShare (Diary item here) was "used on the new MSN Live Messenger?". After an inquiry to Microsoft about this and related questions (where else may it be, is it enabled by default anywhere?), we received an answer that said "The one in MSN Messenger is different." and "FolderShare is not installed by default in any systems."

Thanks for the question Ricardo, and MS, thanks for the answer!