Exploits old and new for holes in Windows
According to reports in the US media, security service provider Immunity says it has developed an exploit that takes complete control of a Windows PC through a hole in the VML parser used by versions 6 and 7 of Internet Explorer; the hole was made public last Patch Tuesday. All the user needs to do to allow this is visit a malicious website.
However, Immunity is only offering its exploit to customers who take part in its fee-based partner program, where they use it to build signatures for intrusion detection systems and tools for penetration tests. At present, the exploit reportedly only works on Internet Explorer 6, though a version for IE 7 is being worked on.
But Immunity's exploit is not the first one for the VML hole. In a Security Bulletin, Microsoft writes that the hole was already being exploited before the patch was released, though the firm does not say by whom and how frequently. Users are advised to install the patch as quickly as possible.
In addition, an exploit for a problem made public in August of 2006 in the version of Windows Explorer used in Windows XP has popped up again: prepared WMF images can cause the program to crash. According to analyses, the crash is caused by a call of the function CreateBrushIndirect with a corrupted LOGBRUSH structure, causing a pointer to refer to memory that has not been initialized. Windows Explorer then crashes. All the viewer needs to do is preview a WMF image, for instance by opening the folder containing the prepared WMF image.
Although neither the hole nor the exploit is new, they are once again both drawing great attention because Bugtraq has taken them up again in its flaw database. Fortunately, no malicious code can be executed because the hole does not allow code to be injected into memory. In other words, the vulnerability can only be exploited for DoS attacks. No patch has yet been made available.
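To make the crash trigger described above concrete from the defender's side, here is an added example (not code from the article or the Bugtraq entry) that walks a WMF record stream and flags META_CREATEBRUSHINDIRECT records whose LOGBRUSH parameters are malformed. The article does not say which LOGBRUSH field is corrupted, so the checks below are generic structural ones (record size, brush style and hatch enumerations), and the sample metafiles are constructed inline.

```python
import struct

META_CREATEBRUSHINDIRECT = 0x02FC
PLACEABLE_KEY = 0x9AC6CDD7          # optional 22-byte placeable header magic
VALID_BRUSH_STYLES = range(0, 10)   # BS_SOLID .. BS_MONOPATTERN
VALID_HATCH_STYLES = range(0, 6)    # HS_HORIZONTAL .. HS_DIAGCROSS
BS_HATCHED = 2

def iter_records(data: bytes):
    """Yield (offset, function, params) per WMF record; params is None if truncated."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                     # skip placeable header
    off += 18                        # skip the fixed 18-byte METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2        # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            yield off, func, None    # undersized or runs past end of file
            return
        yield off, func, data[off + 6:off + size]
        if func == 0:                # META_EOF
            return
        off += size

def check_brush_records(data: bytes) -> list:
    """Return (offset, reason) findings for suspicious CreateBrushIndirect records."""
    findings = []
    for off, func, params in iter_records(data):
        if func != META_CREATEBRUSHINDIRECT:
            continue
        if params is None or len(params) != 8:   # LOGBRUSH is WORD + DWORD + WORD
            findings.append((off, "CreateBrushIndirect record has wrong size"))
            continue
        style, _color, hatch = struct.unpack("<HIH", params)
        if style not in VALID_BRUSH_STYLES:
            findings.append((off, f"unknown brush style {style:#x}"))
        if style == BS_HATCHED and hatch not in VALID_HATCH_STYLES:
            findings.append((off, f"unknown hatch style {hatch:#x}"))
    return findings

# Constructed sample metafiles (header size fields left zero; not real-world files).
def _header() -> bytes:
    return struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)

def _brush(style: int, color: int = 0, hatch: int = 0) -> bytes:
    return struct.pack("<IHHIH", 7, META_CREATEBRUSHINDIRECT, style, color, hatch)

EOF_RECORD = struct.pack("<IH", 3, 0)
GOOD = _header() + _brush(0, 0x00FF0000) + EOF_RECORD
BAD_STYLE = _header() + _brush(0x4141) + EOF_RECORD
TRUNCATED = _header() + struct.pack("<IHH", 7, META_CREATEBRUSHINDIRECT, 0)
```

Run `check_brush_records()` over a file's bytes; a non-empty result means the record stream should be quarantined rather than previewed.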
- WMF CreateBrushIndirect vulnerability (DoS), entry at Bugtraq