Microsoft advisory on VML hole
Microsoft has released an advisory regarding the recently announced VML hole in Internet Explorer. It provides the company's first confirmation that attackers could use specially crafted vector graphics in websites and emails to plant arbitrary code and in some circumstances even gain full control of vulnerable systems. The company warned in particular against the possibility that rigged ad banners could be used to sneak the malware onto PCs. Websites on which visitors can post their own image files could also serve as a transfer medium for the manipulated VML files.
Avert Labs, run by antivirus software maker McAfee, is also reporting that the hacker toolkit WebAttacker has been expanded to include a VML exploit. WebAttacker makes it easy to generate just the kind of manipulated websites that can sneak malware onto computers visiting with vulnerable browsers. The toolkit is available on the black market for around 15 euros. It stands to reason that in the coming days more and more websites with embedded VML exploits will turn up.
Microsoft indicates that one potential workaround is to deactivate the vulnerable vgx.dll library. To do so, click on "Start" and "Run" and enter the command:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
After confirmation and a restart of the computer, the system is no longer vulnerable. One side effect of de-registering vgx.dll is that the PC can no longer display VML files; in practice, however, this may well be hardly noticeable. Presuming that Microsoft releases a patch on the coming October Patch Tuesday, the library can be reactivated by entering the same command as above, but without the "-u" option.
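For administrators who need to apply or reverse the workaround on many machines, the batch script below wraps the same regsvr32 call. It is an added example, not taken from the Microsoft advisory or from this article. The script name is hypothetical, and the second path check assumes that 64-bit Windows may hold an additional 32-bit copy of vgx.dll under the "Common Files (x86)" directory.

```bat
@echo off
rem Added example: apply or reverse the vgx.dll workaround without dialogs.
rem Usage: vgx-workaround.cmd disable ^| enable   (script name is hypothetical)
rem Run from an administrator account, then restart the computer.
setlocal

rem /s suppresses the regsvr32 confirmation dialog, /u unregisters the DLL.
set "MODE=%~1"
set "FLAGS="
if /i "%MODE%"=="disable" set "FLAGS=/s /u"
if /i "%MODE%"=="enable" set "FLAGS=/s"
if not defined FLAGS goto :usage

set "FAILED=0"
call :process "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
rem Assumption: a 64-bit system may carry a second, 32-bit copy of the library.
if defined CommonProgramFiles(x86) call :process "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

if "%FAILED%"=="0" echo Finished. Restart the computer to complete the change.
if "%FAILED%"=="1" echo At least one operation failed. Check the messages above.
exit /b %FAILED%

:usage
echo Usage: %~nx0 disable ^| enable
exit /b 2

:process
rem %~1 is the full path to one copy of vgx.dll.
if not exist "%~1" goto :skip
regsvr32 %FLAGS% "%~1"
rem regsvr32 returns a non-zero exit code when the operation fails.
if errorlevel 1 goto :fail
echo OK [%MODE%]: "%~1"
goto :eof

:skip
echo Skipped, file not present: "%~1"
goto :eof

:fail
echo FAILED with exit code %errorlevel%: "%~1"
set "FAILED=1"
goto :eof
```

The script exits with 0 only when every copy it found was processed successfully, so a deployment tool can use the exit code to flag machines that are still exposed.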
According to a test by the Internet Storm Center, Microsoft's OneCare Live is currently the only AV product capable of recognising VML malware. The related hole is in fact only one of four different unresolved vulnerabilities in Microsoft products that could allow for the planting of arbitrary code: patches remain outstanding for PowerPoint, Word and daxctle.ocx in IE.
- Vulnerability in Vector Markup Language Could Allow Remote Code Execution, advisory from Microsoft
- New unknown holes in Internet Explorer already being exploited at heise Security