We got multiple readers telling us they noticed reports about a new MSIE 0-day "actively exploited unpatched vulnerability" against VML. VML stands for Vector Markup Language and is basically an XML file delivered to your browser containing a vector drawing. It was submitted to W3C in 1998.
This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (BTW: it's still unpatched).
The CVE candidate number CVE-2006-3866 initially promoted has been rejected; CVE-2006-4868 is the right one.
Detection:
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 7.2.0.16 | 09.19.2006 | no virus found |
| Authentium | 4.93.8 | 09.19.2006 | no virus found |
| Avast | 4.7.844.0 | 09.19.2006 | no virus found |
| AVG | 386 | 09.19.2006 | no virus found |
| BitDefender | 7.2 | 09.19.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 09.18.2006 | no virus found |
| ClamAV | devel-20060426 | 09.19.2006 | no virus found |
| DrWeb | 4.33 | 09.19.2006 | no virus found |
| eTrust-InoculateIT | 23.72.128 | 09.19.2006 | no virus found |
| eTrust-Vet | 30.3.3086 | 09.19.2006 | no virus found |
| Ewido | 4.0 | 09.19.2006 | no virus found |
| Fortinet | 2.82.0.0 | 09.19.2006 | no virus found |
| F-Prot | 3.16f | 09.19.2006 | no virus found |
| F-Prot | 44.2.1.29 | 09.19.2006 | no virus found |
| Ikarus | 0.2.65.0 | 09.19.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 09.19.2006 | no virus found |
| McAfee | 4855 | 09.19.2006 | no virus found |
| Microsoft | 1.1560 | 09.19.2006 | Exploit:HTML/Levem.C |
| NOD32 | v21.1763 | 09.19.2006 | no virus found |
| Norman | 5.90.23 | 09.19.2006 | no virus found |
| Panda | 9.0.0.4 | 09.19.2006 | no virus found |
| Sophos | 4.09.0 | 09.19.2006 | no virus found |
| Symantec | 8.0 | 09.19.2006 | no virus found |
| TheHacker | 6.0.1.073 | 09.19.2006 | no virus found |
| UNA | 1.83 | 09.19.2006 | no virus found |
| VBA | 323.11.1 | 09.19.2006 | no virus found |
| VirusBuster | 4.3.7:9 | 09.19.2006 | no virus found |
This was for a sample on the 19th; detection will obviously improve as VirusTotal shares samples with the antivirus vendors involved.
Solutions:
Exploits
There are a number of exploits circulating; they come from multiple domains and currently use JavaScript to obfuscate the code itself. However, the exploit itself does not seem to need JavaScript.
The exploits load a truckload of other malware (for profit, of course). One of the main domains involved is "insorg.org", but other, more adult-entertainment-related sites are involved in exploiting victims as well.
Since this exploit seems to be rather easy to recreate once there is a sample, there is no end to how and where it can and will be used. We'd not be surprised to see it appear soon in more mainstream public sources of exploits.
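Because the exploit does not need JavaScript even though the samples seen so far hide the markup behind it, a content filter that only looks at script is easy to bypass. The following triage script is an added example (not from this diary or from ISC): it checks captured HTML for VML markup both in the static document and inside the simple JavaScript string encodings used to hide markup (unescape()-style %XX/%uXXXX escapes and String.fromCharCode). The VML markers (the VML namespace URN, the behavior style, v:-prefixed elements) and the three sample pages are assumptions and constructed input, not samples from the diary.

```python
import re
from urllib.parse import unquote

# How VML is normally declared in HTML: the namespace URN, the "behavior" style
# that binds the v: prefix to the VML renderer, and v:-prefixed elements.
# Assumed triage markers, not indicators taken from the diary.
VML_MARKERS = [
    re.compile(r"urn:schemas-microsoft-com:vml", re.I),
    re.compile(r"behavior\s*:\s*url\(\s*#default#VML\s*\)", re.I),
    re.compile(r"<v:[a-z]+", re.I),
]
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")


def reveal_script_strings(script: str) -> str:
    """Undo two common string encodings so hidden markup becomes matchable:
    String.fromCharCode(n, ...) and %XX / %uXXXX escapes as consumed by unescape()."""
    decoded = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        script)
    decoded = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
    return unquote(decoded)


def triage_html(html: str) -> dict:
    """Report where VML markup appears: in the static document (reaches the
    parser with no JavaScript at all) or only inside decoded script strings."""
    scripts = [reveal_script_strings(m.group(1)) for m in SCRIPT_RE.finditer(html)]
    static = SCRIPT_RE.sub("", html)
    vml_static = any(p.search(static) for p in VML_MARKERS)
    vml_in_script = any(p.search(s) for s in scripts for p in VML_MARKERS)
    return {"vml_static": vml_static, "vml_in_script": vml_in_script,
            "flag": vml_static or vml_in_script}


# Constructed sample pages (not real exploit samples).
SAMPLE_INLINE = ('<html xmlns:v="urn:schemas-microsoft-com:vml"><style>v\\:* '
                 '{ behavior: url(#default#VML); }</style><body>'
                 '<v:rect style="width:100pt;height:50pt"/></body></html>')
SAMPLE_SCRIPT = ('<html><body><script>document.write(unescape('
                 '"%3Cv%3Arect%20style%3D%22width%3A10pt%22/%3E"));</script></body></html>')
SAMPLE_BENIGN = ('<html><body><p>hello</p><script>var s = unescape("%48%69");'
                 'document.write(s);</script></body></html>')

if __name__ == "__main__":
    for name, page in [("inline", SAMPLE_INLINE), ("script", SAMPLE_SCRIPT),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, triage_html(page))
```

Decoding only these two encodings is deliberately narrow; anything flagged by the script still needs a look by hand, and a page that is not flagged is not thereby clean.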
URLs
Please note that Microsoft says it plans to release a fix on October 10th (in cycle) or earlier depending on customer need. Perhaps it's time to let them hear your need.
Thanks to all who sent in a note about this.
--
Swa Frantzen --
Section 66