Yellow: MSIE VML exploit spreading
History
We've refreshed this article as a reminder for those of you checking in on Monday morning. On Friday the 22nd (past the working day for some of our readers), we raised our Infocon to Yellow for 24 hours in order to increase awareness of the problem and call for action. We went back to Green, as intended, after 24 hours. New versions of exploits continue to be released publicly. We also still get new sites detecting exploits and reporting this to us. There is still reason to act if you haven't done so yet. This exploit is one that's going to stay with us, so you do need protection. Waiting will not make the problem go away.
Reason for Yellow
The VML exploit is now becoming more widespread, so we changed the InfoCon level to Yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used on more and more mainstream websites. The risk of getting hit is increasing significantly.
Outlook (including Outlook 2003) is, as expected, also vulnerable, and the email vector is being reported as exploited in the wild as well.
Weekends are, moreover, popular moments for the bad guys to build their botnets.
Actions
We suggest the following actions (do them all: a layered approach will still work when one of the measures fails):
- Update your antivirus software and make sure your vendor has protection for it (*).
- Unregister the vulnerable dll (**):
regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Then reboot the machine to make sure all in-memory copies are gone as well.
- Consider asking your users to stop using MSIE. We know it's hard to break an addiction, but you're using the most targeted browser in the world.
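The unregister step above is easy to run but hard to confirm by eye, since regsvr32 /u /s reports nothing. The script below is an added example, not from this diary or from Microsoft: it resolves vgx.dll at the two documented locations, unregisters it, and then verifies the result by scanning HKCR\CLSID for any InprocServer32 entry that still points at the DLL. The registry scan is a generic COM-registration check (no CLSIDs are assumed), and the script must be run from an elevated prompt.

```powershell
# Added example (not from the ISC diary): unregister vgx.dll and verify that no
# COM class still references it. Run elevated. The candidate paths are the ones
# given in the diary; the CLSID scan is a generic check, not a list of known IDs.

$candidates = @(
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'),
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
)

function Get-VgxClsids {
    # Return every CLSID whose InprocServer32 default value names vgx.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
            if ($ip -and ($ip.'(default)' -like '*vgx.dll*')) { $_.PSChildName }
        }
}

$dll = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $dll) {
    Write-Output 'vgx.dll not found at either documented location; nothing to unregister.'
    return
}

$before = @(Get-VgxClsids)
Write-Output "Found $dll; COM classes currently registered for it: $($before.Count)"

# /u = unregister, /s = silent; success is reported only through the exit code.
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Warning "regsvr32 /u returned exit code $($proc.ExitCode)"
}

$after = @(Get-VgxClsids)
if ($after.Count -eq 0) {
    Write-Output 'No CLSID references vgx.dll any more. Reboot so loaded copies are unloaded too.'
} else {
    Write-Warning "CLSIDs still referencing vgx.dll: $($after -join ', ')"
}
```

The before/after counts also make the script useful as an audit: run only the Get-VgxClsids function on a fleet to find machines where the workaround was never applied, or where a later installer re-registered the DLL.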
Quotes
Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.
References
- US-CERT Vulnerability Note
- Jesper Johansson's blog, which contains interesting ideas about work-arounds
- AusCERT Alert (phishing like technique)
- Microsoft Security Advisory 925568
- Blocking VML using a GPO (use the magic incantations at own risk)
- Snort VRT
- Websense
- Websense movie of VML infection with spyware keylogger
- McAfee
- Symantec
- Trendmicro
- Panda
- F-secure
- Sophos
- xforce.iss
- CA exploit detection
- CA has a writeup analyzing one of the attacks
- Sept. 24th diary
- Sept. 23rd diary
- Sept. 21st diary
- Sept. 19th diary
(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.
(**): There are a few rare reports of relatively uncommon applications that suffer from disabling this DLL, so check your mission-critical applications before disabling it. Since VML never made it as a standard, it is not widely used at all; using it means the web site does not work properly in other browsers.
--
Swa Frantzen -- Section66