Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Yellow: MSIE VML exploit spreading - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Yellow: MSIE VML exploit spreading

Yellow

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites.  The risk of getting hit is increasing significantly.

Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well.

Weekends are moreover popular moments in time for the bad guys to build their botnets.

Actions

We suggest following actions (do them all: a layered approach will work when one of the measures fails):
  • Update your antivirus software, make sure your vendor has protection for it.
  • Unregister the vulnerable dll:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  • Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
Reregistering a DLL is done with the same command as unregistration, but without the "-u".

Quotes

Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least  one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.

References

--
Swa Frantzen -- Section66
Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!