SANS ISC InfoSec Forums
Yet another MSIE 0-day: VML
Multiple readers have told us they noticed reports about a new MSIE 0-day abusing VML. VML stands for Vector Markup Language; it is an XML-based format for vector graphics that was submitted to the W3C in 1998 and is implemented in Internet Explorer.

This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (which, by the way, is still unpatched).

The researchers claim it allows remote code execution, i.e. the attacker can do anything the logged-on user could do.

Since we know of no kill bit or other easy solution, your options for mitigating this attack are limited. With a fix possibly far off, looking into alternate browsers is not the worst way to spend the next half hour.
One of the easiest ways to make that switch workable is Firefox with an extension that lets selected sites (such as windowsupdate.com) transparently render through MSIE, so ActiveX still works there without bothering the user about the choice or the differences. If you go that route, also add NoScript and a toolbar that blocks known malicious sites.
See also the diary on diversity.

There is some possibility of lessening the impact by reducing the rights the user has, but at best that only mitigates indiscriminate drive-by attacks. A targeted attacker is probably more than happy to get the rights (and access to information) the user already has as part of his or her daily tasks.
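As an added example (not part of the original diary, and not a signature for this particular bug), the following Python flags HTML that carries VML at all: it looks for the VML namespace URN and the usual ways a page enables VML (the import processing instruction, the `#default#VML` behavior in CSS, and `v:`-prefixed elements). The sample documents are constructed. While no patch exists, a check like this at a proxy, in mail filtering or over captured pages gives you something to triage; it will also fire on legitimate Office-generated HTML, so treat a hit as something to inspect, not something to block blindly.

```python
from __future__ import annotations

import re

# Markers that show a document uses VML. The namespace URN is how VML is
# declared in HTML; the other patterns are the common ways a page wires it up.
# These identify VML content in general, not this specific vulnerability.
VML_PATTERNS = {
    "vml-namespace": re.compile(r"urn:schemas-microsoft-com:vml", re.I),
    "vml-import-pi": re.compile(
        r"<\?import\s+namespace\s*=\s*['\"]?\w+['\"]?\s+"
        r"implementation\s*=\s*['\"]?#default#VML",
        re.I,
    ),
    "vml-behavior-css": re.compile(r"behavior\s*:\s*url\(\s*#default#VML\s*\)", re.I),
    "vml-element": re.compile(r"<\s*v:[a-z]+\b", re.I),
}


def vml_indicators(html: str) -> list[str]:
    """Return the names of the VML markers present in an HTML document."""
    return [name for name, pattern in VML_PATTERNS.items() if pattern.search(html)]


def is_vml_page(html: str) -> bool:
    """True if the document uses VML in any of the recognised ways."""
    return bool(vml_indicators(html))


def triage(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each named document to the VML markers found in it."""
    return {name: vml_indicators(html) for name, html in pages.items()}


# Constructed sample documents (not captured exploit pages).
BENIGN_HTML = """<html><head><title>Weather</title></head>
<body><h1>Forecast</h1><p>Sunny, 22 C.</p></body></html>"""

VML_HTML = """<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:100px;height:50px" fillcolor="red"/></body></html>"""

IMPORT_HTML = """<html><head><?import namespace="v" implementation="#default#VML" ?></head>
<body><v:oval style="width:80px;height:80px"/></body></html>"""


if __name__ == "__main__":
    samples = {"benign": BENIGN_HTML, "vml-namespace-page": VML_HTML, "vml-import-page": IMPORT_HTML}
    for name, hits in triage(samples).items():
        verdict = "VML present: " + ", ".join(hits) if hits else "no VML"
        print(f"{name}: {verdict}")
```

The patterns are deliberately loose (whitespace and case insensitive) because attackers vary markup to dodge exact-string filters; the cost is that any VML-bearing page, malicious or not, is reported.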

Thanks to all who sent in a note about this.

Update:
We have received requests for additional background information. Today's US-CERT Vulnerability Note provides useful background and links to the specific vulnerable technology.

--
Swa Frantzen -- Section 66