What’s the problem? A vulnerability newly discovered in Microsoft Internet Explorer could allow an attacker to take over a targeted machine — even a machine with all its patches up-to-date.
What’s it called? The Common Vulnerabilities and Exposures list tentatively designates this vulnerability as CVE-2006-4868. McAfee calls it Exploit-VMLFill; Trend Micro calls it EXPL_EXECOD.A; Symantec calls it Trojan.Vimalov, reflecting its probable Russian origin. SecurityFocus assigns it a Bugtraq ID of 20096.
Which programs and versions are affected? Internet Security Systems reports that the flaw affects all versions of IE that include support for VML, which means versions 5 and 6, though tests so far have generally looked at version 6. There have been no reports of the attack working on IE 7. Recent versions of Outlook and Outlook Express are also vulnerable, as are all versions and service packs for Windows 2000 and XP. (IE on Win2003 runs by default in a restricted mode, in which certain binary and script behaviors are disabled; if those settings have been changed the system may be vulnerable.)
Are Mac, Linux or Unix systems vulnerable? What about Firefox? No, no, no and no. (Something Firefox aficionados are trumpeting loudly over in the SunbeltBlog comments. That’s not winning many popularity contests.)
How is the vulnerability exploited? So far, the exploit has been found in the wild on a handful of Russian sites, mostly porn-related. Propagation is via the usual routes, particularly e-mail, though IM or any service by which an HTML link can be sent will do. Users must click on an HTML link to load the affected document. Outlook or Outlook Express users who automatically open HTML messages are also at risk.
What’s the sequence of events? Security veterans won’t be surprised to learn that we have yet another buffer-overflow attack here. The buffer is deluged and overflows, pushing JavaScript shell code into adjacent buffers for execution. The code downloads a piece of malware and saves it to the hard drive as CPU.exe, after which Internet Explorer generally shuts down.
What’s the payload? Depends, but the vulnerability can allow attackers to take complete control of the machine so the potential for mayhem is high. Most attacks so far are recruiting PCs into botnets, presumably to be used for other attacks or malware propagation at a later date. They’re also depositing a stunning amount of adware on victimized machines, as Sunbelt researcher Adam Thomas described in a blog posting. The potential for trouble, rather than the current infection rate, is why organizations such as Secunia are concerned at the moment.
When can I expect an official patch? Microsoft, in a security advisory released yesterday, says it’s working on a patch that’s in the final stages of compatibility testing. The company expects to release it with the October “Patch Tuesday” set scheduled for the 10th of the month.
That long?! So far, it doesn’t appear that we’ve got another Windows Metafile zero-day mess on our hands, not least because the vulnerability was apparently obscure for quite some time. (More on the discovery process below.) If things heat up, Microsoft says it’ll work to release the patch earlier.
Is that likely? Chris Mosby’s blog says that Web Attacker, the notorious toolkit for Trojans, has been updated to include support for exploiting the vulnerability. Not a good sign.
What can I do in the meantime? Simply put: Turn off JavaScript execution, since the code inserted by the buffer overflow is JavaScript. More fully, Microsoft and independent experts are recommending that admins (and users with admin privileges) temporarily unregister vgx.dll, the affected library, with the following command:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
After the DLL is unregistered, reboot the computer. Once a patch is available, the DLL may be re-registered at your convenience. Security expert Jesper Johansson has posted some useful templates, using Group Policy, for fast fix deployment in Windows domains.
Microsoft says that Windows Live OneCare users who currently have green status are protected from all known malware, and recommends that all users check that their antivirus protections are up to date. Antivirus software that includes protection against buffer overflows appears to protect against the exploit.
If vgx.dll is crucial to your users, the Access Control List for the DLL may be modified to forbid access to the ‘everyone’ group.
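The regsvr32 command above and the ACL change just mentioned are the two interim workarounds an admin can apply by hand. As an added example (not code from the article, from Sunbelt or from Microsoft), the cmd.exe batch script below applies both in the right order and reverses them once the patch has been installed. It assumes Windows 2000 or XP with regsvr32.exe and cacls.exe available, an account with local administrator rights, and the default installation path for vgx.dll; the script name vgx_mitigate.cmd and its disable/restore arguments are invented for the example.

```batch
@echo off
rem vgx_mitigate.cmd -- added example, not from the article or from Microsoft.
rem Applies or reverses the two interim workarounds for the VML flaw:
rem   1. unregister vgx.dll with regsvr32 (the command the article quotes)
rem   2. deny the Everyone group access to the DLL via its ACL
rem Assumes cmd.exe on Windows 2000/XP with regsvr32.exe and cacls.exe on the
rem path, and an account with local administrator rights.
rem Usage:  vgx_mitigate.cmd disable   (before the patch is available)
rem         vgx_mitigate.cmd restore   (after the patch is installed)
setlocal

set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

if /i "%~1"=="disable" goto :disable
if /i "%~1"=="restore" goto :restore
echo Usage: %~nx0 disable ^| restore
exit /b 2

:disable
if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%" - nothing to do.
    exit /b 0
)
rem Unregister first: once Everyone is denied access, regsvr32 can no
rem longer load the DLL, so the order of these two steps matters.
regsvr32 /s /u "%VGX%"
if errorlevel 1 (
    echo regsvr32 /u failed - are you running as an administrator?
    exit /b 1
)
rem /E edits the existing ACL instead of replacing it; /P everyone:N adds
rem an entry that grants the Everyone group no access at all.
cacls "%VGX%" /E /P everyone:N
if errorlevel 1 (
    echo cacls failed - the DLL is unregistered but still readable.
    exit /b 1
)
echo vgx.dll unregistered and access denied to Everyone.
echo Reboot so that IE, Outlook and Outlook Express drop any loaded copy.
exit /b 0

:restore
rem Reverse order on the way back: restore access, then re-register.
cacls "%VGX%" /E /R everyone
if errorlevel 1 echo warning: could not remove the Everyone entry (was it ever applied?)
regsvr32 /s "%VGX%"
if errorlevel 1 (
    echo regsvr32 failed to re-register vgx.dll.
    exit /b 1
)
echo vgx.dll re-registered. Reboot so every process sees the change.
exit /b 0
```

Because Everyone includes Administrators, the deny entry blocks regsvr32 itself; that is why the script unregisters before changing the ACL and revokes the ACL entry before re-registering. Run it once per machine, or push it through the Group Policy startup-script templates mentioned above, and reboot afterwards as the advisory recommends.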
Microsoft suggests those using IE 6 on XP Service Pack 2 can protect themselves by disabling binary and script behaviors in the Internet and Local intranet security zones. Those settings are reached through Tools -> Internet Options -> Security -> (zone) -> ActiveX controls and plug-ins, for both zones.
(Several observers have noted that Microsoft is clearly taking the problem seriously, as it’s rare for the company to recommend disabling functionality in their products, even temporarily!)
What does vgx.dll do? Practically speaking, not much. It’s a dynamic link library supporting VML, the hypertext markup language that handles the display of vector graphics. The VML proposal has been around since 1998, but it’s not very widely used online. It’s unlikely that most users will even know it’s (temporarily) not supported by their IE browser.
Hasn’t vgx.dll been involved in security advisories before? Good memory. It was indeed one of the buffers affected in certain versions of Windows when the 2004 .jpeg processing buffer-overflow problem covered in MS04-028 was spotted.
Who found the flaw? Funny you should ask. Sunbelt first noticed the exploit in the wild around noon on Monday and posted the code to a private mailing list of security professionals, who began the vetting process. According to Alex Eckleberry at Sunbelt, this was the first the security professionals on their (closed, vetted) list had heard of the vulnerability. However, Eckleberry found out later in the day that ISS has apparently been aware of the exploit for some time and has been working with Microsoft on a fix; that organization issued an advisory on Tuesday.
Obfuscation? Responsible disclosure? In the words of Eckleberry, “Whatever.” CERT’s notes on the situation credit Sunbelt with the find at this web site.