RealTime IT News

IE Vulnerability Spreads To Email

The VML exploit found earlier this week could prove to be a severe problem because it can take initiative without requiring any action on the part of the user. But so far Microsoft does not appear to be a big rush to fix the problem.

Microsoft  has acknowledged reports from antivirus and anti-spyware vendors of the vulnerability in the Vector Markup Language (VML) used in Windows.

For now, Microsoft has published a Security Advisory, which provides steps customers can take to protect themselves.

A security update is now being finalized, but at this point, Microsoft plans to release it as part of its October security updates on October 10, three weeks away. A Microsoft spokesperson confirmed late Wednesday when asked by internetnews.com that the fix would come next month, not sooner.

Microsoft has dragged its feet on exploits before. When the WMF virus was found in late December, Microsoft was initially slow to release a fix but eventually did so ahead of schedule due to customer pressure.

Eric Sites, vice president of research & development at Sunbelt Software, which first found the exploit, said Microsoft should not wait on a patch.

"I expect over the next week there will be an exponential growth in the number of Web sites using this to push malware  on people," he said. "It can be worse than the WMF virus because you couldn't exploit WMF through email. All it takes is a couple guys with spam and the bad guys have a very efficient delivery system with these bots."

Originally, the exploit was found on porn Web sites, but the iDefense team at VeriSign has found code that can be executed within an email client; all you have to do is use the preview function in an email client, you don't even have to open the letter or click on a link, the most common means of infecting a computer.

According to Ken Dunham, director of the Rapid Response Team at iDefense, email is rendered in Outlook with Internet Explorer. That's how it handles scripts and embedded code, like HTML. When you preview it, the hostile code can execute and hit the VML problem.

And Dunham said this code is spreading among underground virus sites quickly. "The exploit code is out there for people to copy, paste and start using. It's trivial to leverage and reproduce. When it's popularized and easy to do, it's trouble," he said.

The VML exploit is a buffer overflow that allows for remote code execution, and in this case, it's being used to download multi-stage, multi-chain attacks using a program called WebAttacker toolkit.

Dunham said in one case, WebAttacker installed 73 files, including 15 executables, taking up 12 megabytes in size. It installed everything from proxies to dialers to keyloggers to spyware.

Sites also thinks this virus could be as nasty as WMF, if not worse. "Just looking at an email means you can be exploited. So things can escalate very quickly," he said.

The WebAttacker toolkit was created by the same hackers that found the VML exploit, said Sites, and now more than 1,000 use this kit. WebAttacker is designed to bake a URL into a set of scripts, each encoded differently. It figures out which browser and patches you have and serves different scripts based on your browser and patch level.

Sunbelt has given all the anti-virus vendors a copy of the scripts and notified them about WebAttacker. But for now, the best way to protect yourself is to unregister the VML DLL on your computer. It means you can render some VML code in your default browser or email, but its use is minor.

The process is a single step, documented in a Sunbelt blog posting. Sites said the company has found it to be totally reliable in protecting the computer from an attack.