RealTime IT News

VML Exploit Patched, Questions Remain

UPDATED: Microsoft released a patch for a VML flaw being exploited.

The out-of-cycle security bulletin was released "in response to malicious and criminal attacks on computer users that were recently discovered," according to a spokesperson.

After Russian hackers used an underground toolkit last week to compromise host providers and 45 networks, security companies still see the onslaught continuing.

First revealed last week, the exploit uses a buffer overflow error in the Vector Markup Language (VML) library to execute remote code.

At its high point between Thursday and Saturday, the exploit took control of 45 networks, thousands of domains and potentially a half-million Web sites.

Each include malicious code, according to Ken Dunham, director of the rapid response team at VeriSign's iDefense.

Now Sunbelt Software, the company that announced the VML flaw in IE, said the Web attacks are morphing to e-mail phishing attempts.

The new attacks use an error in the DirectAnimation Path ActiveX control enabling hackers to plant malware and Trojans in systems visiting malicious Web sites.

The new attacks come disguised as e-mail alerting users they've received a Yahoo Greeting Card, according to Websense.

However, the site downloads an IE Browser Helper Object that redirects information entered in any form to a third-party.

Websense vice president of security research Dan Hubbard expects the next wave of attacks to concentrate on Web servers used by high-profile sites. Along with a patch, Hubbard suggests Outlook users disable the preview frame.

Dunham said he was tracking 3,000 Web sites still using the Russian Web-Attacker toolkit.

However, the security expert believes e-mail-based exploits are now likely, including phishing scams hoping to gain financial information from consumers.

Microsoft, unavailable for comment, said Friday in a blog post it was working on an update to address the new vulnerability, yet countered reports that attacks were widespread.

"Attacks remain limited," wrote Scott Deacon, Microsoft Security Response Center Operations Manager. Deacon said "there's been some confusion about that."

Microsoft said it was "working non-stop" on an update and was evaluating whether to issue an out-of-cycle update. The next scheduled update is set for Oct. 10 as part of the monthly "Patch Tuesday" event.

Last week, Microsoft updated a security advisory suggesting to users how to prevent the exploit.

However, it is likely the software maker will release an update as early as this week, Dunham said.

But with a continued threat and no assurance Microsoft will release a fix soon, Dunham advises consumers to install a third-party patch from the Zero-day Emergency Response Team, or ZERT.

While companies may want to rely on their own security guidelines and Microsoft, the reality for consumers is that they are forced to consider the unofficial patch, according to Dunham.

The security researcher has tested the patch and found it doesn't contain malicious code.

Although the recent scare was public, Dunham believes the next attacks will be silent and taught hackers a lesson.

"The bad guys know it's trivial to do," he said.