VML Exploit Patched, Questions Remain

UPDATED: Microsoft released a patch for a VML flaw being

The out-of-cycle security bulletin was released “in
response to malicious and criminal attacks on computer users that
were recently discovered,” according to a spokesperson.

After Russian hackers used an underground toolkit last week to
compromise host providers and 45 networks, security companies still
see the onslaught continuing.

First revealed last week, the exploit uses a buffer overflow error in
the Vector Markup Language (VML) library to execute remote code.

At its high point between Thursday and Saturday, the exploit took
control of 45 networks, thousands of domains and potentially a half-million Web sites.

Each include malicious code, according to Ken
Dunham, director of the rapid response team at VeriSign’s iDefense.

Now Sunbelt Software, the company that announced the VML flaw in IE,
said the Web attacks are morphing to e-mail phishing attempts.

The new
attacks use an error in the DirectAnimation Path ActiveX control
enabling hackers to plant malware and Trojans in systems visiting
malicious Web sites.

The new attacks come disguised as e-mail alerting users
they’ve received a Yahoo Greeting Card, according to Websense.

However, the site downloads an IE Browser Helper Object that
redirects information entered in any form to a third-party.

Websense vice president of security research Dan Hubbard expects the
next wave of attacks to concentrate on Web servers used by high-profile sites. Along with a patch, Hubbard suggests Outlook users
disable the preview frame.

Dunham said he was tracking 3,000 Web sites still using the Russian
Web-Attacker toolkit.

However, the security expert believes e-mail-based exploits are now likely, including phishing scams hoping to
gain financial information from consumers.

Microsoft, unavailable for comment, said Friday in a blog post it was working on an update to address the new vulnerability, yet
countered reports that attacks were widespread.

“Attacks remain limited,” wrote Scott Deacon, Microsoft Security
Response Center Operations Manager. Deacon said “there’s been some
confusion about that.”

Microsoft said it was “working non-stop” on an update and was
evaluating whether to issue an out-of-cycle update. The next
scheduled update is set for Oct. 10 as part of the monthly “Patch
Tuesday” event.

Last week, Microsoft updated a security advisory suggesting to users how to prevent the exploit.

However, it is likely the software maker will release an update as
early as this week, Dunham said.

But with a continued threat and no assurance Microsoft will release a
fix soon, Dunham advises consumers to install a third-party patch from the Zero-day Emergency
Response Team, or ZERT.

While companies may want to rely on their own security guidelines and
Microsoft, the reality for consumers is that they are forced to consider the unofficial patch, according to Dunham.

The security researcher has
tested the patch and found it doesn’t contain malicious code.

Although the recent scare was public, Dunham believes the next
attacks will be silent and taught hackers a lesson.

“The bad guys know it’s trivial to do,” he said.

News Around the Web