VML zero-day attack targets Windows
By Matt Whipp
Posted on 20 Sep 2006 at 16:59
Security specialist Internet Security Systems (ISS) has issued an alert for a zero-day attack targeting an unpatched vulnerability within all service pack versions of Windows 2000, XP and Server 2003.
The problem is a stack overflow when handling Virtual Markup Language (VML) files - an application of XML that includes vector data and information on how to display it.
Successful exploitation of the vulnerability would allow an attacker to gain access to the target system with the same privileges as the user - usually admin level for Windows users - including the potential to run code remotely.
The attack could be launched from a specially crafted HTML page either hosted on a website, or sent via an HTML email.
ISS says it was first alerted to the problem on 12 September, when intrusion detection systems used by its customers began raising alerts about a website hosting exploits for this vulnerability.
Subsequently, by 16 September, ISS's Web content filtering services had identified new websites hosting the same exploit code.
James Rendell, Senior Technology Specialist at ISS, said: 'This is a classic case of a zero day vulnerability.'
Despite the broad range of systems potentially at risk from the vulnerability, Microsoft, which was told of the problem on 18 September, describes the attacks as 'targeted and very limited'. It acknowledges, however, that 'the vulnerability is being actively exploited'.
Even so, Redmond has no plans to issue a public patch for this until its next round of security bulletins, due out 10 October.
It says it is already working on an update. And in a case where such a vulnerability had not been made public, let alone been shown to be prey to existing exploit code, it would be normal practice to spend time ensuring that the patch released would be compatible with the various configurations of the affected Microsoft software.
But with nearly three weeks until then, attackers have a long window of opportunity.
Microsoft is advising customers to turn off the VML component until a patch has been issued, set Outlook to display text only and, for IE 6 with Service Pack 2, disable Binary and Script Behaviors in the Internet and Local Intranet security zones.
However, speaking from a personal point of view, Rendell was intrigued by Microsoft's reaction.
'It's interesting when you contrast this with the recent media player DRM hacks. Microsoft got out a patch for that within three days. There's a clear economic incentive. It's interesting that they can react very quickly in that scenario,' he said.
ISS customers have been protected from attacks exploiting the flaw since March, said Rendell.
