Printed from www.pcpro.co.uk
Security firm beats Microsoft to patch VML hole
Posted on 25 Sep 2006 at 12:43
A group of security researchers known as the Zeroday Emergency Response Team (ZERT) has issued a patch for the Vector Markup Language (VML) flaw in Internet Explorer.
The patch is unsupported, and ZERT warns that although the patch is tested, it is provided 'as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch'.
Microsoft's Scott Deacon, from the Microsoft Security Response Center, said that 'We think it's great that there are people out there working to help protect our customers. But ... we cannot endorse third party updates.'
He said that the team was working around the clock to have a patch available quickly and was confident that progress had been made that would mean a fix which passes stringent quality and compatibility tests would be available before the next round of security bulletins, due 10 October.
Pressure is mounting on Microsoft to come up with a fix and fast. Security researchers at Sunbelt and Internet Security Systems - the first to discover the vulnerability - have identified numerous websites hosting exploit code. According to Sunbelt, an entire ISP has been hacked and a number of its websites hijacked to host exploits. Sophos too counts Troj/Dloadr-ANO, Troj/Goldun-EC and Troj/Goldun-ED among the threats being used in such attacks.
However, in spite of masses of activity by the virus underground in the wake of the security revelation, there is no evidence as yet of large scale successful attacks on end-users. To be successful, an attacker has to persuade their victim to visit a website that hosts exploit code as it cannot be done automatically.
'Attacks remain limited,'said Deacon. 'There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either.'
Sunbelt's Alex Eckelberry added hackers writing exploit code for vulnerabilities is no reason to panic: 'It's an exploit. And it works. What else do you expect hackers to do? The world isn't coming to an end though. Just take your normal precautions.'
Successful attacks however, would potentially render complete control of the target system, including the ability to run code remotely. Websense has a movie of an attack in action.
A workaround for the VML flaw is to simply unregister VGX.DLL and set Outlook to only display email in plain text until an official update becomes available.
Author: Matt Whipp and Steve Malone
advertisement
- Motorola pays Lucas for its Droid
- Where are the killer apps for Windows?
- Will you hit the Orange iPhone "unlimited" cap?
- USB 3 first benchmark - it's here, and it's fast
- Why Windows 7 has forced me to worry about security
- How Dixons is (under)selling Windows 7
- Do I like Windows 7 because it's so like a Mac?
- No Windows 7 drivers turn Dell M1330 into a doorstop
- Is Windows 7 good looking enough to sway an Apple fan?
- Typekit brings print-like typography to the web
- Avira Premium Security Suite 9
- ZoneAlarm Internet Security Suite
- Webroot Internet Security Essentials
- Trend Micro Internet Security
- PC Tools Internet Security 2009
- Panda Internet Security 2009
- Norton Internet Security 2009
- Kaspersky Internet Security 2009
- F-Secure Internet Security 2009
- Eset Smart Security
- BitDefender Total Security 2009
advertisement
