0-day MS Explorer / Outlook Exploit in the Wild (VML Buffer Overflow) - CRITICAL
Quote:
Sunbelt Software is reporting a previously unknown, and unpatched, MS Explorer / Outlook exploit in the wild. It is currently being used to push spyware and to create botnet zombies. This is the 2nd 0day IE exploit so far this month. Rated Extremely Critical - Several updates below. Confirmation that this can spread via email.
The exploit is being used to launch drive-by malware downloads that are hijacking Windows machines for use in botnets. These botnet computers (what used to be your computer) are normally used to distribute spam and as launching points for illegal activities. But the exploit can be used to install arbitrary executable code so anything is possible.
This exploit has been confirmed on a fully patched Windows XP computer with SP2 and IE 6.0. It most likely runs on some previous OS versions / patch versions as well. The vulnerability is a buffer overflow in the way Internet Explorer handles VML (Vector Markup Language) code. VML is basically an XML file presented to your browser that contains a vector drawing.
Update:
* This vulnerability is being actively exploited on malicious websites. Here is what Microsoft is saying: "compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability". Meaning? Avoid websites that allow just anyone to post HTML content. (this site allows text only)
* Apparently Outlook and/or Outlook Express is vulnerable as well. From Microsoft: "In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability." See advisory below. If this is the case this may go big time very quick. Check back here frequently for updates or switch to plain text email only. (update: Outlook and Outlook Express are vulnerable, see link below)
There are no fixes available at this time and a "killbit" won't be an option (since the vulnerability is not based off of ActiveX like this month's previous exploit). The exploit can be mitigated by turning off JavaScript (though this does not fully mitigate all avenues of attack). It does not affect Firefox, Opera, or other non-Internet Explorer based browsers so these are effective tools for mitigating this IE vulnerability. (Update: Microsoft has issued some workarounds but hinting at the severity of the problem some of the workarounds are not for the faint of heart
http://www.nist.org/news.php?extend.171
http://www.frsirt.com/english/advisories/2006/3679
http://xforce.iss.net/xforce/alerts/id/237
http://blog.washingtonpost.com/secur...t_explore.html
Again.. Second 0-day exploit out...
Greetings
:o
I had earlier posted about an exploit for a new and UNPATCHED vulnerability affecting IE.
Here is an ACTIVE exploit that is doing rounds... It is not yet detected by any anti-virus except *cough* Microsoft *cough* *cough* *cough*
Anyway, you can get more information here... I'm not making this an extensive write-up because I know most of you use other browsers than IE, and for those who don't, please do.. OR reconfigure your IE.
Simple solution :
Unregister the vgx.dll:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
To reverse this: run the command without the -u. Ever since the WMF issue around new year we know unregistering DLLs isn't for the faint of heart. Even if Microsoft recommends it.
Oh ya this is a good line :
Quote:
Please note that Microsoft claims to be going to release a fix October 10th (in cycle) or earlier depending on customer need.
Links :
http://vil.nai.com/vil/content/v_140629.htm
http://www.symantec.com/enterprise/s...801-99&tabid=2
http://www.trendmicro.com/vinfo/viru...OD%2EA&VSect=T
http://www.microsoft.com/technet/sec...ry/925568.mspx
http://www.kb.cert.org/vuls/id/416092
** Heads Up ** Ie Again..
Greetings
Okay, this time I have to repeat the same thread because it's now really serious (WIDESPREAD).
Quote:
The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.
If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.
Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well.
Weekends are moreover popular moments in time for the bad guys to build their botnets.
Workaround :
Quote:
* Update your antivirus software, make sure your vendor has protection for it.
* Unregister the vulnerable dll:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
* Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
Reregistering a DLL is done with the same command as unregistration, but without the "-u".
The last time ISC's Infocon went Yellow was when the WMF exploit came out.. So keep sharp.. Or better, just use a different browser.
Be safe..
All the Links you need :
http://www.kb.cert.org/vuls/id/416092
http://www.auscert.org.au/render.html?it=6771
http://www.snort.org/rules/advisorie...006-09-21.html
http://www.websense.com/securitylabs...hp?AlertID=632
http://vil.nai.com/vil/content/v_140629.htm
http://www.symantec.com/enterprise/s...801-99&tabid=2
http://www.trendmicro.com/vinfo/viru...OD%2EA&VSect=T
http://www.pandasoftware.com/virus_i...idvirus=130801
http://www.f-secure.com/weblog/archi....html#00000974
http://www.antionline.com/showthread...hreadid=276612
PS : Last link here is to a thread in AO. It's only required :
if you feel your wife whines a lot
or if you feel your grammar is bad
or that all the NUTS in this world are dead (and to prove yourself otherwise)
or that AO sucks now
or that most of the fools with 11 green dots have no knowledge
or you have missed JP's gold dot for a long time (JP seriously with all due respect, no hard feelings)
or if you want some POSITIVE antipoints either in the thread or just make a partnership..
or if you are finally tired of Windows and want to go and kill everyone at Microsoft but want a reason why you shouldn't
or if the French have finally won a war
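The regsvr32 -u one-liner quoted in the two posts above gives you no way to confirm the workaround actually took on a given machine, and undoing it means remembering to drop the switch. The script below is an added example, not from the original thread and not Microsoft's or ISC's code, that wraps the same command in PowerShell: it lists the CLSIDs whose InprocServer32 points at vgx.dll before and after the change, runs regsvr32 /u (or re-registers with -Restore), and fails if the registry does not end up in the requested state. Assumptions, all mine: vgx.dll sits at the standard %CommonProgramFiles%\Microsoft Shared\VGX path, DllUnregisterServer removes every CLSID registration that names vgx.dll, and the function name Get-VgxRegistrations is invented for this example. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread): apply, verify, or reverse the
# vgx.dll unregistration workaround for the IE VML zero-day.
# Run elevated. Assumes the standard vgx.dll location; adjust $vgx if yours differs.
param(
    [switch]$Restore   # re-register vgx.dll (same command, without /u)
)

$vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

# Returns the CLSIDs whose in-process server is vgx.dll. An empty list means the
# VML renderer is no longer registered with COM, which is what the workaround wants.
# Assumption: unregistering removes every such InprocServer32 entry.
# Note: walking all of HKCR\CLSID takes a few seconds; on 64-bit Windows the
# 32-bit IE copy lives under WOW6432Node and ${env:CommonProgramFiles(x86)},
# which this native-view check does not cover.
function Get-VgxRegistrations {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')   # default value = DLL path
                $sub.Close()
                if ($server -match '(?i)\\vgx\.dll$') { $_.PSChildName }
            }
        }
}

if (-not (Test-Path -LiteralPath $vgx)) {
    Write-Host "vgx.dll not found at $vgx; nothing to do."
    exit 0
}

$before = @(Get-VgxRegistrations)

if ($Restore) {
    # Re-register: identical to the workaround command minus /u. /s suppresses the dialog.
    & regsvr32.exe /s "$vgx"
    $wantRegistered = $true
} else {
    # The workaround from the thread, silent so it can run from a logon script.
    & regsvr32.exe /s /u "$vgx"
    $wantRegistered = $false
}
if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed with exit code $LASTEXITCODE" }

$after = @(Get-VgxRegistrations)
Write-Host ("vgx.dll CLSID registrations: before={0} after={1}" -f $before.Count, $after.Count)

$ok = if ($wantRegistered) { $after.Count -gt 0 } else { $after.Count -eq 0 }
if (-not $ok) {
    throw 'Verification failed: registry state does not match the requested action.'
}

if ($Restore) {
    Write-Host 'VML renderer re-registered.'
} else {
    Write-Host 'VML renderer unregistered. Close and reopen IE and Outlook so the change takes effect.'
}
```

The before/after count is the part worth keeping even if you drop the rest: regsvr32 returns 0 whether or not anything changed, so the exit code alone does not tell you the machine was exposed in the first place, and a non-zero count after -u is the signal to go look for a second copy of the DLL. Once Microsoft's patch is installed, run the script with -Restore so VML rendering works again.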