Yellow
The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.
If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used on more and more mainstream websites. The risk of getting hit is increasing significantly.
Outlook (including Outlook 2003) is, as expected, also vulnerable, and the email vector is being reported as exploited in the wild as well.
Moreover, weekends are a popular time for the bad guys to build their botnets.
Actions
We suggest the following actions (do them all: a layered approach will still work when one of the measures fails):
Update your antivirus software and make sure your vendor has protection for this exploit.
Unregister the vulnerable DLL:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Consider asking your users to stop their usage of MSIE. We know it's hard to break an addiction, but you're using the most targeted browser in the world.
Reregistering a DLL is done with the same command as unregistration, but without the "-u".
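For rolling the unregistration out to many machines, the two commands above can be wrapped in a silent script that reports failures. This is an added example, not part of the original diary; it assumes it runs with administrator rights (for instance as a startup script), and the `:unreg` label and `RC` variable are names chosen here.

```bat
@echo off
rem Added example: silently unregister vgx.dll using the two paths from the diary.
rem Exits 0 when every copy found was unregistered, 1 when any attempt failed.
setlocal
set "RC=0"

call :unreg "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
call :unreg "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
exit /b %RC%

:unreg
rem Skip paths where the DLL is not installed.
if not exist "%~1" (
    echo [skip] "%~1" not found
    goto :eof
)
rem /u = unregister, /s = no dialog boxes; start /wait returns regsvr32's exit code.
start "" /wait regsvr32 /u /s "%~1"
if errorlevel 1 (
    echo [FAIL] regsvr32 returned %errorlevel% for "%~1"
    set "RC=1"
) else (
    echo [ok] unregistered "%~1"
)
goto :eof
```

On most systems both paths point to the same file, so the second call simply repeats the first. To re-register later, run the same `regsvr32` line without `/u`.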
References
US-CERT Vulnerability Note
AusCERT Vulnerability Note (phishing-like technique)
Microsoft Security Advisory 925568
Blocking VML using a GPO (use the magic incantations at your own risk)
Snort VRT
Websense
McAfee
Symantec
Trend Micro
Panda
F-Secure
xforce.iss
Sept. 21st diary
Sept. 19th diary