For several days we have been monitoring the explosion of the VML 0-day for Internet Explorer. It has become clear that this is a significant exploit.
Attackers began almost immediately to spread and improve the exploit once it was published. It was quickly included in several vulnerability and exploit tools. It took a surprisingly short amount of time for the incidents to begin to pop up around the Net.
The fact that Outlook is also vulnerable added fuel to the fire in the underground, as attackers with all kinds of motives began their assaults. They continue, even as I write this.
The exploit is ugly and dangerous. It has multiple attack vectors, including web and email, and attackers have refined the code until they now have the capability to do proper version checking and adapt the exploit to a variety of platforms.
Currently, some AV vendors have been less successful in defending against this problem than others. Many AV vendors are working hard to keep up with the ever-changing set of binaries that the exploit examples download after the exploit runs. We all know this is admirable, but a losing battle. Truly resourceful attackers will grab code that is in no database, and even basic attackers will be able to modify existing tools to bypass the rudimentary checks many vendors are using.
In the meantime, the workaround also continues to be used and refined. If you can get by without VML, unregister the DLL to protect yourself and your organization. Security teams should be making this decision quickly, as it may already be too late.
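As an added example of applying that workaround across a fleet (this script is not from the original post and not Microsoft's own tooling), the following PowerShell unregisters the VML renderer with regsvr32 and can re-register it once the official patch is installed. It assumes the VML DLL is vgx.dll under Common Files\Microsoft Shared\VGX; that path is not stated in the post above, so confirm it for your Windows and IE build before rolling this out.

```powershell
# Disable-Vml.ps1 (hypothetical name): apply or revert the "unregister the VML DLL" workaround.
# Assumption: the VML component is vgx.dll under Common Files\Microsoft Shared\VGX.
# Run from an elevated (administrator) PowerShell prompt.
param(
    [string]$VmlDll = (Join-Path ${env:ProgramFiles} 'Common Files\Microsoft Shared\VGX\vgx.dll'),
    [switch]$Revert   # re-register the DLL after the vendor patch is installed
)

function Invoke-RegSvr32 {
    # Runs regsvr32 silently (/s) and returns its exit code; /u unregisters instead of registering.
    param([string]$Path, [switch]$Unregister)
    $argList = @('/s')
    if ($Unregister) { $argList += '/u' }
    $argList += "`"$Path`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

if (-not (Test-Path -LiteralPath $VmlDll)) {
    Write-Output "VML DLL not found at $VmlDll; nothing to do (check the path for this build)."
    exit 0
}

if ($Revert) {
    $exitCode = Invoke-RegSvr32 -Path $VmlDll
    $action = 'Re-registered'
} else {
    $exitCode = Invoke-RegSvr32 -Path $VmlDll -Unregister
    $action = 'Unregistered'
}

if ($exitCode -eq 0) {
    Write-Output "$action $VmlDll (regsvr32 exit code 0)."
} else {
    # A non-zero code usually means insufficient rights or a wrong path; surface it for the operator.
    Write-Warning "regsvr32 returned $exitCode for $VmlDll; confirm the prompt is elevated and the path is correct."
}
```

Run `.\Disable-Vml.ps1` to apply the workaround and `.\Disable-Vml.ps1 -Revert` after the patch ships. On 64-bit hosts, check whether a second copy of the DLL lives under the 32-bit Program Files directory and pass it via `-VmlDll` as well; keep a record of which hosts were changed so the revert step is not forgotten.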
The last we heard, Microsoft is scheduled to release the official patch on Oct. 10. This means there is still plenty of time for attackers to identify, target and exploit users around the world. The workaround may be the best defense until the patch becomes available.
Stay tuned to your normal security intelligence sources for more information as it becomes available. Check out WatchDog if you are looking for such a source. It is available FREE from http://www.microsolved.com/watchdog