Patch Management

More malicious sites spread Internet Explorer VML exploit

September 21, 2006

More hackers are spreading exploit code designed to crash Microsoft Internet Explorer (IE) through a newly discovered unpatched vulnerability.

Microsoft posted an advisory yesterday on the buffer overflow flaw that exists in IE's Vector Markup Language (VML), a component of Extensible Markup Language (XML) that specifies vector images in an XML document for display.

Since then, more malicious websites have been confirmed to be hosting exploit code, according to Ken Dunham, director of the Rapid Response Team at VeriSign iDefense.

Hackers may test and update the exploit code soon, said Dunham.

"WebAttacker, a Russian hacker-for-hire malicious code toolkit, is being used to launch current attacks in the wild. WebAttacker is an attack tool that has been popularized through the Russian underground in 2006, selling for about $250," he said. "It is able to quickly generate exploits for multiple IE and (Mozilla) Firefox vulnerabilities to effectively launch malicious code in the wild."

The exploit can be mitigated by turning off JavaScript, according to numerous researchers, although that is only one of the vectors it uses for attack.

A Microsoft spokesperson said this week that the company is preparing a fix for the vulnerability that could be ready as soon as the Oct. 10 Patch Tuesday, or sooner if warranted.

The software giant encouraged users to keep anti-virus software up to date and scan for malware.

Earlier this month, hackers published proof-of-concept code for a newly discovered IE flaw, which can allow an attacker to execute malicious code on an affected machine.

Russ Cooper, senior information security analyst at Cybertrust, told SCMagazine.com today that home users are more at risk for infection than those at work.

"Anyone who's been previously infected by something will probably get infected by this, since this will be put into bots and put onto sites that have already been distributing infections for ages. You're basically talking about changing the arsenal of malicious users," he said. "It's highly unlikely that (users in) enterprises are being allowed to go to sites that are distributing this matter, but if you've had someone in an organization that's been infected by something like this, they'll probably get infected again."

Click here to email Frank Washkuch Jr.
