
VeriSign: Microsoft VML exploit attacks increasing; third-party patch released

Experts at VeriSign iDefense warned today that vector markup language (VML) attacks targeting Microsoft's latest zero-day vulnerability are on the rise as awareness of the flaw grows.

The researchers with iDefense said that they have monitored for VML attacks through Thursday and noted only light traffic. However, iDefense experts said that the attacks increased this morning and that attackers are using three different methods to exploit the flaw.

"VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of the Rapid Response Team at iDefense. "At least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting website."

Microsoft, however, denied that such an increase of activity surrounding the flaw is occurring.

"Attacks remain limited," wrote researcher Scott Deacon in the Microsoft Security Response Center blog. "There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability."

Deacon said that if Microsoft can test for patch quality quickly enough it will release the patch out of cycle. In the meantime, Dunham and other experts recommend implementing a workaround as soon as possible.

Among the suggested workarounds is a third-party patch created by the Zeroday Emergency Response Team (ZERT). However, Microsoft and some security gurus advise caution with this patch.

"If you are an individual user, it is probably ok to add the patch," said Eric Sites of Sunbelt Software. "If you are a large IT organization it is probably not good to use the patch because it could cause issues when you go to install the real patch."

The workaround that Sites recommended is to create a Group Policy Object entry to unregister the affected DLL file until Microsoft releases the patch. However, he does warn that there are reported problems for machines using Peachtree accounting software if this file is deactivated.

Click here to email West Coast Bureau Chief Ericka Chickowski.
