Just catching up on the days VML vulnerability news from today…. It looks as though… the exploit is now MUCH more widespread this blog has some video of an infection, what’s notable is that the first take was VERY UNEVENTFUL, it was used to stealthily install a keylogger. (So that they can harvest paypal/bank/etc. passwords…) So, there might not be a big red “you’re owned” sign pop up. Sunbelt reported on a test page to visit to see if you’re vulnerable. The direct link is http://www.isotf.org/zert/testvml.htm (Will crash IE if it’s vulnerable.)
There is an unofficial patch available from a new group known as ZERT (zeroday emergency response team.) (Microsoft is not recommending the unofficial patch of course.) Microsoft DID come out and suggest that an out of cycle patch is a possibility. They don’t seem to see the presense of the exploit as widespread yet. Incidents.org went to yellow as the exploit became more widespread…. Someone, I’m sure will pass that along to Microsoft… It should be noted that email clients are also vulnerable (Outlook 2003 for instance), so be careful with unexpected emails…
And on the “widespread” use of the exploit there’s this from SANS as well..
Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and “[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains”. Those domains pointed visitors to a VML exploit. We’re happy to note they join us in recommending “implementing a workaround ASAP” and see the upcoming weekend as a factor in it.
Disturbing to say the least. Watch out for the possibility then of legitimite sites hacked to include very subtle exploit induced keylogger installs. Either unregister the dll affected or think about using the unofficial patch (or an alternative browser) until Microsoft sees the need to go out of cycle and get a patch out the door.
(Editorial note – Still no word on any exploits being used to remove DRM from windows media files…. that would speed things up. Sorry, I couldn’t resist.)
Brian Krebs at the Security fix brings us more details on the hosting provider attack, saying that Host Gator had numerous accounts altered in the attack, they’re cleaning up. There’s also this…
AusCERT, the Australian Computer Emergency Response Team, said it has seen widespread e-mails urging users to click on links to Web sites that exploit the flaw to install malicious software.
Some malicious sites appear to be using the exploit to silently install spyware and adware, while others are seeding visitors’ Windows machines with hard-to-remove keystroke loggers or “form grabbers” designed to steal username, password and financial data when users enter data at bank or e-commerce Web sites.
So confirmation of the email vector and the silent installs. In other words, it may take a while to become aware of the full impact of this (keyloggers may remain undetected on some systems for a LONG time.)
There’s also an investigation of Webattacker which is a tool sold for $20 that has all sorts of ill uses. (Fake sites for identity theft, spyware/adware delivery, etc.)
In many ways, the analysis of Webattacker gives a really bleak view of the current state of the internet/malware/spam…..
Finally, websense has posted a report verifying an increase in activity. Unfortunately, there may be many botnets growing this weekend.
Oh and YES Internet Explorer 7 RC is immune to the vml vulnerability.
Let’s see…. from the weekend the Hostgater crack was due to a cpanel vulnerability.
Also, Sunbelt reminds us, this is not the only zero-day floating around for IE right now.
And there is a FAQ on the VML 0-day for IE here. (I’m trying to think how many other acronyms I could work into the last sentence…. get the FAQ for the IE VML 0D PDQ here…. oh well..)
Related PostsRelated Posts
- Version 2 of the WMF exploit vs Windows 98 SE Ok, I wasn't quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that's now up to 4 or 5 days or so... Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for......
- The security of remote tech support (ultravnc sc or x11vnc with wrapper script) Well, I've got a nice way of doing "easy" one click (or one cut and paste) light desktop support for windows or linux, one uses ultravnc sc, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? Well, for starters, I see......
- Exploit Thursday - this months winner - Powerpoint The SecurityFix reminds us of what usually comes close behind Patch Tuesday.... exploit Wednesday or Thursday and this month, the exploits seemed to start coming out Thursday. There's a new Powerpoint exploit starting to make the rounds right on the heels of Patch day. The main goal is likely to......
- Selecting The Best Seo Firm For Your Business Most of the corporations are making noticeable progress with search engine optimization. The procedure resolves the problem of aiming the top rank place within the standard search engines. A search engine optimization agency is employed by an organization to take complete responsibility of its high quality promotion on the web.......
- Microsoft to Improve User Access Control in Windows 7 I was just reading a Slashdot article about Microsoft improving User Access Control (UAC) in Windows 7. In the cited PC Pro article, Microsoft engineer Ben Fathi says: We've heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to......
- How To Get Free Music Slacker Offers free streaming music to your desktop or hand-held slacker device. Quite a large of music and no annoying ads interspersed between tracks unlike Yahoo!'s Launch player. You can also add your favorite artists to your station and customize to your tastes. Spiralfrog.com Spiralfrog offers free music downloads from......
- Microsoft Internet Explorer patches for unsupported OS versions (Windows 98 and ME)
- WMF vulnerability checker
- WMF patch from Microsoft expected January 10th
- Lotus Notes WMF vulnerability
- Two new Windows exploits in the Wild | Wordpad Text Converter | Internet Explorer 7 XML Parser