VML threat remains, security firms warn

News | Sep 25, 2006 | 4 min read
Malware, Security, Small and Medium Business

The IE browser flaw could be worse than WMF, says iDefense

The worst may not yet be over for the Vector Markup Language (VML) vulnerability in Microsoft Corp.’s Internet Explorer Web browser.

Several security firms today reported that new, publicly available exploits for the flaw, which became public last week, are now circulating, including ones aimed at Windows XP Service Pack 2 systems and a module released through the open-source Metasploit Project.

Meanwhile, San Diego-based security firm Websense Inc. today issued an alert about mass-mailed lures that lead recipients to Web sites hosting VML exploit code. One example is an e-mail disguised as a Yahoo greeting card that, once opened, directs the recipient to a site hosting VML attack code. The Websense alert is similar to one issued last week by the Australian Computer Emergency Response Team (AusCERT) about a spam e-mail that appeared to come from Commonwealth Bank of Australia and tried to direct users to Web sites hosting VML exploit code.

In addition, iDefense, a VeriSign Inc. unit, said it has so far confirmed that nearly 2,000 Web hosting servers were hijacked last week through a separate zero-day attack and then used to redirect visitors to Web sites hosting VML exploits. According to Ken Dunham, director of the rapid response team at iDefense, several hundred thousand and possibly up to 3 million Web sites may have been injected with hostile iframe links that redirected visitors to remote VML exploit sites.

He said VeriSign had confirmed successful attacks within 45 large networks and more than 10,000 consumer infections in one large network alone. The attacks against the domain hosting servers were launched last Thursday, Dunham said. Hackers appear to have previously broken into these servers using an exploit targeting an unpatched vulnerability in a popular Web-site management tool called cPanel, he said.
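As an added example (not code from the article, from iDefense or from VeriSign), the following Python script performs the check a hosting administrator would want after reading the account above: a static scan of served HTML for the injection pattern Dunham describes, an iframe that is hidden from the visitor and whose src points at a host other than the site itself. The sample pages, the exploit host names and the www.example.com site name are constructed for illustration.

```python
# Added example: detect hidden iframes that pull content from a foreign host,
# the injection pattern described in the article. Sample pages and host names
# below are constructed, not taken from any real site.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # valueless attributes arrive as None; normalise them to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height values such as "0", "0px" or " 0"."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def is_hidden(attrs):
    """Heuristics for a frame the visitor is not meant to see."""
    if _is_zero(attrs.get("width", "")) and _is_zero(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").lower().replace(" ", "")
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or ("width:0" in style and "height:0" in style)
    )


def find_suspicious_iframes(html, site_host):
    """Return the src of each hidden iframe that loads from a host other than
    site_host. Relative URLs and same-host frames are left alone."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host.lower() and is_hidden(attrs):
            hits.append(src)
    return hits


def scan_documents(docs, site_host):
    """Map each document name to its suspicious iframe sources; clean pages are omitted."""
    report = {}
    for name, html in docs.items():
        hits = find_suspicious_iframes(html, site_host)
        if hits:
            report[name] = hits
    return report


# Constructed sample content for a site served as www.example.com.
SAMPLE_PAGES = {
    # injected zero-size frame pointing at an exploit host: flagged
    "index.html": (
        "<html><body><h1>Welcome</h1>"
        '<iframe src="http://exploit.example/in.cgi?3" width=0 height=0></iframe>'
        "</body></html>"
    ),
    # a hidden frame that is local, plus a visible third-party embed: both benign
    "about.html": (
        "<html><body><p>About us</p>"
        '<iframe src="/video/embed.html" style="display:none"></iframe>'
        '<iframe src="http://maps.example.org/embed" width="400" height="300"></iframe>'
        "</body></html>"
    ),
    # CSS-hidden frame loading from a bare IP address: flagged
    "news.html": (
        '<html><body><iframe style="visibility: hidden" '
        'src="http://198.51.100.7/vml.htm"></iframe></body></html>'
    ),
}

if __name__ == "__main__":
    for page, srcs in scan_documents(SAMPLE_PAGES, "www.example.com").items():
        print(f"{page}: {', '.join(srcs)}")
```

A tag-level scan like this is only a first pass: injections of this kind were also delivered as obfuscated script that writes the iframe at run time, which a static parser will not see, so on a hosting server the scan is best paired with a diff of every virtual host's content against a known-good backup.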

“This has not reached a high degree of exploitation yet,” said Dunham. “But we believe the capabilities for the automation or semi-automation of the exploit code are imminent. This is not the Code Red or the Slammer of the Internet, but it has the potential to eclipse the WMF exploit. To date it is following a similar exploitation path.”

Dunham was referring to the Windows Metafile (WMF) zero-day vulnerability that surfaced in late December 2005 and was patched in early January.

Eric Sites, vice president of research and development at Sunbelt Software Inc., who first reported the VML vulnerability last week, said that the easy availability of exploit code for SP2 via sites such as xsec.org and milw0rm.com is likely to result in more sites being infected. He also expects the same to happen as more of the 10,000 or so Web sites running a hacker tool kit called WebAttacker are updated with VML exploit code.

WebAttacker is a Russian-made tool kit available for purchase at several Web sites. It offers exploits for a range of vulnerabilities in IE and other software.

Also likely to contribute to the spread of VML exploits is the reported availability of attack code via the Metasploit Project, said Johannes Ullrich, chief technology officer at the Bethesda, Md.-based SANS Internet Storm Center. Metasploit is an open-source exploitation framework that packages exploits for known vulnerabilities as reusable modules, which lowers the effort needed to weaponize a newly disclosed flaw.

As a result, it is imperative for companies to take steps to mitigate the threat by disabling the VML function on host systems and updating antivirus functions, he said.

The VML vulnerability is a buffer overflow in vgx.dll, the library Internet Explorer uses to render VML, and it can allow an attacker to take complete control of a vulnerable system; Microsoft's interim workaround is to unregister that library until a patch is available. Until now, at least, exploitation has required the user to open a malicious Web page or follow a link to one. But security analysts fear that it is only a matter of time before an e-mail exploit becomes available that is launched without any user interaction. Exploits for the flaw were originally found on a handful of Russian pornography sites, but they have become more widely distributed over the past few days. Microsoft has said that it will release a patch for the flaw as part of its regularly scheduled security updates for October.