Attacks against the vector markup language (VML) flaw in Internet Explorer (IE) intensified Tuesday, as Microsoft...
announced plans to patch the vulnerability Oct. 10 or sooner.
"Microsoft has confirmed new public reports of a vulnerability in the Windows implementation of VML," a company spokesman said via email. "Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. This exploit code could allow an attacker to execute arbitrary code on the user's system."
He said a patch addressing the flaw "is now being finalized through testing to ensure quality and application compatibility" and is scheduled for release Oct. 10 or sooner. Microsoft releases patches the second Tuesday of each month, but has been known to release them out-of-cycle when the threat has been serious enough. The last out-of-cycle fix was for the WMF flaw in January.
Attackers are targeting a buffer overflow caused by how IE handles VML code. Early Wednesday, the Bethesda, Md.-based SANS Internet Storm Center (ISC) warned that attacks are now coming from multiple directions.
Several attacks are originating from a series of pornographic Web sites based in Russia, with the goal of dropping malicious code onto Windows machines to make them part of botnets.
"Since this exploit seems to be rather easy to recreate once there is a sample, there is no end to how and where it can and will be used," Frantzen said. "We'd not be surprised to see it appear soon in more mainstream public sources of exploits."
Microsoft has released an advisory outlining several workarounds users can employ to blunt the threat:
- Unregister Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1;
- Modify the access control list on Vgx.dll to be more restrictive;
- Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable binary and script behaviors in the Internet and local intranet security zone; and
- Read email messages in plain text format to help protect systems from the HTML email attack vector.