Microsoft Internet Explorer VML Code Execution Vulnerability

Discussion in 'other security issues & news' started by ronjor, Sep 19, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    Secunia
     
  2. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ridiculous.

    By the way, the group exploiting this in the wild is the same group of the Gromozon rootkit.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Then until there is a patch, this could be called a Zero-Day Exploit.
     
  5. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    VML 0-day exploit

    Details here
    Workaround here
     
  6. sysdvo

    sysdvo Registered Member

    Joined:
    Sep 14, 2004
    Posts:
    1
    Location:
    in a tree
    Re: Solution: Do not visit untrusted web sites. Here are some more links
    http://www.microsoft.com/technet/security/advisory/925568.mspx
    http://www.kb.cert.org/vuls/id/416092
    http://blogs.securiteam.com/index.php/archives/624

    sec...ry / easy solution until next black tuesday:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

    MOTD:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
    C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

    Some fresh ISS sigs to see in the near future: HTML_VML_Overflow,JavaScript_DirectAnimation_Overflow
    and older ones continue
    HTML_IE_Javaprxy_Heap_Corruption,HTTP_IE_ADODB_Stream_SaveToFile,DHTML_Object_Overflow,JavaScript_WScript_Shell_Object, JavaScript_NOOP_Sled,JavaScript_Shellcode_Detected,HTML_JS_Window_Code_Exec etc

    True, this is clear ongoing "0-day" - but then again, so was WMF, and PnP, &
     
    Last edited by a moderator: Sep 22, 2006
  7. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    I have sandboxed my browsers using Sandboxie and tested IE7 against the exploit and it passed.

    Here is a link to test IE to see if your secure or not (warning: you will crash IE if havent secured it)
    http://www.isotf.org/zert/testvml.htm
     
    Last edited: Sep 22, 2006
  8. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Hurray
     

    Attached Files:

  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Even my out of the box IE7 RC1 aced the test also.
     

    Attached Files:

  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yeah! I passed the test :D :shifty:
     

    Attached Files:

  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I got this visiting the webpage :D
     

    Attached Files:

  12. RJ100

    RJ100 Registered Member

    Joined:
    May 22, 2003
    Posts:
    111
    Location:
    Alberta, Canada
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    or this:
     

    Attached Files:

  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  15. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    You may also want to reregister MSHTML.DLL according to this read on BBR DSL forums. I had done the workaround for this MS vulnerability so I reregistered both files. I understand MSHTML.DLL file is related to Windows updating and those that don't reregister it may have future update problems. I do use AT&T DSL Browser, which is a customised IE6, so I will have to wait & see if this causes me any registry Version Vector entry problems. I'm hoping not.

    http://www.broadbandreports.com/forum/remark,16983169~mode=flat
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.