Microsoft Internet Explorer VML Code Execution Vulnerability

Discussion in 'other security issues & news' started by ronjor, Sep 19, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Secunia
     
  2. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ridiculous.

    By the way, the group exploiting this in the wild is the same group of the Gromozon rootkit.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Then until there is a patch, this could be called a Zero-Day Exploit.
     
  5. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    VML 0-day exploit

    Details here
    Workaround here
     
  6. sysdvo

    sysdvo Registered Member

    Joined:
    Sep 14, 2004
    Posts:
    1
    Location:
    in a tree
    Re: Solution: Do not visit untrusted web sites. Here are some more links
    http://www.microsoft.com/technet/security/advisory/925568.mspx
    http://www.kb.cert.org/vuls/id/416092
    http://blogs.securiteam.com/index.php/archives/624

    sec...ry / easy solution until next black tuesday:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

    MOTD:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
    C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

    Some fresh ISS sigs to see in the near future: HTML_VML_Overflow, JavaScript_DirectAnimation_Overflow
    and older ones continue
    HTML_IE_Javaprxy_Heap_Corruption, HTTP_IE_ADODB_Stream_SaveToFile, DHTML_Object_Overflow, JavaScript_WScript_Shell_Object, JavaScript_NOOP_Sled, JavaScript_Shellcode_Detected, HTML_JS_Window_Code_Exec etc

    True, this is clear ongoing "0-day" - but then again, so was WMF, and PnP, &
     
    Last edited by a moderator: Sep 22, 2006
  7. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    I have sandboxed my browsers using Sandboxie and tested IE7 against the exploit and it passed.

    Here is a link to test IE to see if you're secure or not (warning: you will crash IE if you haven't secured it)
    http://www.isotf.org/zert/testvml.htm
     
    Last edited: Sep 22, 2006
  8. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Hurray
     

  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Even my out of the box IE7 RC1 aced the test also.
     

  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yeah! I passed the test :D :shifty:
     

  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I got this visiting the webpage :D
     

  12. RJ100

    RJ100 Registered Member

    Joined:
    May 22, 2003
    Posts:
    111
    Location:
    Alberta, Canada
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    or this:
     

  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  15. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    You may also want to reregister MSHTML.DLL according to this read on BBR DSL forums. I had done the workaround for this MS vulnerability so I reregistered both files. I understand the MSHTML.DLL file is related to Windows updating and those that don't reregister it may have future update problems. I do use AT&T DSL Browser, which is a customised IE6, so I will have to wait & see if this causes me any registry Version Vector entry problems. I'm hoping not.

    http://www.broadbandreports.com/forum/remark,16983169~mode=flat
     