Security firm beats Microsoft to patch VML hole
The patch is unsupported, and ZERT warns that although the patch is tested, it is provided ‘as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch’.
Microsoft’s Scott Deacon, from the Microsoft Security Response Center, said that ‘We think it’s great that there are people out there working to help protect our customers. But … we cannot endorse third party updates.’
He said that the team was working around the clock to have a patch available quickly, and was confident that the progress made meant a fix that passes stringent quality and compatibility tests would be available before the next round of security bulletins, due 10 October.
Pressure is mounting on Microsoft to come up with a fix, and fast. Security researchers at Sunbelt and Internet Security Systems – the first to discover the vulnerability – have identified numerous websites hosting exploit code. According to Sunbelt, an entire ISP has been hacked and a number of its websites hijacked to host exploits. Sophos too counts Troj/Dloadr-ANO, Troj/Goldun-EC and Troj/Goldun-ED among the threats being used in such attacks.
However, in spite of masses of activity by the virus underground in the wake of the security revelation, there is no evidence as yet of large-scale successful attacks on end-users. To succeed, an attacker has to persuade the victim to visit a website that hosts exploit code, as the attack cannot be carried out automatically.
‘Attacks remain limited,’ said Deacon. ‘There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.’
Sunbelt’s Alex Eckelberry added that hackers writing exploit code for vulnerabilities is no reason to panic: ‘It’s an exploit. And it works. What else do you expect hackers to do? The world isn’t coming to an end though. Just take your normal precautions.’
A successful attack, however, would potentially give the attacker complete control of the target system, including the ability to run code remotely. Websense has a movie of an attack in action.
A workaround for the VML flaw is to simply unregister VGX.DLL and set Outlook to only display email in plain text until an official update becomes available.