NEWS FROM THE LAB - Wednesday, September 20, 2006
 
VML Exploit - Internet Explorer
Posted by Stefan @ 09:09 GMT

[Image: Outlook's Default Settings - Restricted Sites]

Once again there is a browser vulnerability that allows for the remote execution of code. The only action necessary to become infected is to view a malicious webpage in Internet Explorer or to view an HTML-formatted e-mail.

It was discovered in the wild by Sunbelt. Microsoft published Microsoft Security Advisory (925568) yesterday regarding the issue. The update is currently scheduled for October 10th, the next regular Patch Tuesday.

As with the WMF exploit, the advised workaround for the vulnerability is to unregister the susceptible DLL from the system.

To unregister the DLL, execute the following from Start, Run:
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This differs slightly from Microsoft's recommendation so that it also covers localized versions of Windows.

The vgx.dll component handles only Vector Markup Language (VML). VML is a description format that browsers use to draw vector graphics. Not many websites use this format today; most display plain images instead. It is also supported only by Internet Explorer. Opera and Firefox implement Scalable Vector Graphics (SVG).

Use this link with IE to see an example of VML. If you have the dll registered, you'll see a clock. Once unregistered, you shouldn't see anything.
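The same check can be made from the registry instead of a demo page. The script below is an added example, not part of the original post or Microsoft's advisory; it assumes PowerShell 3.0 or later, and `Get-VgxRegistration` is a hypothetical helper name.

```powershell
# Added example, not from the original post: confirm the vgx.dll workaround took effect.
# Lists COM classes whose in-process server is still vgx.dll.
# Get-VgxRegistration is a hypothetical helper name.

function Get-VgxRegistration {
    # The Wow6432Node root exists only on 64-bit Windows (32-bit registrations).
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Skip keys that cannot be opened (access denied) or have no InprocServer32.
            try { $key = $clsid.OpenSubKey('InprocServer32') } catch { continue }
            if ($null -eq $key) { continue }
            try {
                # The default value holds the DLL path; GetValue expands REG_EXPAND_SZ data.
                $server = [string]$key.GetValue('')
            } finally {
                $key.Close()
            }

            # Compare on file name only: the stored path may be quoted or in 8.3 short form.
            $leaf = ($server.Trim('"') -split '\\')[-1]
            if ($leaf -ieq 'vgx.dll') {
                [pscustomobject]@{ Clsid = $clsid.PSChildName; Server = $server }
            }
        }
    }
}

# Same path the regsvr32 command above uses.
$dll   = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$found = @(Get-VgxRegistration)

'vgx.dll on disk    : {0}' -f (Test-Path -LiteralPath $dll)
if ($found.Count -eq 0) {
    'vgx.dll registered : no (workaround in place)'
} else {
    'vgx.dll registered : yes (workaround not in place)'
    $found | Format-Table -AutoSize | Out-String
}
```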

Microsoft's Outlook e-mail client is also potentially vulnerable to this exploit. Fortunately, e-mail is treated by default as if it came from Restricted Sites, where Binary and Scripting Behaviors is disabled. If you use a web-mail client with Internet Explorer, you might still be vulnerable.

[Image: Unregistering vgx.dll]

We strongly recommend implementation of this workaround immediately.