CRITICAL – Buffer overflow in VML used by IE and Outlook

Print Friendly, PDF & Email

Summary

Threat Level: Critical Zero-Day Vulnerability
This threat is currently active and spreading in the wild. Most Windows-based computers, even if fully up-to-date with all the official Microsoft patches, are vulnerable right now unless certain actions are taken to protect yourself (see below).

What it does: Various websites, including advertising sites that generate advertisements appearing on trusted websites, become infected. These sites use a specific type of attack to slip through your computer’s security, leaving a big hole for your computer to be further attacked. Since some versions of Outlook and Outlook Express use Internet Explorer to display some types of e-mail, you can become infected just by displaying infected e-mails you receive.

What stops it: You can configure certain settings on your computer that will make it so the malicious software cannot run on your computer. Most of Microsoft’s workarounds may cause a few legitimate websites to incorrectly display within Internet Explorer. An unofficial workaround does not cause that problem, but it only works for people using Windows XP with Service Pack 2. An official patch is scheduled to eliminate the problem in a few weeks; an unofficial patch is available now. A good, up-to-date antivirus software package should also detect the malicious software; however, it is a good idea to check that no viruses have disabled your antivirus software before relying upon it to protect you.

Affected Software (as reported by Microsoft):

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition
  • Microsoft Windows Server 2003 x64 Edition

Additional affected software (as reported by Sunbelt):

  • Outlook 2007 – 12.0.417.1006: Can view VML but apparently not vulnerable.
  • Outlook 2003 11.8010.8036 SP2: vulnerable
  • Outlook 2003 11.6568.6568 SP2: unknown (not tested)
  • Outlook 2003 11.5608.5606: not vulnerable
  • Outlook 2003 11.5608.8028: not vulnerable
  • Outlook 2002: not vulnerable
  • Outlook 2000: not vulnerable

Official patch/security update: None at this time. According to Microsoft:

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

How to Protect Yourself

Until Microsoft releases an official patch (scheduled for Tuesday, October 10, 2006), you really can’t “fix” this flaw in your computer. You can apply an unofficial patch (which should work until Microsoft releases theirs, but Microsoft won’t help you if the patch messes up your system), you can enact some workarounds that stop the problem before it can harm your system, or perhaps do both.

Unofficial Workaround

In addition to the workarounds from Microsoft mentioned below, SecuriTeam has discovered that Windows XP users with Service Pack 2 installed have another option (and it’s good for blocking many other types of attacks, so it seems like a good idea!). Simply enable system-wide enforcement of software-enforced Data Execution Prevention (DEP) and make sure Internet Explorer is not exempted. It’s easier to do than to pronounce.

Difficulty: Not Very Difficult
Impact: Microsoft does not list any adverse problems with enabling this feature. In fact, they state “Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.”

The following instructions are based on one of several different ways Microsoft allows you to configure DEP. You must be logged on as an administrator to manually configure DEP on the computer. A restart is required after completing these steps.

  1. Click Start, click Run, type sysdm.cpl, and then click OK.
  2. On the Advanced tab, under Performance, click Settings.
  3. On the Data Execution Prevention tab, click Turn on DEP for all programs and services except those I select
  4. If Internet Explorer, Outlook Express, or Outlook are listed in the box below that option, you should either remove the program(s) from the list (select the program and click the Remove button) or at least make sure the checkbox in front of each program is unchecked.
  5. Click OK two times.
  6. Restart your computer for the changes to take effect.

Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.

Unofficial Patches

Until Microsoft releases an official patch, an unofficial patch that is not supported by Microsoft is available from the Zeroday Emergency Response Team (“ZERT”). ZERT is a group of highly skilled software and hardware engineers with industry liasons who develop emergency patches for vulnerable systems. They release patches only when they feel the risk of waiting for the vendor (in this case Microsoft) to release an “official” patch is greater than the risk of releasing a patch that may not be quite as polished and fully tested, but blocks the problem. Additionally, there are several links to additional good information about the threat. ZERT’s site is located at: http://isotf.org/zert/

Download the ZERT patch and view the instructions.

Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.

Official Microsoft Workarounds

See Microsoft’s page under the Suggested Actions headings for updates to the following information.

Un-register Vgx.dll

Difficulty: Not Very Difficult
Impact: Applications that render VML will no longer do so once Vgx.dll has been unregistered. Generally, that should not impact your day-to-day web browsing very much unless a particular favorite site of yours uses VML; most sites do not use it much if at all.

To un-register Vgx.dll, follow these steps:

  1. You must be logged in as the administrator or another account with administrative rights.
  2. Click Start, click Run, type regsvr32 -u "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll", and then click OK.
  3. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
  4. Restart the system

To re-register Vgx.dll (this will make you vulnerable again), follow these steps:

  1. You must be logged in as the administrator or another account with administrative rights.
  2. Click Start, click Run, type regsvr32 "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll", and then click OK.
  3. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
  4. Restart the system

Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.

Modify the Access Control List on Vgx.dll to be more restrictive

Difficulty: Fairly Advanced (if you do not know what ACL’s are, skip this one)
Impact: Applications and Web sites that render VML may no longer display or function correctly. Generally, that should not impact your day-to-day web browsing very much unless a particular favorite site of yours uses VML; most sites do not use it much if at all.

To modify the Access Control List (ACL) Vgx.dll to be more restrictive, follow these steps:

<li>Click <strong>Start</strong>, click <strong>Run</strong>, type "<code>cmd</code>" (without the quotation marks), and then click <strong>OK</strong>.</li>
<li>Type the following command at a command prompt. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference in case you have to undo this modification:<br />

cacls "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll"

  • Type the following command at a command prompt to deny the ‘everyone’ group access to this file:
    echo y| cacls "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll" /d everyone
  • Close Internet Explorer, and reopen it for the changes to take effect.
  • To undo this change, you will need to modify the ACL back to its original settings as noted in step #2 above.

    Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.

    Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

    Difficulty: Not Very Difficult
    Impact: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly. This workaround may impact more websites than the previous two, because more than VML scripts may be disabled, which may cause more sites to not display correctly.

    You can help protect against this vulnerability by changing your settings to disable binary and script behaviors in the Internet and Local intranet security zone. To do this, follow these steps:

    1. In Internet Explorer, click Internet Options on the Tools menu.
    2. Click the Security tab.
    3. Click Internet, and then click Custom Level.
    4. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.
    5. Click Local intranet, and then click Custom Level.
    6. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.
    7. Click OK two times to return to Internet Explorer.

    Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.

    Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

    Difficulty: A Little Difficult (Requires use of RegEdit, an advanced and potentially dangerous admin tool)
    Impact: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally, (1) the changes are applied to the preview pane and to open messages, (2) pictures become attachments so that they are not lost, and (3) because the message is still stored in Rich Text or HTML format certain aspects of the message may behave unexpectedly.

    Microsoft Outlook 2002 with Office XP SP 1 or later and Microsoft Outlook Express 6 with Internet Explorer 6 SP 1 or later can enable a setting to view most messages in plain text only. Digitally signed e-mail messages and encrypted e-mail messages are not affected by the setting. For information on enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

    Block VML Vulnerability Traffic with ISA Server

    If your organization uses Microsoft ISA Server 2004 or 2006 firewall software, see Microsoft’s article “Learn How Your ISA Server Helps Block VML Vulnerability Traffic“.

    Once you have protected your system, visit ZERT’s vulnerability test page. NOTE: If your system is vulnerable, your browser will crash. If your browser crashes after following these instructions, carefully re-read the instructions and try again or try a different patch or workaround.


    Originally posted by me to my company’s website at Allogro.com.

    Related Posts:

    Leave a Comment