==================================
Security Watch: VML Bug Imperils IE Users
ARTICLE DATE: 09.25.06
By Larry Seltzer, eWEEK
The Watch
Visit the wrong Web page with your completely patched-up Internet Explorer and your computer belongs to someone else... again. Find out what you can do about it in the Top Threat section.
Who are the big targets of phishing attacks? OK, you know who #1 is, but there's a lot of volatility in the list below that. See the top 30 in the Top Phishing Attacks section.
If you're still running Windows XP SP1 because it's just fine and you have no problems, well, you've got a problem. Find out what it is in the SP1 Support section.
Most phishing attacks are simple affairs, but not this week's. It's got something for everyone. See what we're so excited about in this week's Top Phish.
Many people think of the PDF file as an innocuous, harmless object, but new research shows otherwise. See what damage can be done in the PDF Backdoors section.
Apple fixed some AirPort security problems, and they didn't make anyone give up their water bottle to do it. Find out what the problems are in the AirPort Security section.
VML was the target of a major attack last week. It's only supposed to be about graphics, but the big picture is darker. Find out what VML is inJargon Watch.
DVD-sniffing Labrador Retrievers are the latest industry tool in sniffing out pirated DVDs. This and other high-tech news in the Security Watch Story Feed.
Top Threat: IE Zero-Day VML
Executive Summary
Name: IE Zero-Day VML
Affects: Internet Explorer 5, 6
What it does: For about a week a zero-day attack against fully-patched installations of Internet Explorer has been in use on the Internet, although attacks became much more widespread late last week. The flaw exploited by the now numerous available attacks is in Microsoft's implementation of VML, and is capable of executing arbitrary code on the system. A test page to show you if you're vulnerable to the attack is available through the ZERT, the Zeroday Emergency Response Team.
The attack was first reported by Sunbelt Software on their blog. Microsoft soon acknowledged the attack in an advisory and one of their blogs. They say that they plan to fix it on their October patch day, scheduled for October 10, but may do so earlier if circumstances warrant. As of Friday, Microsoft maintains that "attacks remain limited."
Numerous workarounds and other responses have been developed:
An outside agency, ZERT, has developed a third-party patch.
Unregister the VML software with the following command in either the Start-Run dialog or a command line session:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
In a managed environment, use group policy to implement the "Unregister" tip throughout the network.
Use an alternative browser.
Disable Javascript (although some exploits have been demonstrated even in this configuration).
Use IPS (Intrusion Prevention Software) to block the attack.
