Zero Day exploit being used to infect PCs

[DavidR]

I'm aware of that Frank, the comment was more aimed at others who might be viewing the Topic, now or later currently (Read 192 times).

[cyfer]

reputable group known as "ZERT" — Zeroday Emergency Response Team — has produced a very nice GUI and Command Line patch utility which repairs the VML buffer overrun design flaw in Microsoft's VGX.DLL file.

Since VML is very rarely used on the web, "unregistering" the vulnerable DLL to take it completely out of service is probably the more prudent countermeasure. But if you choose to unregister the DLL you will need to remember to re-register it later. And corporate users may wish to employ ZERT's CommandLine tool to patch all Windows systems network-wide. (Full source code is included to allow independent verification of the utility's operation.)

This ZERT page contains the latest information on this alternative:

http://isotf.org/zert/

Additionally, and either way, a simple and benign vulnerability test page is available from their download page. It will (a) crash your IE browser if your system is currently vulnerable, (b) display two red rectangles if your browser has VML enabled (registered) and safely patched, or (c) pop-up a dialog box informing you that your IE is immune to this vulnerability if VGX.DLL is unregistered and you have scripting enabled to allow the pop-up. (If scripting is disabled for untrusted sites you'll just get a blank page.)

See the details of this testing page here:

http://isotf.org/zert/download.htm

Note that using this patching solution will "re-register" the VGX.DLL file for use by your system. So if you want double protection you could patch the file then follow the instructions below to also unregister it (though doing either is also certainly sufficient).

    * Microsoft's VML Security Advisory — "Vulnerability in Vector Markup Language Could Allow Remote Code Execution." This advisory provides a general overview of the problem and, fortunately, also provides a robust interim work-around to disable Windows' and IE's VML parsing. This can and should be used until Microsoft has repaired the buffer overrun in the VGX.DLL VML parser that is being actively exploited on the Internet.
    * How to protect your system:
      As detailed in Microsoft's VML security advisory (see link above), you can quickly, easily, and safely protect your system from possible VML exploitation by "unregistering" the defective DLL. The system will no longer be able to render web-based vector markup language graphics, but you won't notice any difference since few sites use VML for benign purposes.

      Simply copy this command from this page (highlight the entire line then type Ctrl-C to Copy it into the clipboard), then open the "Run..." dialog by pressing your system's Start button and choosing "Run..." Press "Backspace" to remove anything that might already be in the "Open" field, then type "Ctrl-V" to paste the command into the field. Press "OK" to execute the command and you should receive a dialog confirming that the VGX.DLL file has been "unregistered" ...

      regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

      Please tell your family and friends and the word. Since this newly discovered Windows VML defect is being actively exploited by thousands of web sites to install malware, and since viewing malicious eMail with many versions of Outlook will also cause this to occur, EVERY Windows user is a potential victim. Please help people to protect themselves.
    * How to "re-register" the VGX.DLL:
      Once Microsoft has repaired this defect, which should happen no later than the second Tuesday in October (Oct. 10th) — and after you have applied those October security updates — you should re-register the repaired VGX.DLL file by repeating the steps above, but using a command without the "-u" argument, as follows:

      regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

      At that time, please also remind anyone you may have helped to protect themselves through un-registering the DLL to re-register it AFTER they have updated their system with the current October patches.

http://www.grc.com/sn/notes-058.htm

[FreewheelinFrank]

A video of the exploit in action.

http://www.websense.com/securitylabs/blog/blog.php?BlogID=82

The interesting thing is that nothing seems to happen: the attack occurs "behind the scenes".

Interestingly, the site is not a "porn" site: the exploit has spread to legitimate looking sites. Websense has some examples here:

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632

The URL's are obscured but not hard to find, so head the warning:

DO NOT VISIT THESE SITES. YOU WILL BE COMPROMISED.

 

[FreewheelinFrank]

According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

As predicted, this now seems to have happened:

Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.

http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html

Microsoft are playing down the problem, but uming and ahing about bringing out a patch before October 10th:

Microsoft's security team said Friday afternoon that it may release a patch for the VML exploit before its next scheduled update on Oct. 10. "Attacks remain limited," Microsoft's Scott Deacon wrote on the Security Response blog. "There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.

"Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability," Deacon added. "We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment."

(Same link)

[FreewheelinFrank]

Please note that the universal application of the DEP feature as described earlier in the thread may result in some legitimate programs failing to function correctly.

In SP2, the feature is not applied by default, probably for this reason. Anybody applying it as protection against the VML exploit needs to bear in mind that it may cause problems.

I applied the DEP feature on my computer (software only, as I have an older chip) and soon after I got this message while running Ad-Aware:

[..::ReVaN::..]

In SP2, the feature is not applied by default, probably for this reason.

Yes it is but only for essential windows programs and services ...

[FreewheelinFrank]

Yes, I was refering to the universal application of DEP- OptOut and AlwaysOn settings- which are the ones SP2 users need to change to to prevent the VML exploit from working.

[..::ReVaN::..]

OK i see Frank. I thought you meant it wasn't turned on at all in SP2.

I turned DEP on for all software(i don't have hardware DEP also) and i ran a couple scans with Ad-Aware but seems to run just fine here. Infact everything seems to work OK but i will run some more programs and i see if i encounter any problems.

[FreewheelinFrank]

Hopefully it will be a rare problem:

The majority of applications will not encounter a problem with DEP. However, when an application does encounter a problem with DEP, a Data Execution Prevention message is presented to the user, alerting them to the problem.

http://technet2.microsoft.com/WindowsServer/en/library/b0de1052-4101-44c3-a294-4da1bd1ef2271033.mspx?mfr=true

[..::ReVaN::..]

OK thanks for the link

[FreewheelinFrank]

I notice when using the OptOut setting (I tried AlwaysOn before) there is a tick box for Ad-Aware, so I guess the conflict with DEP must be a known issue.



I notice there's also a tick box for Windows Explorer: I wonder if that also will conflict with DEP?

I'll leave it unticked for a while and see what happens. 

[..::ReVaN::..]

Interesting i have none of those programs on the list ... Perhaps they appear there if they conflicted with DEP in the past?

[FreewheelinFrank]

I've never had system wide DEP enabled before! 

[szc]

Not a single box on my end either, and DEP is enabled for all programs on my machine since like forever:

[drhayden1]

Hey SZC....mine has been checked just the opposite since day one on this laptop(turn on DEP for essential Windiows Programs and Services Only)and what is the best way to go-everything runs fine as is and i really hate to change anything