Third-Party Patch Out For IE's VML Bug
Published by Brandon
09-24-2006

A group of security researchers on Friday posted an unsanctioned patch for the Internet Explorer VML bug, putting more pressure on Microsoft to push its own fix to users before its next scheduled update on Oct. 10.

Composed of at least 20 researchers in the U.S., Russia, Germany, and elsewhere, the Zeroday Emergency Response Team (ZERT) reverse-engineered a fix for the flaw disclosed earlier this week by Sunbelt Software. The fix can be downloaded from the ZERT Web site.

"While ZERT tests these patches, they are not official patches with vendor support and are provided as-is with no guarantee," the group said. "Use them at your own risk or wait for a vendor-supported patch."

Among those listed as ZERT members are Matthew Murphy, who blogs at the SecuriTeam site; Thor Larholm, who works for the Newport Beach, Calif.-based security company PivX Solutions Inc; and Ilfak Guilfanov, a Russian developer best known as the creator of the unsanctioned fix for the WMF vulnerability back in January.

"ZERT members work together as a team to release a non-vendor patch when a so-called '0day' (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both," the group said.

Third-party patches for Microsoft gaffes are rare. The most recent and notable was Guilfanov's fix for a bug in Windows Metafile Format (WMF) image processing that he released several days before Microsoft rushed out its own update.

Pressure on Microsoft to fix the flaw may be mounting, said other security professionals, who have noticed increased attack activity. "VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of iDefense's rapid response team, in an e-mail to TechWeb. "At least one hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting site," Dunham continued.

Eric Sites, vice president of research and development at Sunbelt Software, which first reported the vulnerability and exploit earlier this week, also said that attacks were "definitely escalating." In a conversation with a tier 1 support representative at Cox Cable on Friday, Sites said, he was told that the cable operator had several thousand support calls and e-mails backed up, with users reporting a wide variety of complaints, including IE crashes. "That may be a targeted attack," said Sites.

Both Dunham and Sites warned of even larger attacks over the weekend.

"[Users should] implement a workaround ASAP due to imminent global attacks," said Dunham.


"There are a lot more sites using [a VML exploit]," added Sites.

Part of their concern is that the exploit may quickly move to e-mail, with spam-style attacks compromising PCs as soon as the recipient views an infected message in a preview pane. Symantec, for example, confirmed Friday that a working exploit against Microsoft Outlook has been written and posted by Immunity Inc. for its CANVAS exploit framework.

An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action, said Sites. "If you see a message in the Preview Pane or double-click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code, he added.

Sunbelt's testing has confirmed that Outlook 2003 is vulnerable -- in its most-patched SP2 version at least -- but that earlier editions of the e-mailer, including Outlook 2000 and Outlook 2002, are not at risk. Sunbelt has yet to test Outlook 2003 SP1.

To protect against e-mailed attacks, Outlook users should disable the Preview Pane (in Outlook 2003, select View|Reading Pane|Off) and render all mail in plain text (Tools|Options|Preferences|E-mail Options, then check the "Read all standard mail in plain text" box).

But installing the ZERT patch may be a risky move, concluded Sites. "The problem is that you'll never know if it works in all situations," he said. "There's a reason why it takes Microsoft time to test a patch."

However, Sites expects that Microsoft will go out-of-cycle with a fix if the situation worsens. "With the e-mail vector possible, I think it'll be maybe another week, maybe less, before Microsoft releases [a patch]."