Exploits from Day Zero to Day 7

Websense Security Labs has released an alert on the recent VML vulnerability found in IE 5 and higher. The alert mentions that emails are already making their way to mailboxes, containing links to sites that host VML exploit code.

‘…appears to lure users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that directs all HTTP posts from forms to a third party, and then collects information on end-users.’ – Websense Security Labs

Websense Security Labs also includes a web page with example screenshots of the site hosting the malicious code. Read more here: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=633

Countermeasures:
1. Use a browser other than Internet Explorer (IE). (I never get bored of saying this one.)
2. Apply the latest patches, official or not.
3. Read Microsoft's Security Advisory (925568) on VML – http://www.microsoft.com/technet/security/advisory/925568.mspx
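Countermeasure 2 is about patching; for a machine that cannot be patched yet, Microsoft's advisory linked in countermeasure 3 also lists a workaround that un-registers the VML rendering library, vgx.dll, so Internet Explorer can no longer load it. The batch script below is an added example written for this post, not code from the original article, from Microsoft or from ZERT. It assumes vgx.dll sits at the default path given in the advisory (adjust VGX if it lives elsewhere on your system) and that it is run from an administrative command prompt.

```batch
@echo off
REM Added example: apply or undo the vgx.dll workaround from Microsoft Security Advisory 925568.
REM Usage:  vml-workaround.cmd disable   (un-register vgx.dll; IE stops rendering VML)
REM         vml-workaround.cmd enable    (re-register vgx.dll once the official patch is installed)
REM Assumption: default install path of vgx.dll as quoted in the advisory.
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%" - nothing to do.
    exit /b 1
)

if /i "%~1"=="disable" (
    REM /u un-registers the COM server, /s suppresses the confirmation dialog.
    regsvr32 /u /s "%VGX%"
    echo vgx.dll un-registered. Internet Explorer will no longer render VML.
) else if /i "%~1"=="enable" (
    REM Only re-register after the official fix for the vulnerability is installed.
    regsvr32 /s "%VGX%"
    echo vgx.dll re-registered. VML rendering is back on.
) else (
    echo Usage: %~nx0 disable ^| enable
    exit /b 2
)
endlocal
```

The trade-off is that anything relying on VML (some web pages, some Office HTML output) stops rendering while the library is un-registered, which is why the script has an `enable` path to restore it after the real patch goes on. Re-visiting a known VML test page after running `disable` is one way to confirm the renderer is really out of the picture.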

When going through Microsoft's advisory I noticed that it cleverly markets Windows Live OneCare, mentioning that ‘If you are a Windows Live OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.’

How thoughtful of them to include that for the Windows Live OneCare user. On the other hand, I am not a user of that program and I would like more information about the vulnerability, which is further down. You have to love their marketing schemes.

If you would like to test your browser then try this test page, provided by ZERT – http://isotf.org/zert/testvml.htm (Yes, it will crash IE, even IE 7 Beta 2.) Since the page triggers the actual bug, try it on a test machine rather than one you depend on.

They also provided an unofficial VML patch before anyone else did – http://mwpbu.baylor.edu/zert/

An interesting thing happened after crashing my IE browser: the antivirus picked up the saved web page, classified it as unsafe (Bloodhound.Exploit.78) and quarantined it. (Yes, I am using Symantec AntiVirus.)

Links Used:

Websense Security Labs, VML alert – http://www.websense.com/securitylabs/alerts/alert.php?AlertID=633

Microsoft’s Security advisory (925568) on VML – http://www.microsoft.com/technet/security/advisory/925568.mspx

Zeroday Emergency Response Team (ZERT), unofficial VML patch – http://mwpbu.baylor.edu/zert/

ZERT VML test page – http://isotf.org/zert/testvml.htm


Something to talk about: 

In light of all the problems that vulnerabilities and exploits cause, I would like to start a conversation with a simple question: How long are vulnerabilities and hence exploits in the wild before we hear about them?

What happens: someone finds a vulnerability; someone else takes an interest in it and writes an exploit for it; someone else again probably buys it and uses it. The only time we really hear about it is when it is too late, once it has already started to spread.
