Microsoft Rushes Patch for VML Exploit

By Scott M. Fulton, III, BetaNews

September 22, 2006, 10:56 PM

Sophos Labs now rates as “critical” a re-emerging exploit to Microsoft’s Vector Markup Language (VML) library, which Microsoft now says it will try to patch before its original October 10 deadline, announced on Thursday. This comes as the SANS Group raises its InfoCon level officially to “yellow,” “to emphasize the need to consider fixes.”

In the meantime, a group of software engineers called the Zeroday Emergency Response Team (ZERT) has issued what it characterizes as an interim patch for the VML exploit, possibly closing the door to a new series of Trojans.

In so doing, a new group resurrects some old questions: Should consumers trust third parties to patch Windows when Microsoft isn't able to do so just yet? And does implementing a third-party patch make it more difficult for Microsoft - or anyone - to patch Windows in the future?

Only in the information security business can one become both underground and high-profile simultaneously. A story in Friday morning's eWeek characterized ZERT as "a high-profile group of computer security professionals," although the membership list on the group's Web site admits to not listing everyone in the group, because "some ZERT volunteers prefer anonymity."

ZERT only claims its patch addresses the buffer overflow vulnerability, but does not explain exactly what it is the patch is supposed to do. Not even the eWeek story gives a description of the patch, although it does quote one volunteer member of the ZERT group as saying, "Something has to be done about Microsoft's patching cycle."

"ZERT members work together as a team," the group's Web site reads, "to release a non-vendor patch when a so-called '0day' (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to 'crack' products, but rather to 'uncrack' them by averting security vulnerabilities in them before they can be widely exploited."

The VML patch is the group's first, so it remains to be seen whether the public at large is willing to trust a high-profile group of unknowns to provide them with "something," rather than wait for Microsoft to make good on its pledges to produce anything. ZERT's press liaison did not return BetaNews' request for comment.

"Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software," a Microsoft spokesperson told BetaNews late Friday afternoon. "While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor.

"Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility," the spokesperson added. "Microsoft cannot provide similar assurance for independent third party security updates or mitigations."

Sophos has noted three Trojans in the wild thus far that utilize the exploit, all of which appear to be delivering a payload that sniffs the infected user's system for passwords. It is apparently not known whether those passwords are then transmitted back to a server through an unmonitored port. One Trojan also attempts the blatant step of deleting the IEXPLORE.EXE file.

Since the exploit is a variation of a vulnerability discovered in 2004, Sophos Anti-virus and other brand-name products will likely detect all three of these Trojans, whether they're delivered via the Web or through non-upgraded versions of Outlook 2003.

However, knowing not everyone protects their systems against viruses so vigorously, Sophos' senior technology consultant Graham Cluley believes, even the least skilled malicious user now perceives the period between now and Microsoft's October 10 deadline as "open season."

"This is now a race against time," Cluley stated on Sophos' Web site Friday. "Even though reports of the exploit are so far limited, companies reliant on Internet Explorer would be wise to follow Microsoft's advice on ways to avoid this particular form of attack as it may be weeks before a patch from Microsoft is available."

If Microsoft is racing against time, you wouldn't know it by the company's public statement today on its Security Response Center blog. "There's been some confusion...that somehow attacks are dramatic and widespread," Microsoft team member Scott Deacon wrote Friday morning.

"We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability."