[ISN] Exploit Released for Critical PC Hijack Flaw

From: InfoSec News (alerts@private)
Date: Thu Jan 11 2007 - 22:04:10 PST


By Ryan Naraine
January 11, 2007

A fully working exploit for a high-risk vulnerability fixed by Microsoft 
two days ago has been put into limited release, prompting new "patch 
now" warnings from computer security experts.

The exploit, which allows PC takeover attacks on Windows XP SP2, has 
been published to Immunity's partners program, which offers up-to-the 
minute information on new vulnerabilities and exploits to IDS (intrusion 
detection companies) and larger penetrating testing firms.

Immunity, based in Miami Beach, Fla., sells access to the partners 
program for around $40,000, according to founder Dave Aitel.

The company's exploit takes aim at a "critical" bug in the way VML 
(Vector Markup Language) is implemented in Windows. It has been 
successfully tested on Windows XP SP2 and Windows 2000, with default 
installations of Internet Explorer 6.0.

"This is a fully working exploit, [it] will give you full access to do 
anything on the target machine," says Immunity researcher Kostya 

The exploit was created and confirmed in less than three hours after 
Microsoft's Patch Tuesday release on Jan. 9, a fact that clearly 
illustrates just how much the gap has narrowed between patch release and 
full deployment on enterprise networks.

For consumers, Microsoft uses the Automatic Updates mechanism to push 
down updates but, in the enterprise, patches must go through rigorous 
test passes to ensure there are no conflicts with mission-critical 

On average, it could take a business a full month to fully test and 
deploy updates to every desktop, laptop, server or mobile device.

Kortchinsky said the exploit will be refined to try to get code 
execution on Internet Explorer 7.0, the newest version of Microsoft's 
dominant Web browser.

According to the MS07-004 bulletin that covers the VML flaw, IE 7.0 on 
Windows XP and Windows Server 2003 is indeed vulnerable.

Microsoft said the flaw was originally reported through its "responsible 
disclosure" process, but a note in the advisory says it was used in 
zero-day attacks before the Patch Day.

There is no public information available on those zero-day attacks. 
Microsoft did not release a pre-patch advisory to warn of the VML 

Officials in the MSRC (Microsoft Security Response Center) are strongly 
urging Windows users to treat the VML fix and a "high-priority" update.

In an interview with eWEEK, Mark Griesi, security program manager in the 
MSRC, said the risk is high because there is a remote unauthenticated 
attack vector that gives an attacker a way to hijack a vulnerable system 
without any user action.

"That one should be your absolutely highest priority," Griesi declared.

Microsoft also warned users to pay special attention to MS07-003, a 
bulletin that addresses a trio of serious flaws in the Microsoft Outlook 
e-mail application.

One of the Outlook flaws, which carries a "critical" rating, allows an 
attacker to use malformed VEVENT records to launch executable code when 
Outlook handles file parsing routines.

Ominously, a successful attack only requires that an e-mail is sent to 
the target if a specially rigged .ICS (iCal) file is embedded into the 
body of a message.

Workstations and terminal servers are primarily at risk, according to 
Microsoft's advisory.

Microsoft shipped a total of four bulletins in January with patches for 
a least 10 holes in Outlook, Excel and Windows. However, there were no 
fixes for known code execution holes in Microsoft Word that have already 
been targeted in zero-day attacks.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Jan 11 2007 - 22:24:44 PST