Exploit Released for Critical PC Hijack Flaw
A fully working exploit for a high-risk vulnerability fixed by Microsoft
two days ago has been put into limited release, prompting new "patch
now" warnings from computer security experts.
The exploit, which allows PC takeover attacks on Windows XP SP2, has
been published to Immunity's partners program, which offers up-to-the
minute information on new vulnerabilities and exploits to IDS (intrusion
detection companies) and larger penetrating testing firms.
Immunity, based in Miami Beach, Fla., sells access to the partners
program for around $40,000, according to founder Dave Aitel.
The company's exploit takes aim at a "critical" bug in the way VML
(Vector Markup Language) is implemented in Windows. It has been
successfully tested on Windows XP SP2 and Windows 2000, with default
installations of Internet Explorer 6.0.
"This is a fully working exploit, [it] will give you full access to do
anything on the target machine," says Immunity researcher Kostya
The exploit was created and confirmed in less than three hours after
Microsoft's Patch Tuesday release on Jan. 9, a fact that clearly
illustrates just how much the gap has narrowed between patch release and
full deployment on enterprise networks.
For consumers, Microsoft uses the Automatic Updates mechanism to push
down updates but, in the enterprise, patches must go through rigorous
test passes to ensure there are no conflicts with mission-critical
On average, it could take a business a full month to fully test and
deploy updates to every desktop, laptop, server or mobile device.
Kortchinsky said the exploit will be refined to try to get code
execution on Internet Explorer 7.0, the newest version of Microsoft's
dominant Web browser.
According to the MS07-004 bulletin that covers the VML flaw, IE 7.0 on
Windows XP and Windows Server 2003 is indeed vulnerable.
Microsoft said the flaw was originally reported through its "responsible
disclosure" process, but a note in the advisory says it was used in
zero-day attacks before the Patch Day.
There is no public information available on those zero-day attacks.
Microsoft did not release a pre-patch advisory to warn of the VML
Officials in the MSRC (Microsoft Security Response Center) are strongly
urging Windows users to treat the VML fix and a "high-priority" update.
In an interview with eWEEK, Mark Griesi, security program manager in the
MSRC, said the risk is high because there is a remote unauthenticated
attack vector that gives an attacker a way to hijack a vulnerable system
without any user action.
"That one should be your absolutely highest priority," Griesi declared.
Microsoft also warned users to pay special attention to MS07-003, a
bulletin that addresses a trio of serious flaws in the Microsoft Outlook
One of the Outlook flaws, which carries a "critical" rating, allows an
attacker to use malformed VEVENT records to launch executable code when
Outlook handles file parsing routines.
Ominously, a successful attack only requires that an e-mail is sent to
the target if a specially rigged .ICS (iCal) file is embedded into the
body of a message.
Workstations and terminal servers are primarily at risk, according to
Microsoft shipped a total of four bulletins in January with patches for
a least 10 holes in Outlook, Excel and Windows. However, there were no
fixes for known code execution holes in Microsoft Word that have already
been targeted in zero-day attacks.