Sunbelt’s Blog (where I saw it first) sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
Microsoft Bulletin www.microsoft.com/technet/security/advisory/925568.mspx
ISC SANS isc.sans.org/diary.php?storyid=1713

In short, Microsoft says you can do the following to mitigate the threat from this vulnerability:
1. Un-register the vgx.dll
2. Tighten down the ACL’s on vgx.dll
3. Disable Binary and Script behaviors in IE
4. Only read email in Text format in Outlook.

I have thrown together a quick Snort signature to help until this thing is patched.

***WARNING*** This signature will likely block legitimate web sites. It blocks any web pages using the VML schema tags. Use this signature at your own risk.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:”Possible MSIE VML Exploit”; flow:established,from_server; uricontent:”html xmlns:v=”urn:schemas-microsoft-com:vml”"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit”; flow:established,from_server; content:”|3c|html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|3e|”; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:2003106; rev:1;)

–Chris

Technorati Tags: Internet Explorer, VML, exploit, vulnerability, snort

EDIT: Thanks to Frank Knobbe and Bleeding Snort for fixing a rather obvious mistake in this sig. I have reposted their version which you should use.

–Chris

Technorati Tags: Microsoft, vulnerability, exploit, dhcp, ms06-036, Internet Storm Center

As you can see the exploit displays Chinese writing which seems to be a clue to it’s origin. There are several similarities between how this exploit was released and how a 0-Day for Microsoft Word was released in June. Many speculate that the same person(s) are behind both.

Fortunately Symantec (and probably others) have virus definitions for this Trojan. The problem is it could and probably will be a different Trojan next time. Secunia is calling this one Extremely Critical in their write-up. I agree and here are some factors that make this one very bad news.

1. The number of vulnerable systems is very large.
This looks to affect all versions of Microsoft PowerPoint. Microsoft sells somewhere around $10 Billion worth of Office products per year. Folks, that is a lot of applications.

2. Relatively few, if any vulnerabilities with PowerPoint files before.
I did a quick search to see if PowerPoint files have been the entry point for vulnerabilities before and did not see any. This means in general people “trust” that opening a PPT file will not cause them problems.

3. PowerPoint files are almost ubiquitous in the enterprise.
With this being the case IT and Security managers may have to do a lot of tap dancing if they try to block PPT files at the gateway, mail server, etc. I know of one case today where the CEO had to step in and publicly support the blocking of PPT files until a resolution is available.

All these coupled with the usual problems like outdated AV definitions, users running as local admin, no egress filtering on the gateway…..make this a sticky situation.

Should you want to block PPT files and you have Snort (or a Snort-like IPS), here are some Snort signatures that will help. The first one will detect inbound PowerPoint files in an email. The second two will detect PowerPoint files on any TCP port. A big thanks to Steve Reynolds ( sreynolds @ nitrosecurity . com ) from NitroSecurity for providing the signatures. These are not official NitroSecurity signatures, they are ones he wrote.

Although commercial IPS vendors may have signatures to detect the exploit, I have not seen any free Snort signatures that do. I suspect that Bleeding Snort will post them if some become available.

Remember to have your $SMTP_SERVERS variable set correctly and change alert to drop if you want to block them.

****NOTE**** These signatures block ALL PowerPoint attachments. You have been warned.

alert TCP $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:”PowerPoint attachment detected in SMTP’”; content:”Content-Disposition|3a|”; content:”filename=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )

alert TCP $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:”PowerPoint attachment detected in SMTP’”; content:”Content-Type|3a|”; content:”name=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )

alert TCP $EXTERNAL_NET any -> $HOME_NET any (msg:”PowerPoint attachment detected’”; content:”Content-Disposition|3a|”; content:”filename=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; ) alert TCP $EXTERNAL_NET any -> $HOME_NET any (msg:”PowerPoint attachment detected’”; content:”Content-Type|3a|”; content:”name=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )–Chris

Technorati Tags: PowerPoint, Vulnerability, Snort, Exploit

UPDATE 

Microsoft has released an advisory on this vulnerability here