Unless you are under a rock you have probably heard about the latest hole in Internet Explorer. This one lives in the VML component (vgx.dll) and hits a fully patched PC. You can be compromised either by viewing a web page in IE or by opening an HTML email in Outlook, since Outlook uses the IE rendering engine. Rather than re-hash all the reviews and analyses, here are some relevant links.
Sunbelt’s Blog (where I saw it first) sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
Microsoft Bulletin www.microsoft.com/technet/security/advisory/925568.mspx
ISC SANS isc.sans.org/diary.php?storyid=1713
In short, Microsoft says you can do the following to mitigate the threat from this vulnerability:
1. Un-register vgx.dll
2. Tighten down the ACLs on vgx.dll
3. Disable Binary and Script Behaviors in IE
4. Only read email in plain text format in Outlook.
Keep in mind these are workarounds, not a fix: once vgx.dll is unregistered or locked down, IE (and anything else that uses it) will no longer render VML until the patch is out and you revert the change.
I have thrown together a quick Snort signature to help until this thing is patched.
***WARNING*** This signature will likely fire on legitimate web sites. It matches any web page that declares the VML namespace, whether or not the page carries the exploit, so expect false positives. Use this signature at your own risk.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"Possible MSIE VML Exploit"; flow:established,from_server; uricontent:"html xmlns:v="urn:schemas-microsoft-com:vml""; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; flow:established,from_server; content:"|3c|html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|3e|"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:2003106; rev:1;)
–Chris
Technorati Tags: Internet Explorer, VML, exploit, vulnerability, snort
EDIT: Thanks to Frank Knobbe and Bleeding Snort for fixing a rather obvious mistake in this sig. I have reposted their version, which you should use.