Yellow: MSIE VML exploit spreading

Published: 2006-09-25
Last Updated: 2006-09-25 00:49:40 UTC
by Swa Frantzen (Version: 9)


We've refreshed this article as a reminder for those of you checking in on Monday morning. On Friday the 22nd (for some of our readers already past their working day) we raised our Infocon to Yellow for 24 hours in order to increase awareness of the problem and call for action. We went back to Green, as intended, after 24 hours.

New versions of the exploit continue to be released publicly, and we still get reports from new sites detecting exploits. There is still reason to act if you haven't done so yet. This exploit is one that's going to stay with us, so you do need protection; waiting will not make the problem go away.

Reason for Yellow

The VML exploit is now becoming more widespread, so we changed the InfoCon level to Yellow to emphasize the need to apply fixes.

If you have not taken measures yet, please consider the emergency fixes below to cover the weekend (especially for laptops surfing the web from home, which are at high risk). The exploit is widely known, easy to recreate, and is being served from more and more mainstream websites. The risk of getting hit is increasing significantly.

Outlook (including Outlook 2003) is, as expected, also vulnerable, and the e-mail vector is reported as being exploited in the wild as well.

Weekends are, moreover, popular times for the bad guys to build their botnets.


We suggest the following actions (do them all: a layered approach still works when one of the measures fails):
  • Update your antivirus software and make sure your vendor has protection for it (*).
  • Unregister the vulnerable DLL (**). Either command works; on a default install both expand to the same file:
    regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    Then reboot the machine to make sure all in-memory copies are gone as well.
  • Consider asking your users to stop using MSIE. We know it's hard to break an addiction, but you're using the most targeted browser in the world.
Re-registering the DLL (which you will want to do after an official patch is released) is done with the same command as unregistration, but without the "/u".
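The following script is an added example, not part of the original diary and not ISC-provided tooling. It wraps the unregister/reboot/re-register procedure above so it can be run from a login script or pushed to a fleet: it audits whether any COM class is still served by vgx.dll, unregisters the DLL silently, checks the regsvr32 exit code, and reminds the operator to reboot. It assumes an elevated PowerShell session on a Windows host; the function names and the registry-based "is it still registered" check are this example's own, not something the diary describes.

```powershell
# Added example (not from the ISC diary): audit and toggle registration of
# the VML renderer, vgx.dll, as described in the workaround above.
# Assumes an elevated PowerShell session; Get-VgxRegistration, Disable-Vgx
# and Enable-Vgx are hypothetical names chosen for this example.

$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # regsvr32 registration leaves HKCR\CLSID\{...}\InprocServer32 keys whose
    # default value is the DLL path. Return every CLSID still pointing at
    # vgx.dll; an empty result means the workaround is in place.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -like '*\vgx.dll') {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server.'(default)' }
            }
        }
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # regsvr32 is a GUI-subsystem binary, so use Start-Process -Wait to get
    # its real exit code instead of relying on $LASTEXITCODE. /s suppresses
    # the result dialog so this can run unattended.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 $Arguments failed with exit code $($p.ExitCode)" }
}

function Disable-Vgx {
    if (-not (Test-Path $VgxPath)) { Write-Warning "vgx.dll not found at $VgxPath"; return }
    Invoke-Regsvr32 -Arguments @('/u', '/s', "`"$VgxPath`"")
    # Unregistering does not unload copies already mapped into running
    # processes (MSIE, Outlook), which is why the diary says to reboot.
    Write-Host 'vgx.dll unregistered; reboot to drop in-memory copies.'
}

function Enable-Vgx {
    # Same command without /u: run this after the official patch is installed.
    Invoke-Regsvr32 -Arguments @('/s', "`"$VgxPath`"")
}

# Usage: audit, disable, audit again.
$before = @(Get-VgxRegistration)
Write-Host "CLSIDs served by vgx.dll before: $($before.Count)"
Disable-Vgx
$after = @(Get-VgxRegistration)
Write-Host "CLSIDs served by vgx.dll after:  $($after.Count)"
```

The before/after counts give you something to log centrally: a host whose "after" count is still non-zero either has a copy of vgx.dll registered from a non-default path or the unregistration failed, and either way it still needs attention before the weekend.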


Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least  one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.


(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first offers real protection against new threats.
(**): There are a few rare reports of relatively uncommon applications that break when this DLL is disabled, so check your mission-critical applications before disabling it. Since VML never became a standard, it is not widely used; a web site that relies on it does not work properly in other browsers anyway.

Swa Frantzen -- Section66
Keywords: 0day msie vml yellow

Issues with e-mail notifier

Published: 2006-09-22
Last Updated: 2006-09-22 23:14:45 UTC
by Jim Clausing (Version: 1)
Those of you who have signed up for e-mail notifications of infocon changes have noticed you've gotten multiple e-mails saying that infocon changed to yellow then green then yellow then green.....  We're aware of the problem and looking into it.  Right now we are at yellow and will remain so for at least 24 hours.

Security Challenges and Games

Published: 2006-09-22
Last Updated: 2006-09-22 20:06:27 UTC
by Ed Skoudis (Version: 2)
I'm a big fan of using challenges and games as learning tools, especially in the information security world.  One of the most common of these types of challenges, of course, is a Capture the Flag (CtF) game.  In May 2005, I posted a diary requesting readers to send in links to hacking and security challenges that they had actually played and learned from.  We got a good set of results, but many of those sites have gone down.  In the SANS class I teach, a good list of hacking challenges is one of the most commonly requested items.

Speaking of that, I once had an attendee in my SANS class that did great throughout the first five days of class.  But, on the last day, he didn't want to play the CtF game that we had been building up to for the whole week.  When I asked him why he wouldn't play, he said, "I don't play games."  He seemed to imply that games were beneath him.  I found that to be very sad... Well-constructed games can help us learn, and have fun at the same time.  I build capture the flag game challenges for the neighborhood kids that they play around my house with my own children.  These games include computer challenges, audio quizzes, simple ciphers (that an 8-year old can crack), video puzzles, and so on.  They are a lot of fun.

So, I'd like to renew my request.  Have you seen and actually played any publicly available (i.e., on the web) security/hacking challenges?  Please submit only ones that you've played and found useful, interesting, or at least fun.

I'll get the ball rolling by mentioning these, and I'll add to the list as I get recommendations from you all day:

- The Defcon CtF Prequalification Challenges from this year, created by Kenshoto.  The folks from 1@stplace, this year's Defcon CtF winning team (congrats, guys... GREAT WORK!), compiled these challenges and posted them on the 'net.  Note that the target servers are off-line, but all of the fantastic file-based challenges are available at this site.  This set of challenges is really wonderful, especially with the mix of technologies brought to bear, and the different mindsets needed to play in the diverse categories.
- Skillz challenges, hosted at  I write these, along with my buddies Mike Poor and Tom Liston.  The latest, Netcat in the Hat, was created by Tom, and you can still enter to win a prize.
- My archive of movie and TV themed challenges (17 in all) on my website.

Reader Aaron mentioned the very nifty project Webgoat from OWASP.  I really like this one a lot.  It provides a simulated e-commerce application that you download and install on your own machine.  Then, you get to attack it, using techniques such as SQL injection, weak session cookies, Cross Site Scripting, etc.  It's a _great_ learning tool for people mastering the art of web app penetration testing.  Thanks, Aaron!

An anonymous reader points us to, where several challenges are available at different skill levels.

PJ mentioned and  Both are classics in this genre, worthy of your attention.

Reader Peter mentions the, which has a very large collection of hacking challenges and sort-of "real-world" scenarios.   Peter cautions, though, "However be warned and stay on the beaten track as you would not want to be firing malicious payload at a 'challenge' site that is redirecting to a .gov site!"  That's good advice.  Always, always, always double check your targets before firing in any such activities, whether hacker challenges or full-blown professional penetration tests!  Also, note that some people may find some of their stuff offensive.  You have been warned!

Beau pointed us to a fabulous collection of games and challenges that the Foundstone guys have pulled together here

Diligent reader Tyler points out our very own Pedro Bueno's malware analysis challenges, which are really fun and well thought-out.  Read them here.

Tyler also mentioned the Honeynet Project's scan of the month challenges.  Reader Brian points out that one of their very best challenges was the Forensics Challenge.   Truly a classic!

Although I was focusing on web-based challenges, several folks have written in with some live challenges that have tickled their fancy at hacker conferences or other venues.  

Chris Compton, a great friend and very bright guy, mentions: "While I'd certainly agree with the merits of web-based games, I also think there's something unique that can be learned from the highly charged, collaborative, competitive environment of in-person games.  I find I not only get good practice, but I also get to shoulder-surf my way to a better understanding of what some of the best 'competitors' are doing these days, and how they're approaching different problems.

Now, inevitably I'm going to plug Hack-or-Halo at Shmoocon as a good event for all skill levels... but I would also encourage the ISC readership to make an effort to attend and play at any or all of these such events/games." 

Well said, Chris.  These can be very worthwhile games.  A list of a few live, hands-on games was compiled by our reader Ronaldo, who mentions:

"Welcome to the DEF CON 13 WarDriving Contest

The 2005 UCSB International Capture The Flag (Giovanni Vigna)


ToorCon 8 - RootWars"

Ronaldo also mentioned OpenInfreno - An Open Source Root War Engine.  This is a very cool engine on which to build CtF games.  Nice work, gents!

Dr. Neal Krawetz mentioned the DoD DC3 challenge here.  Although you have to apply to play (which is more than merely registering), this challenge looks quite good.   Dr. Neal says, "Calling DC3 a 'challenge' is an understatement.  Even if you know the solutions to some of the puzzles, it is not easy."  That's for sure, but it is impressive.

--Ed Skoudis

Zeroday Emergency Response Team (ZERT)

Published: 2006-09-22
Last Updated: 2006-09-22 15:48:54 UTC
by Ed Skoudis (Version: 1)
Several readers have written to us about the newly formed Zeroday Emergency Response Team (ZERT).  It looks like they will endeavor to create, test, and distribute patches (yes, we know about all the controversies of third-party patches... so please don't flood us with rants for or against them).  Still, we find the ZERT concept interesting, and thought you might want to read about it.  You can read more about ZERT and the people running it in an article by eWeek here.  Gadi Evron, operations manager for ZERT, points out that they have recently released a third-party patch for the VML vulnerability.

