Attacks against the vector markup language (VML) flaw in Internet Explorer (IE) continued to intensify Friday, prompting security organizations to raise their alert status.
Meanwhile, an organization called the Zero-Day Emergency Response Team (ZERT) has released an emergency patch for IT administrators who don't feel comfortable waiting for an official fix from Microsoft. The software giant said Tuesday that it is preparing a patch for release on Oct. 10 or sooner.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) raised its InfoCon level to yellow Friday to "emphasize the need to consider fixes," the organization said in a message on its Web site. Meanwhile, Atlanta, Ga.-based Internet Security Systems Inc. (ISS) raised its AlertCon to level 2.
"If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the Web from home; they might be at high risk)," ISC handler Swa Frantzen wrote on the organization's Web site. "The exploit is widely known, easy to recreate, and used in more and more mainstream Web sites. The risk of getting hit is increasing significantly."
Microsoft acknowledged the threat earlier this week and confirmed it is working to rush out a patch by Oct. 10, the company's next scheduled day for security updates.
"Microsoft has confirmed new public reports of a vulnerability in the Windows implementation of VML," a company spokesman said via email. "Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. This exploit code could allow an attacker to execute arbitrary code on the user's system."
He said a patch addressing the flaw "is now being finalized through testing to ensure quality and application compatibility" and is scheduled for release Oct. 10 or sooner. Microsoft releases patches the second Tuesday of each month, but has been known to release them out-of-cycle when the threat has been serious enough. The last out-of-cycle fix was for the WMF flaw in January.
Several attacks exploiting the VML flaw are originating from a series of pornographic Web sites based in Russia, with the goal of dropping malicious code onto Windows machines to make them part of botnets.
Microsoft has released an advisory outlining several workarounds users can employ to blunt the threat:
- Unregister Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1;
- Modify the access control list on Vgx.dll to be more restrictive;
- Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable binary and script behaviors in the Internet and local intranet security zone; and
- Read email messages in plain text format to help protect systems from the HTML email attack vector.