Windows VML Vulnerability FAQ (CVE-2006-4868) [UPDATED]
September 24th, 2006 by Juha-Matti, Filed under: Web, Microsoft, Commentary, Virus, Corporate Security
Windows VML Vulnerability - Frequently Asked Questions (CVE-2006-4868)
==============================================
This Frequently Asked Questions document describes a critical zero-day vulnerability in the Windows Vector Markup Language graphics implementation. The document describes the related malware as well. There is no official patch for this vulnerability available.
** UPDATE: The fix, Security Bulletin MS06-055 "Vulnerability in Vector Markup Language Could Allow Remote Code Execution" (KB925486), was released on 26th September.
More details are available at isc.sans.org/diary.php?storyid=1738
Q: What is the Windows Vector Markup Language vulnerability?
A: This vulnerability is caused by an error in the handling of Vector Markup Language tags. This graphics implementation is part of the Microsoft Windows operating system. The zero-day vulnerability can be exploited through the Internet Explorer browser and the Outlook e-mail client. It is remotely exploitable and enables arbitrary code execution on the target workstation.
Q: What are the VML language and VML graphics?
A: Vector Markup Language (VML) is an XML-based language typically used to draw vector graphics, i.e. VML graphics.
Q: How does the vulnerability work?
A: It is a stack-based buffer overflow. An overly long fill parameter inside a rect tag on a Web page triggers the overflow.
The vulnerable component is the VML rendering library Vgx.dll (described by the vendor as "Microsoft Vector Graphics Rendering (VML)").
An attacker who successfully exploits this vulnerability can run code of his or her choice on the affected machine. The arbitrary code runs with the privileges of the currently logged-on user.
Q: This has been described as a Windows vulnerability; why are Internet Explorer and Outlook affected?
A: Internet Explorer and Outlook use the vulnerable Windows library (the so-called VML component) when rendering Vector Markup Language graphics.
Microsoft Outlook, in turn, uses the Internet Explorer rendering component when displaying HTML messages.
Q: When was this vulnerability found?
A: The vulnerability was publicly reported by Sunbelt Software researcher Adam Thomas on 18th September 2006. Technically, however, the discoverer of the vulnerability is another person, because Sunbelt Software R&D found the malicious VML code already in use on an adult Web site and confirmed that visiting the site infected a fully patched Windows machine. Sunbelt's research unit informed Microsoft security personnel before publishing the information on the company weblog.
Q: By what means has this vulnerability been exploited?
A: The most common method attackers use is to place malicious exploit code on Web pages. When a user visits the affected Web page with Internet Explorer, malicious code can be run on the Windows workstation. Programs that record keyboard activity (so-called keyloggers), spyware and several Trojan-type malware have reportedly been placed on malicious sites.
Additionally, a large number of sites at the Web hosting firm HostGator have been hijacked, and since Thursday 21st September attackers have been redirecting customers' sites to outside Web pages that use the VML exploit, as reported by Netcraft on Friday 22nd September.
Q: What Windows versions are vulnerable?
A: The following Windows versions have been confirmed as vulnerable:
Windows XP (Professional and Home Edition) Service Pack 1 and Service Pack 2
Windows 2000 (Professional and Server) Service Pack 4
Windows 2003 Server
The following operating systems are vulnerable as well, but they are no longer supported:
Windows 95
Windows 98 and 98SE
Windows Me
Windows NT
Q: What Internet Explorer browser versions are affected?
A: The following Internet Explorer (IE) versions are affected:
Internet Explorer 5.01 Service Pack 4
Internet Explorer 6 Service Pack 1
Internet Explorer 6 installed on Windows XP Service Pack 2
Q: Are all Internet browsers affected by this vulnerability?
A: No. This vulnerability affects only Internet Explorer. Additionally, other browsers that use the rendering component of Internet Explorer, e.g. Avant Browser, are affected.
Q: Are there any differences between Outlook client versions?
A: Yes. Sunbelt Software has tested the following build versions of Microsoft Outlook:
Outlook 2000 - not vulnerable
Outlook 2002 - not vulnerable
Outlook 2003 11.5608.8028 - not vulnerable
Outlook 2003 11.5608.5606 - not vulnerable
Outlook 2003 11.6568.6568 SP2 - information N/A
Outlook 2003 11.8010.8036 SP2 - vulnerable
Outlook 2007 12.0.417.1006 - reportedly can view VML graphics but apparently is not vulnerable
I.e. the latest Outlook 2003 with SP2 has been confirmed as vulnerable.
Q: Are there any technical reference documents about the VML language available?
A: The NOTE document of the World Wide Web Consortium (W3C) is located at
www.w3.org/TR/NOTE-VML (May 1998).
The SHAPE element is described in an MSDN (Microsoft Developer Network) article at
msdn.microsoft.com/workshop/author/vml/SHAPE/introduction.asp.
Q: Why is this vulnerability related only to Microsoft Internet Explorer (aka MSIE)?
A: Other Internet browsers, like Mozilla Firefox, Netscape and Opera, use a different technology known as Scalable Vector Graphics (SVG).
Q: Are there specific test sites available for testing VML support?
A: The following two sites, confirmed as trusted, are available:
#1. The ZERT team's VML test site:
NOTE: =*= This may crash your Internet Explorer browser: =*=
www.isotf.org/zert/testvml.htm
When this URL is visited with Internet Explorer, the browser crashes immediately after the Web page opens.
A dialog box asking to send an error report may also appear if Error Reporting is enabled. The module reported is: AppName: iexplore.exe.
If VML support is not detected, the following dialog is shown:
“Your Internet Explorer is immune to this vulnerability, have a good day!”
#2. The Swedish WebFX Web page describing the VML technique: webfx.eae.net/dhtml/VMLClock/clockScriptlet.html
This URL opens a page containing a vector graphics clock. When the page is visited with Firefox, only an empty page opens.
Q: What is the status of the Macintosh version of Internet Explorer?
A: There is no official information available; this is, however, a Windows-only vulnerability. This browser version is no longer supported by Microsoft: the support period of Internet Explorer 5 for Mac expired on 31st December 2005.
Q: Are all language builds of Windows and Internet Explorer vulnerable?
A: Yes, they are. The related library Vgx.dll ships with all Windows language versions, and the Internet Explorer browser uses this library when rendering VML graphics.
Q: Is this the first time a security issue in the Vgx.dll library has been reported?
A: No. Two years ago, when releasing security bulletin MS04-028 (the JPEG processing buffer overflow vulnerability related to GDI+), Microsoft updated Vgx.dll as part of the Internet Explorer 6 SP1 update. On one of the FAQ author's fully patched test machines the timestamp of Vgx.dll is 11th March 2004, file version 6.0.2800.1411, i.e. the build shipped with the MS04-028 security update.
Q: Are there any official documents released by Microsoft, and where are they located?
A: Yes. The official Microsoft Security Advisory was released on the TechNet Security site on 19th September.
The link to the English-language advisory is
www.microsoft.com/technet/security/advisory/925568.mspx
Q: Are there documents from CERT units available?
A: The CERT Coordination Center released its Vulnerability Note VU#416092 on 19th September at
www.kb.cert.org/vuls/id/416092.
A summary-type Technical Cyber Security Alert, TA06-262A, with less detail is located at
www.us-cert.gov/cas/techalerts/TA06-262A.html.
Additionally, several national CERT units have released their own alerts.
Q: What is the severity of this vulnerability?
A: Most security vendors have assigned their most critical severity levels, including the rarely used "Extremely Critical" type levels, to this issue. The upcoming Microsoft Security Bulletin is expected to carry a Critical severity level too.
Q: How can I protect my company from exploitation of this vulnerability?
A: There are three different ways: un-registering the vulnerable library in the operating system, using an alternative browser, or installing a third-party patch.
Q: What is this library file and how can I un-register it?
A: The Vgx.dll library can be un-registered by entering the following command in the Windows Start / Run… box:
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
[the double quotation marks around the path are part of the command, because the path contains spaces]
and pressing the 'OK' button. If the operation is successful, the following dialog box is shown:
"RegSvr32: DllUnregisterServer in C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll succeeded."
This message can be accepted by pressing 'OK'. The message is in English on non-English Windows versions too. It is recommended to reboot the workstation so that the change takes effect.
After this operation, VML support can be tested by visiting the test sites mentioned earlier. When these sites are visited with Internet Explorer, the browser no longer crashes (test site #1) and the vector graphics clock no longer appears on the screen (test site #2).
This operation prevents VML graphics from working and may prevent some Web sites from working correctly.
The Windows library can be re-registered with the following Run… command:
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
UPDATE: Microsoft recommends undoing this operation and any other workaround listed in Security Advisory 925568 before installing the official MS06-055 update.
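The regsvr32 workaround above leaves no obvious trace of its own, so an administrator rolling it out (or undoing it before MS06-055, as the update note says) needs a way to confirm the state of each workstation. The following PowerShell function is an added example, not part of the FAQ or of any Microsoft tooling: it reports where vgx.dll lives, its file version, and whether any COM class in HKCR\CLSID still names it as an in-process server. It assumes that "regsvr32 /u" (which calls DllUnregisterServer) removes those InprocServer32 entries, and it treats file version 6.0.2800.1411 as the known vulnerable build only because the FAQ author reports that version on a fully patched pre-MS06-055 machine; any other build is simply reported for comparison against MS06-055.

```powershell
# Added example (not from the FAQ): report the state of the VML renderer on a host,
# before and after the regsvr32 workaround or the MS06-055 update.
function Get-VgxStatus {
    [CmdletBinding()]
    param(
        # Same location the FAQ's regsvr32 command uses.
        [string]$DllPath = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
    )

    # Build the FAQ author found on a fully patched, pre-MS06-055 machine (shipped
    # with MS04-028), i.e. a build that is still vulnerable. Assumption: other builds
    # must be checked against the MS06-055 file list by the reader.
    $knownVulnerable = '6.0.2800.1411'

    $status = [ordered]@{
        Path         = $DllPath
        Exists       = Test-Path -LiteralPath $DllPath
        FileVersion  = $null
        Registered   = $false
        RegisteredBy = @()
        Assessment   = ''
    }

    if ($status.Exists) {
        # Use the numeric parts; the FileVersion string often carries a build tag in parentheses.
        $vi = (Get-Item -LiteralPath $DllPath).VersionInfo
        $status.FileVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                    $vi.FileBuildPart, $vi.FilePrivatePart
    }

    # Walk every CLSID and collect those whose in-process server is vgx.dll. This is
    # slow (thousands of keys) but needs no prior knowledge of the VML class IDs.
    $classes = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = "$($_.PSPath)\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'vgx\.dll"?$') { $_.PSChildName }
            }
        }
    $status.RegisteredBy = @($classes)
    $status.Registered   = $status.RegisteredBy.Count -gt 0

    $status.Assessment =
        if (-not $status.Exists)                          { 'vgx.dll not present; nothing to unregister' }
        elseif ($status.FileVersion -eq $knownVulnerable) { 'known vulnerable build; install MS06-055 or unregister' }
        elseif ($status.Registered)                       { 'registered; confirm the build against MS06-055' }
        else                                              { 'present but unregistered (FAQ workaround in effect)' }

    [pscustomobject]$status
}

# Usage: run once before and once after the FAQ's regsvr32 command and compare.
Get-VgxStatus | Format-List
```

Reading HKCR needs no elevation, so the function can be run under a normal account or pushed out by a management tool; a host that still shows Registered = True after the workaround usually means Internet Explorer or Outlook was open at the time (a point the comments below also make about the ZERT patch).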
Q: From what addresses can I download alternative Internet browsers?
A: They can be downloaded from the following URLs:
Mozilla Firefox: www.mozilla.com/firefox/
Opera: www.opera.com
Netscape: browser.netscape.com
Q: Where is the so-called third-party security patch located?
A: This patch was made by the Zeroday Emergency Response Team (ZERT). The project Web site is located at isotf.org/zert/.
The direct link to the download section, including installation instructions, is isotf.org/zert/download.htm.
NOTE: This patch is no longer publicly available for download.
The Release Notes document is located at isotf.org/zert/tnotes.htm.
The Zip package includes the fix file itself, a Readme file and the source code. Sunbelt Software has installed this fix company-wide on its workstations in several countries.
Microsoft has advised waiting for an official fix of its own.
The ZERT members are widely known persons in the security community and security industry. One of the members is Ilfak Guilfanov, who made a third-party fix for the Windows Metafile vulnerability in December 2005 (the so-called WMF case).
After installing this fix, VML support can be tested by visiting the test sites mentioned earlier. When these sites are visited with Internet Explorer, the browser no longer crashes (test site #1) and the vector graphics clock no longer appears on the screen (test site #2).
Q: An official patch from Microsoft is available now. Is it necessary to uninstall the ZERT patch?
A: Yes. ZERT has stated that it is “IMPORTANT to rollback the ZERT patch, before or after the Microsoft patch for it to work”.
Q: Is it possible to use both the Regsvr32 method and the fix from ZERT?
A: Yes, this is possible without known problems.
Q: Is exploit code for this vulnerability publicly available?
A: Yes. The first public exploit code was released on a widely known security site on 19th September, i.e. only one day after the disclosure date.
The second exploit code, tested against Internet Explorer 6.0 SP1, was released on 20th September on a security mailing list and on a Web page.
Windows XP SP1 + IE6 SP1 and Windows 2000 SP4 + IE6 SP1 were the tested combinations of the third exploit code, released on 21st September.
The fourth, a so-called heap spraying based exploit code, was released on the code author's weblog on 22nd September. The author had announced upcoming disclosures on 21st September.
On Sunday 24th September the author reported that code execution on a Windows XP SP2 system is successful too. The updated report stated that no additional details would be published before Microsoft has released the fix.
UPDATE: On Sunday another heap spraying exploit code was released on a widely known security site. The code listing states that the newest code works on all XP versions including SP2 (Service Pack 2).
UPDATE #2: Later on Sunday the author who had said that no additional details about SP2 exploitation would be published did publish details after all, because another XP SP2 exploit had already been published.
One US company providing penetration testing services has released three working exploits via its partner program. These code listings are not publicly available.
Q: Is any user interaction needed when opening a malicious Web page?
A: No. Merely visiting a malicious Web page with Internet Explorer or opening a malicious HTML message with Outlook triggers the vulnerability.
Q: Are there any visual effects indicating the infection?
A: No. The user has no means of detecting the infection without examining the file system etc.
Q: Are there any changes to the file system made by the related malware?
A: Yes. The changes depend on the specific malware.
Q: What are the names of the malware exploiting this vulnerability?
A: The following names are in use:
Trojan.Vimalov [Symantec]
Exploit-VMLFill [McAfee]
EXPL_EXECOD.A [Trend Micro]
Troj/Dloadr-ANO, Troj/Goldun-EC, Troj/Goldun-ED [Sophos]
Exploit.HTML.VML.a [F-Secure]
Exploit/VML.A [Panda Software]
Exploit.HTML.VML.a, Exploit.HTML.VML.b [Kaspersky]
JS/Veemyfull!exploit [CA]
JScript/Veemyfull!exploit!Trojan [unknown AV vendor]
Exploit:HTML/Levem.C [Microsoft]
This document will be updated to include new names assigned.
Q: My AV vendor doesn't list names of this type on its Web pages. How do I know my AV software protects me?
A: It is possible that the anti-virus software has protection against this threat, but the malware database on the vendor's Web page does not include a specific write-up yet. The best way is to check the situation with your AV vendor.
Q: Are there SNORT rules for this vulnerability available?
A: Yes. Additional details can be obtained at the following address:
www.snort.org/rules/advisories/vrt-rules-2006-09-21.html
It is worth noting that SNORT cannot always detect these exploits, because of the several obfuscation methods used in the exploit codes with the help of JavaScript.
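The two points above, the "overly long fill parameter inside a rect tag" that the FAQ names as the trigger and the caveat that JavaScript obfuscation defeats signature matching, can be made concrete with a small content check. The following PowerShell function is an added example, written for this FAQ and not taken from the Snort rule set or from any vendor: it scans saved page or e-mail content for elements in the VML "v:" namespace and reports any attribute whose value is longer than a threshold, and it flags the presence of a script block so the reader knows when the static check has nothing to say. The 256-character threshold, the attribute names and the sample input are all constructed assumptions; the sample is not an exploit page.

```powershell
# Added example (not from the FAQ or the Snort rule): a static heuristic for the
# pattern the FAQ describes, an overly long attribute value on a VML element.
function Find-SuspiciousVml {
    param(
        [Parameter(Mandatory)][string]$Content,
        [int]$MaxAttributeLength = 256   # assumed cut-off, not a value from the FAQ
    )

    # Any element in the VML namespace (v:rect, v:fill, v:shape, ...) with its attribute text.
    $elementPattern = '(?is)<v:(?<tag>[a-z]+)\b(?<attrs>[^>]*)>'
    # name="value" or name='value' pairs inside that attribute text.
    $attrPattern    = '(?is)(?<name>[a-z:_-]+)\s*=\s*(?:"(?<val>[^"]*)"|''(?<val>[^'']*)'')'

    $findings = foreach ($el in [regex]::Matches($Content, $elementPattern)) {
        foreach ($attr in [regex]::Matches($el.Groups['attrs'].Value, $attrPattern)) {
            $len = $attr.Groups['val'].Value.Length
            if ($len -gt $MaxAttributeLength) {
                [pscustomobject]@{
                    Element   = 'v:' + $el.Groups['tag'].Value
                    Attribute = $attr.Groups['name'].Value
                    Length    = $len
                    Offset    = $el.Index
                }
            }
        }
    }

    [pscustomobject]@{
        Findings = @($findings)
        # The FAQ's caveat: when a page assembles its VML from script at run time there is
        # no static <v:...> element to inspect, so an empty Findings list is not a clean bill.
        ScriptPresent = [bool]($Content -match '(?i)<script\b')
    }
}

# Constructed sample (not a real exploit page): one ordinary rect, one rect with an
# abnormally long attribute value, and a script tag to exercise the caveat flag.
$sample = '<v:rect style="width:120pt;height:80pt" fillcolor="red"></v:rect>' +
          '<v:rect fillcolor="' + ('A' * 400) + '"></v:rect>' +
          '<script>/* VML assembled here would be invisible to the regex above */</script>'

$report = Find-SuspiciousVml -Content $sample
$report.Findings | Format-Table Element, Attribute, Length, Offset
"Script present: $($report.ScriptPresent)"
```

On the sample this reports one finding (the second v:rect, attribute fillcolor, length 400) and ScriptPresent = True. The same limitation the FAQ attributes to SNORT applies here: a page that builds the VML string in JavaScript and writes it into the document produces no match, which is why a length heuristic belongs alongside patching and the regsvr32 workaround rather than in place of them.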
Q: Are there Internet Storm Center (ISC) documents available about the issue?
A: Yes, the following Diary entries have been released:
- De-registering vgx.dll in an enterprise
- VML vuln being actively exploited
- Using ISA to help block VML exploit
- VML exploits with OS version detection
- Netcraft Report - HostGator servers exploited via cPanel, allowing redirection & VML exploitation
- Yellow: MSIE VML exploit spreading
- Updated MSIE VML Remote Buffer Overflow Exploit Code Released
- Yet another MSIE 0-day: VML
Q: Does Windows Live Safety Center detect this malware?
A: Yes. According to an MSRC Blog posting, detection has been added to Windows Live Safety Center (in Beta phase) when the Full Service Scan option is used.
Q: Is normal Web surfing safe during the next few days?
A: It is very difficult to answer yes or no. Because the exploit codes for this vulnerability are publicly available, the number of malicious sites may increase in the future. Additionally, malware authors can use these exploit codes to generate and spread new, previously unknown malware variants.
UPDATE: New types of attacks (e-postcard sites etc.) were reported on Monday.
Q: Is it possible to spread the malicious code in other formats, e.g. delivered with IM applications, USB sticks etc.?
A: This is not possible, because this vulnerability exploits a feature of the HTML language.
Q: When is the fix for this vulnerability expected?
A: It is impossible to give exact information. The next monthly security updates are scheduled for 10th October 2006. Microsoft has stated that it will release a patch outside the monthly cycle if the situation becomes more serious.
Q: Is there a CVE name available for this issue?
A: The Common Vulnerabilities and Exposures project has assigned the following CVE name:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4868. The previous CVE name CVE-2006-3866 has been rejected.
Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.
Q: Are there any changes in the widely known Internet threat meters of security vendors?
A: Yes. The Symantec ThreatCon meter was raised to level 2/4 this week:
www.symantec.com/avcenter/threatcon/learnabout.html
The Internet Storm Center InfoCon meter was raised to level Yellow on 22nd September:
isc.sans.org/infocon.php
ISS X-Force's AlertCon (Current Internet Threat Level) is at level 2, Increased vigilance:
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Additionally, the VML 0-day vulnerability is mentioned as one of the listed threats on the FrSIRT Security Threats Watch 24×7 page:
www.frsirt.com/english/threats/
Copyright (c) Juha-Matti Laurio, Finland (UTC +3hrs)
This document may be re-released if the source is mentioned.
Link to the most recent version of this document:
http://blogs.securiteam.com/?p=640
Finnish language version of the document:
http://www.networksecurity.fi/vml-ukk.html
Revision History:
1.0 24-09-2006 Initial release
1.1 24-09-2006 Minor fixes, added new ISC Diary reference
1.2 25-09-2006 Added information about the fifth exploit code
1.3 25-09-2006 Added information about fix related to Vgx.dll in MS04-028, minor updates
1.4 26-09-2006 Added several new ISC references
1.5 26-09-2006 Added information about released security update, minor fixes
1.6 27-09-2006 Added information about operations needed before MS06-055 update
Local Finnish time is used.
Credits:
The following sources were of significant help when writing this FAQ document:
SANS Internet Storm Center Diary
Sunbelt Software blog
F-Secure AV research laboratory blog
Just thought I’d pass on some info on the unofficial VML patch - under some (as yet unknown) conditions, the patch doesn’t seem to work and cannot be applied.
http://www.pcdoctor-guide.com/wordpress/?p=3463
Unregistering the DLL file, then applying the patch and then reregistering it seems to be a workaround for anyone affected.
Adrian
It seems to work in every case, unless your Internet Explorer is running. Close it, and it should work.
You should join the beta testers mailing list, we are always looking for help!
[…] I have released the Frequently Asked Questions document about Windows VML vulnerability and related malware. This version released on Saturday is Finnish language. English language version will be published very soon in this blog. UPDATE: English language FAQ is ready. […]
Hi,
I’ve just tried the 2 new tests on IE6 + 98SE and I didn’t get blasted, but your report indicates it should be? See here for more info - http://www.dslreports.com/forum/remark,16931821~days=9999
Spanner
[…] And there is a FAQ on the VML 0-day for IE here. (I’m trying to think how many other acronyms I could work into the last sentence…. get the FAQ for the IE VML 0D PDQ here…. oh well..) Spread the word. […]
Windows VML Vulnerability FAQ (CVE-2006-4868)…
This Frequently Asked Questions document describes critical zero-day vulnerability in Windows Vector Markup Language graphics implementation. The document describes related malwares as well. There is no official patch for this vulnerability available….
I was unable to apply the patch by either GUI or command line method on XP Pro SP2. I tried several different times. After reading the comments here, I thought I knew why. I had IE closed when attempting to apply the patch but I am not sure whether I had OE closed also. So, reading the above comment about needing to have IE closed made me wonder if I had left OE open when trying to apply the patch and being unsuccessful. Just now, I closed OE (IE was already closed) and tried again from the GUI and the patch applied immediately. I tested at both tests and IE is no longer vulnerable.
So, anyone having problems applying the patch make sure that Outlook Express and/or Outlook are closed (as well as IE) before attempting to apply.
Thanks for the excellent summary about this issue and the comments which helped me figure out why I couldn’t install the patch.
Flaw in Internet Explorer (VML Exploit)…
Sunbelt Software have recently (21st September 2006) discovered a serious flaw i…
[…] VML exploit in greeting-card e-mails. The VML security hole in Internet Explorer is by now being exploited in various ways. These include purported greeting-card e-mails intended to lure recipients to prepared Web pages. The security company Websense reports on one such example, in which a purported Yahoo greeting-card e-mail serves as the bait. In it the recipients are told that they have received a greeting card. They are asked to click the link in the e-mail to view the card. If they follow this request, they land on a prepared page containing an IFrame only 1 x 1 pixel in size. This loads the exploit code from another Web site into the current page. Vulnerable IE versions crash, and malicious code is injected and executed. This is a downloader program that fetches further malware from the Internet. Meanwhile, Juha-Matti Laurio has compiled a collection of questions and answers (FAQ) on the VML exploit on the Securiteam blog. Source: IDG Magazine Verlag GmbH/PC-WELT Online […]
Windows VML Vulnerability - FAQ…
Windows VML Vulnerability - Frequently Asked Questions by Juha-Matti This Frequently Asked Questions…
[…] The patch fixes a critical vulnerability in the way Internet Explorer renders VML (Vector Markup Language) graphics. Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days malicious activity had been on the upswing. Microsoft Security Bulletin MS06-055 discusses the problem and the patch. The out-of-cycle release is unusual, but not unprecedented. The Microsoft patch is available on Windows Update as I write. Also, if you’re more curious, SecuriTeam Blogs has a FAQ with all you’ll ever need to to know about the background of the VML exploit. Filed under Office, Security, Internet Explorer, Microsoft […]
Where to look for a patch/workaround for the older unsupported but affected OS, i.e. 98 & ME?
[…] The information about this patch has been added to the Windows VML Vulnerability FAQ […]
I tried the fix on w98 fe, ie6, and got the following message:
"LoadLibrary(%ProgramFiles%\CommonFiles\Microsoft Shared\VGX\vgx.dll") failed. GetLastError returns 0x00000485."
does anyone know what is going on?
How to patch windows 98 VML Vuln:
Replace the 98 vgx.dll with a vgx.dll from a patched win2k machine. It is located in C:\Program Files\Common Files\Microsoft Shared\vgx\. XP’s version should not be used on 98.
98/2k vgx.dll details:
Vulnerable:
v 6.0.2800.1411
size: 2,283,008 bytes
Modified: 3-10-04 7:09pm
Not Vulnerable (from a patched 2k box):
v 6.0.2800.1580
size: 2,286,080 bytes
Modified: 9-18-06 2:23pm
I have tested and confirmed this will work.
Mark-
First I would verify the vgx.dll file exists and make sure there is a space between “common files” b/c there is not one in what you typed above. You may be safer referencing this path instead:
C:\progra~1\common~1\micros~1\vgx\vgx.dll
Rather than unregistering I would replace the file with one from a patched 2k box as described in the previous message.
After patching our systems we have tried to re-register vgx.dll by command: regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", but it fails with a message "LoadLibrary("C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll") failed. Access is denied". Anyone having the same problem or found a solution?
I’m assuming you aren’t on 98 b/c of the commonfiles environmental variable. I’m guessing the problem is you applied both the unregister workaround and the NTFS ACL workaround. You have to reverse the ACL workaround first so you have permission to even work with the file. If you used Group Policy, just remove the group(s) you added to remove any explicit denies.
There is a patch from ZERT team for unsupported systems, Windows 9x etc. available:
http://blogs.securiteam.com/?p=652
[…] Juha-Matti Laurio does the hefty lifting, with an extensive FAQ here. […]
[…] Most of us remember the VML 0-day case in September ‘06. ZERT released a 3rd party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found from my Windows VML Vulnerability FAQ (CVE-2006-4868) document. The reporting timeline of three newest VML issues below: […]
[…] Last year, Determina reported the .ANI buffer overflow to Microsoft in December, but the acknowledgment from MS only came in early January (not to mention the patch itself came in March). Two years ago the WMF exploit made noise and since the Microsoft engineers were on vacation Ilfak and ZERT had to pitch in and release 3rd party patches for this problem. […]