New Windows VML Exploit Commandeers PCs
Posted: Sat Jan 13, 2007 12:58 pm
Dont forget to get the fix for the fix when it gets fixed.
A company that specializes in creating attacks for penetration testing came up with a working exploit of a critical Microsoft patch within just hours of the fix hitting the street Tuesday.
Immunity Inc., a Miami Beach, Fla.-based security and consulting firm, said earlier this week that it had published a working exploit for the VML (Vector Markup Language) vulnerability within three hours of Microsoft announcing the bug and issuing a patch.
The VML flaw, which was outlined in the MS07-004 security bulletin, affects Windows 2000- and Windows XP-powered PCs running Internet Explorer 5.01, 6.0, and 7. It is similar, researchers have said, to a VML vulnerability that was patched out-of-cycle in September.
Some security researchers put the VML bug at their top of their patch-now lists, and said that because there were active exploits already in circulation, users and enterprises should deploy this fix before any others issued Tuesday. Hackers could use the vulnerability to hijack PCs; all they need do is lure users to a malicious Web site. Simply viewing the malformed page could result in losing control of the PC, analysts have warned.
The phenomenon of a continuously shrinking window of time between the disclosure of a vulnerability and the appearance of a working exploit has become so pervasive that some wags have dubbed the day after Microsoft releases patches as "Exploit Wednesday."