Yep, you guessed it. It’s good ol’ IE again:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
I guess this proves that if you look at trash, some of it is bound to rub off on you. ;D
According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.
http://blog.washingtonpost.com/securityfix/2006/09/newly_detected_ie_exploit_spel.html
Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.
A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs. Customers are encouraged to keep their anti-virus software up to date.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
http://www.microsoft.com/technet/security/advisory/925568.mspx
So in other words, the malware pushers have at least two clear weeks to exploit this vulnerability, and they could do it by using third party content on legitimate sites, so don’t think that you’re safe if you don’t visit porn sites.
Hi FwF,
There might be a patch out earlier than Oct. 10th, because, as was heard, the exploit has been added to the Web Attacker Toolkit.
After patching, a rather large number of computers will still be vulnerable because they are not patched, or can’t be (pirated MS versions).
What is so disturbing here is that the issue seemed to have been addressed in an earlier patch, yet this one was still possible later. So they did half a job on the earlier one.
It would be revealing to see what old holes and bugs are intrinsically left. That would mean these things are fundamentally wrong in the coding, but we cannot establish this unless the code is opened up. All we have is security through obscurity.
polonus
Here’s an emergency work-around to disable VML rendering in Internet Explorer.
I don’t use my I.E. except for Windows Updates. Guess I will just continue using my other browsers for the time being.
From that same article that features the temporary work-around:
“it’s still a good idea to implement the above work-arounds since Internet Explorer is still present on the system.”
Hello bob3160, hello FwF,
Well over 10,000 websites will use the new VML 0-day exploit in the end to infect Internet Explorer users, is the warning of researcher Dan Hubbard. This was not known with certainty until very recently, but there is proof of it now that it has become part of the new WebAttacker toolkit: this new VML exploit was added. “We have seen new versions of WebAttacker on certain websites, and could compare them to older versions of it”, as Hubbard let us know.
The toolkit is produced by Russian cybercriminals, and is sold for the sum of 20 dollars. Through this toolkit it is possible to easily infect both Internet Explorer and Firefox users’ machines, whether they have patched their browsers or not.
There are around 10,000 sites that host the WebAttacker toolkit or point towards sites hosting the toolkit. Only approx. 20 sites are using the new exploit, but Hubbard expects that this number will rapidly grow when WebAttacker toolkit users update their “software”.
polonus
Hi Polonus,
I’ve just been listening to Steve Gibson and Leo Laporte discussing this very issue with Eric Sites from Sunbelt on the latest Security Now podcast:
Hi FwF,
Listened to this interesting podcast, well the first half of it (do not have a Win 2*** machine, so that is why).
A few notes on the side, though. Well, all this is because the enormous complexity of the Internet as a super-machine is growing way over our security heads, really.
In the Netherlands now a big bank does not accept users of Win 98SE or ME as customers for their internet banking, because their obsolete OS and old browsers are unsafe(r). For this exploit they are actually secure (IE before 5.0). Use something that is not used by the mainstream user, and you are reasonably “more secure” than Mr. Average or Mrs. Average are.
This is frightening news to realize: there is DLL functionality out there that cannot be patched for a month or more (hopefully an early patch is out), and the mainstream user does not un-register the DLL, I am sure, so thanks to ultra-new technology the Internet community is set at risk on a grand scale.
Does in-browser security protect you in any sense here, so you are warned not to go to these 20-odd sites (or all that I-frame link to them) through SiteAdvisor, GeoTrust, DrWeb anti-virus link checker?
Can you search through www.scandoo.com and still be infected with these graphical vector script independent malware infectors, just to raise money for the malware artists and cybercriminals at an investment of a lousy 20 bucks?
Waiting for the patch from M$ to come certainly is not the way to stop this. It would be better if Microsoft could feel the liability for putting the users at risk through their software with buggy code where it hurts most, in their big purses. There are a lot of people that say, if this was to happen, they would have a better urge to make their code safer (link on this standpoint here: http://www.cio.com/blog_view.html?CID=24948 ).
Other info on this bug:
http://www.kb.cert.org/vuls/id/416092
polonus
We’ve also confirmed that Windows XP Service Pack 2 users can enable system-wide enforcement of software-enforced DEP to effectively block the in-the-wild exploits of this vulnerability, while retaining the ability to use the targeted Vector Markup Language (VML) functionality. Microsoft Knowledge Base Article 875352 describes how to change DEP policy using either the System control panel applet or the boot.ini file. Either method requires a system reboot to take effect.
http://blogs.securiteam.com/index.php/archives/624
[A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003
http://support.microsoft.com/kb/875352]
Also worth mentioning is that the current in-the-wild exploits attempt system-wide software installations, as do most zero-day exploits for such vulnerabilities. If your browser is not running under an account with administrative privileges, this will not succeed. The most effective way to do this is for users to log on interactively with accounts running as Limited Users, rather than members of the privileged Power Users or Administrators groups. Michael Howard wrote an MSDN article that describes an alternative way to run high-risk applications like browsers without administrative privileges if you require a privileged interactive logon for some reason.
That’s the application DavidR’s always recommending to us: DropMyRights.
And a very useful non-intrusive tool it is once you set up the shortcuts that can limit the harm of any malware that gets past your defences, not only 0-day exploits.
And it is nice of him to do so. cf. DropMyRights
The DropMyRights link in my signature tries to simplify the set-up.
The MS page has some very good images and is worth printing if you are considering it. I use it for any program that connects to the internet: all browsers, email program, MailWasher anti-spam.
Once set up, it is very unusual if you need to use the browser without the DropMyRights shortcut, such as for Windows Update where you currently need administrator rights. I assume that will all have to change for Vista as and when it arrives with its UAC, or you will have to enter the administrator password, something I’m not too happy about doing on-line. Don’t I trust MS? About as far as I could throw them ;D
And a very useful non-intrusive tool it is once you set up the shortcuts that can limit the harm of any malware that gets past your defences, not only 0-day exploits.
Preaching to the choir here: I’ve been using it for a long time.
Thanks for letting us know about it David!
I’m aware of that Frank, the comment was more aimed at others who might be viewing the Topic, now or later, currently (Read 192 times).
A reputable group known as "ZERT" — Zeroday Emergency Response Team — has produced a very nice GUI and Command Line patch utility which repairs the VML buffer overrun design flaw in Microsoft's VGX.DLL file. Since VML is very rarely used on the web, “unregistering” the vulnerable DLL to take it completely out of service is probably the more prudent countermeasure. But if you choose to unregister the DLL you will need to remember to re-register it later. And corporate users may wish to employ ZERT’s CommandLine tool to patch all Windows systems network-wide. (Full source code is included to allow independent verification of the utility’s operation.)
This ZERT page contains the latest information on this alternative:
Additionally, and either way, a simple and benign vulnerability test page is available from their download page. It will (a) crash your IE browser if your system is currently vulnerable, (b) display two red rectangles if your browser has VML enabled (registered) and safely patched, or (c) pop-up a dialog box informing you that your IE is immune to this vulnerability if VGX.DLL is unregistered and you have scripting enabled to allow the pop-up. (If scripting is disabled for untrusted sites you’ll just get a blank page.)
See the details of this testing page here:
http://isotf.org/zert/download.htm
Note that using this patching solution will “re-register” the VGX.DLL file for use by your system. So if you want double protection you could patch the file then follow the instructions below to also unregister it (though doing either is also certainly sufficient).
* Microsoft's VML Security Advisory — "Vulnerability in Vector Markup Language Could Allow Remote Code Execution." This advisory provides a general overview of the problem and, fortunately, also provides a robust interim work-around to disable Windows' and IE's VML parsing. This can and should be used until Microsoft has repaired the buffer overrun in the VGX.DLL VML parser that is being actively exploited on the Internet.

* How to protect your system: As detailed in Microsoft's VML security advisory (see link above), you can quickly, easily, and safely protect your system from possible VML exploitation by "unregistering" the defective DLL. The system will no longer be able to render web-based vector markup language graphics, but you won't notice any difference since few sites use VML for benign purposes. Simply copy this command from this page (highlight the entire line then type Ctrl-C to Copy it into the clipboard), then open the "Run..." dialog by pressing your system's Start button and choosing "Run..." Press "Backspace" to remove anything that might already be in the "Open" field, then type "Ctrl-V" to paste the command into the field. Press "OK" to execute the command and you should receive a dialog confirming that the VGX.DLL file has been "unregistered" ...

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Please tell your family and friends and spread the word. Since this newly discovered Windows VML defect is being actively exploited by thousands of web sites to install malware, and since viewing malicious eMail with many versions of Outlook will also cause this to occur, EVERY Windows user is a potential victim. Please help people to protect themselves.

* How to "re-register" the VGX.DLL: Once Microsoft has repaired this defect, which should happen no later than the second Tuesday in October (Oct. 10th) — and after you have applied those October security updates — you should re-register the repaired VGX.DLL file by repeating the steps above, but using a command without the "-u" argument, as follows:

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

At that time, please also remind anyone you may have helped to protect themselves through un-registering the DLL to re-register it AFTER they have updated their system with the current October patches.
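For anyone who has to apply the unregister / re-register steps above to more than one machine, here is a small batch wrapper as an added example; it is not from the GRC page, ZERT or Microsoft. It uses only the vgx.dll path quoted above and assumes regsvr32 returns exit code 0 on success and non-zero on failure; the log file location is my own choice.

```batch
@echo off
rem Added example (not from GRC, ZERT or Microsoft): scripts the VGX.DLL
rem workaround so it can be run from a logon script and checked afterwards.
rem   vgx-toggle.cmd disable   - unregister vgx.dll (before the October patch)
rem   vgx-toggle.cmd enable    - re-register vgx.dll (after the patch is installed)
rem Assumption: regsvr32 exits 0 on success and non-zero on failure.
setlocal
set "VGX=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
set "LOG=%TEMP%\vgx-toggle.log"

rem Nothing to do on machines where the VML component was never installed.
if not exist "%VGX%" (
    echo %DATE% %TIME% %COMPUTERNAME% vgx.dll not found, nothing to do>>"%LOG%"
    echo vgx.dll not present on this system; nothing to do.
    exit /b 0
)

rem Decide the regsvr32 switch first, then run it outside the if-block so
rem ERRORLEVEL reflects regsvr32 and not the set command.
if /i "%~1"=="disable" (
    set "FLAG=/u"
    set "ACTION=unregister"
) else if /i "%~1"=="enable" (
    set "FLAG="
    set "ACTION=re-register"
) else (
    echo Usage: %~nx0 disable  or  %~nx0 enable
    exit /b 2
)

rem /s suppresses the confirmation dialog so the script runs unattended.
regsvr32 /s %FLAG% "%VGX%"
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME% %ACTION% FAILED errorlevel %ERRORLEVEL%>>"%LOG%"
    echo %ACTION% of vgx.dll failed; run from an administrator account and see "%LOG%".
    exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME% %ACTION% OK>>"%LOG%"
echo %ACTION% of vgx.dll succeeded.
endlocal
```

The log line per machine makes it easy to confirm, after the October update, that every box that was disabled has been re-enabled again.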
A video of the exploit in action.
http://www.websense.com/securitylabs/blog/blog.php?BlogID=82
The interesting thing is that nothing seems to happen: the attack occurs “behind the scenes”.
Interestingly, the site is not a “porn” site: the exploit has spread to legitimate looking sites. Websense has some examples here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632
The URLs are obscured but not hard to find, so heed the warning:
DO NOT VISIT THESE SITES. YOU WILL BE COMPROMISED. :o
According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.
As predicted, this now seems to have happened:
Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.
http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html
Microsoft are playing down the problem, but umming and ahing about bringing out a patch before October 10th:
Microsoft's security team said Friday afternoon that it may release a patch for the VML exploit before its next scheduled update on Oct. 10. "Attacks remain limited," Microsoft's Scott Deacon wrote on the Security Response blog. "There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either." “Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability,” Deacon added. “We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment.”
(Same link)
Please note that the universal application of the DEP feature as described earlier in the thread may result in some legitimate programs failing to function correctly.
In SP2, the feature is not applied by default, probably for this reason. Anybody applying it as protection against the VML exploit needs to bear in mind that it may cause problems.
I applied the DEP feature on my computer (software only, as I have an older chip) and soon after I got this message while running Ad-Aware: