New VML exploit found, considered unreliable

Hours after hackers posted public code designed to take advantage of the recently patched Microsoft Vector Markup Language (VML) vulnerability, VeriSign iDefense security researchers discovered a private, in-the-wild exploit attacking the bug.

Users could be affected if they visit a website exploiting the integer overflow vulnerability and if they have not patched their systems with the latest fix, released Jan. 8, said Ken Dunham, director of VeriSign iDefense Rapid Response Team.

But the exploit is not widespread and appears unreliable following a round of tests this morning, Dunham said.

"It doesn't work all the time, even if you have an unpatched machine," he told SCMagazine.com today.

According to a Microsoft bulletin, the vulnerability could permit an attacker to execute remote code and take "complete control of an affected system."

The private exploit discovered by Dunham and his team is not to be confused with public code exploiting the flaw that was posted Tuesday to a popular online forum. A Microsoft spokesperson told SCMagazine.com today that Microsoft was not aware of any customers being affected by either piece of exploit code and that users are protected if patches are installed.

But Dunham said private code is typically more harmful because "someone has the knowledge to deploy it, and you may not have signatures to protect against it."

VML bugs are nothing new to Microsoft users. Last September, the software giant was forced to issue an out-of-cycle fix for a VML vulnerability related to a buffer overflow.

The two flaws, while similar, require separate patches.

"This is a new and distinct VML vulnerability," Dunham said of the latest hole. "You have got to be patched from the latest and greatest to ensure you are not vulnerable to this attack."

But, he admitted, the September VML bug impacted a much wider victim base. At the time, Dunham reported attacks on 45 large company networks, affecting some 10,000 customers.

"Right now, there's nothing like what we saw in September of last year," he said. "It was being deployed much more rapidly."

A Microsoft spokesperson could not be immediately reached for comment today.
