SANS threat level back to green after yellow weekend caused by VML attacks

SANS Institute's Infocon threat level has returned to green after being raised to yellow for 24 hours, starting Friday, to draw attention to the attacks.

"New versions of exploits continue to be released publicly," Swa Frantzen, a researcher posting on the SANS Internet Storm Center website, said today. "We also still get new sites detecting exploits and reporting this to us. There is still reason to act if you haven't done so yet. This exploit is one that's going to stay with us, so you do need protection. Waiting will not make the problem go away."

Meanwhile, a group of engineers has released a third-party fix designed to stop vector markup language (VML) attacks that exploit Microsoft's latest unpatched zero-day flaw.

The Zeroday Emergency Response Team (ZERT) said on its website that the group's purpose is not to "crack products, but rather to uncrack them by averting security vulnerabilities in them before they can be widely exploited."

A Microsoft spokesman said last week that the Redmond, Wash.-based software giant is planning an Oct. 10 patch release, or sooner if necessary.

Late last week, researchers at VeriSign iDefense warned of increased attacks attempting to exploit the flaw, which can allow remote code execution. The vulnerability stems from a buffer overflow in Internet Explorer's handling of VML, an XML-based format used to produce vector graphics.

The non-vendor fix from ZERT is reminiscent of the Windows Metafile third-party patch delivered in January by software developer Ilfak Guilfanov, who is a member of ZERT, Kaspersky Lab's Konstantin Kornakov said today on the company's Viruslist website.

"…Even if third-party patches are not tested as thoroughly, they have one significant advantage - speed of release," Kornakov said. "Microsoft has been reluctant to change its traditional monthly update cycle, but attackers are now exploiting the window of opportunity left by its scheduled nature, releasing exploit code and starting attacks immediately after the monthly update is released."

Microsoft security experts, meanwhile, have disputed that the VML flaw poses an immediate widespread risk, saying in postings on the Microsoft Security Response Center blog that attacks remained limited. Regardless, the company said it has been "working non-stop on an update."

But at a time when zero-day flaws are becoming the norm, some have responded on their own.

"It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution," ZERT said on its website.

Reported by Dan Kaplan.