Tuesday, September 19, 2006

Microsoft Security Advisory 925568 Released

Microsoft has issued Security Advisory 925568, which describes a vulnerability in Vector Markup Language (VML) that could allow remote code execution. As reported at the Microsoft Security Center Blog:

". . . this exploit code could allow an attacker to execute arbitrary code on the user's system. We also want you to know that we’re aware that this vulnerability is being actively exploited. Thus far the attacks appear targeted and very limited. We’ve actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks."

========================================
Summary
========================================

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In an e-mail based attack of this exploit, customers who read e-mail in plain text are mitigated from this vulnerability; instead, users would have to click on a link that would take them to a malicious Web site, or open an attachment, to be at risk from this vulnerability.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default.


========================================
Additional Resources:
========================================

• Microsoft released Security Advisory 925568 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/925568.mspx

• Microsoft Knowledgebase Article 925568 - Microsoft Security Advisory: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://support.microsoft.com/kb/925568

• MSRC Blog:
http://blogs.technet.com/msrc/
Note: check the MSRC Blog periodically as new information may appear there.
