    Update on VML Exploit – IE 0-day

    Two new variations of the Proof-of-Concept (PoC) exploit targeting the 0-day VML vulnerability have been publicly posted on two web sources. Both target the same vulnerability as EXPL_EXECOD.A does, but with some modifications to the way it is exploited (the value passed to the fill method inside the rect tag). As their authors describe them, the PoC posted at XSec can cause Remote Code Execution, while the PoC posted at Milw0rm can cause Denial of Service.


    If you will recall, this was first discovered in the wild by Sunbelt, and a number of sites have also been found using the exploit to infect unsuspecting users. Microsoft has been aware of this security bug since Sunbelt posted an entry about it, and on September 19 Microsoft published a Security Advisory (925568) that addresses this issue. Microsoft has dubbed the vulnerability "Vulnerability in Vector Markup Language Could Allow Remote Code Execution". Microsoft has also suggested four (4) possible workarounds to protect users from this bug while it works on the official patch, which will hopefully be released on October 10, 2006.


    One of the workarounds that Microsoft has suggested is to unregister Vgx.dll, which is the affected component.

    Follow these steps to unregister the dll.

    1. Click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll", and then click OK.
    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    However, applications that render VML will no longer do so once Vgx.dll has been unregistered.

    To undo this change, re-register Vgx.dll by following the above steps, replacing the text in Step 1 with regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".
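
To confirm that the workaround took effect (or was later undone), the registration state can be read back from the registry. The script below is an added example, not part of the original post or of Microsoft's advisory; it assumes Vgx.dll is registered as an in-process COM server under the machine-wide CLSID keys, and it only reads the registration, never changes it.

```powershell
# Added example: read-only audit of the Vgx.dll workaround on one machine.
# The DLL path is the one used in the workaround steps; the registry roots are
# the standard machine-wide COM class locations (WOW6432Node exists on 64-bit only).
$vgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID'
)

function Get-VgxRegistration {
    # Return every COM class whose in-process server is vgx.dll.
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            try {
                $key = $clsid.OpenSubKey('InprocServer32')
            } catch {
                continue   # key not readable with the current rights; skip it
            }
            if ($null -eq $key) { continue }
            $server = [string]$key.GetValue('')   # default value holds the DLL path
            $key.Close()
            if ($server -match '(^|\\)vgx\.dll"?\s*$') {
                [pscustomobject]@{ Clsid = $clsid.PSChildName; Server = $server; Root = $root }
            }
        }
    }
}

$registered = @(Get-VgxRegistration)

# Summary first, then the individual registrations (empty once unregistered).
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    DllPresent        = Test-Path -LiteralPath $vgxPath
    RegisteredClasses = $registered.Count
    WorkaroundApplied = ($registered.Count -eq 0)
} | Format-List
$registered | Format-Table -AutoSize
```

Unregistering leaves the file on disk, so DllPresent can be True while WorkaroundApplied is also True; the registry result is the one that matters.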






     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice