New Exploit Could Affect Both Office 2007 and IE
An exploit involving the Vector Markup Language (VML) library in Windows, discovered yesterday by security consultancy Sunbelt and verified by Microsoft this afternoon, could potentially affect not only users of Internet Explorer, but also users of the current beta of Office 2007.
Like so many recently discovered vulnerabilities, this one too involves a twist on an old exploit that Microsoft may have thought it patched back in 2004. But this new VML buffer overrun may be of more critical importance now than two years ago, since VML is now a standard component of the Office Open XML format -- the default file format of the next edition of Microsoft Office.
Late yesterday, Sunbelt's vice president for research, Eric Sites, posted screenshots to his company's blog reportedly showing a malicious program failing to be detected by Microsoft's Baseline Security Analyzer, just prior to launching shellcode -- machine code routines invoked through the command prompt -- which Sites described as spyware.
In an interview with the Washington Post's Brian Krebs, Sites stated Sunbelt wasn't entirely certain yet what the alleged spyware would do.
This afternoon, Microsoft confirmed the problem, posting a new security advisory. While the advisory did not specifically list Internet Explorer, it did provide boilerplate text describing a Web-based attack scenario, where theoretically an attack could be launched using this exploit.
But Sunbelt's explanation of the exploit's discovery on one of its virtual systems did not state that Sunbelt knew it originated from Internet Explorer. Late today, Sunbelt's Sites told BetaNews he believed the VML library in question (VGX.DLL) was installed with Internet Explorer 5.0, though he wasn't certain. He said he would investigate the possibility of the Office 2007 beta being involved.
On one of our test systems where the Office 2007 beta is installed, the version of VGX.DLL registered there (6.0.2900.2180) was the same as on a Windows XP Professional SP2 system where only Office 2003 is installed. Word 2003 also uses VML for the current version of WordArt, a drop-in customizable graphics library.
So while VML isn't just for Web pages any more, the most recently trusted -- and patched -- version of the VML library appears to be the one installed with the operating system. This discounts the possibility that a later version of VGX.DLL, perhaps installed by a beta program, overwrote the existing patched version and re-introduced the 2004 vulnerability.
The problem there, however, is that a malware attack that exploits VML could do damage that extends beyond just the browser to Office and perhaps other applications as well. Further, it opens the possibility that the Web-based attack scenario posited by Microsoft may not be the only way the library is exploited.
When asked by BetaNews, Sunbelt engineers could not confirm that the malware they detected was derived from a Web-based attack. Although the VML library has no active code elements -- it doesn't execute commands, it merely explains how graphics are rendered -- an Office document that does contain active elements could be delivered via e-mail. However, system policies for Outlook or Outlook Express may have to be relaxed. Sunbelt did not comment on that possibility today, probably pending further research.
The consultancy Internet Security Systems issued a report on an e-mail-based VML exploit in May 2004. As of today, ISS' database suggests this problem has never been addressed, though it rates the risk level for this problem as "medium."
In its advisory today, Microsoft said it was aware that this newly discovered twist was being actively exploited, and that it has set a milestone date of October 10 to produce a patch. Sunbelt's Eric Sites suggested that users who may be suspicious of VML's behavior can easily disable it using the following command at the prompt: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
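As an added example (not part of the article, nor Microsoft's or Sunbelt's own tooling), the following PowerShell script carries out the check the article describes: it reports the file version of VGX.DLL at the default install path quoted above, compares it with the 6.0.2900.2180 build the article observed, tells you whether the library is still registered as a COM server, and wraps the same regsvr32 -u command for disabling it. The path, the version constant and the function names are assumptions taken from the article, not from any vendor documentation.

```powershell
# Added example: inspect and optionally unregister the VML library (vgx.dll).
# Assumed default location, as quoted in the article's regsvr32 command.
$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'
# Version the article observed on XP SP2 / Office 2003 and on the Office 2007 beta box.
$ObservedVersion = '6.0.2900.2180'

function Get-VgxStatus {
    if (-not (Test-Path -Path $VgxPath)) {
        return [pscustomobject]@{ Present = $false; Version = $null; MatchesObserved = $false; Registered = $false }
    }
    # Build the dotted version from the numeric parts; FileVersion alone may carry a build-lab suffix.
    $vi = (Get-Item -Path $VgxPath).VersionInfo
    $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # A registered in-process COM server lists its DLL under HKCR\CLSID\{...}\InprocServer32.
    # Scanning for vgx.dll avoids hard-coding a CLSID that the article never names.
    $registered = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
        Where-Object { $_.'(default)' -like '*vgx.dll*' } |
        Select-Object -First 1

    [pscustomobject]@{
        Present         = $true
        Version         = $version
        MatchesObserved = ($version -eq $ObservedVersion)
        Registered      = [bool]$registered
    }
}

function Disable-Vgx {
    # Same mitigation as the article's command; requires an elevated prompt.
    # /s suppresses the confirmation dialog so the call can run from a script.
    & regsvr32.exe /u /s "$VgxPath"
    return ($LASTEXITCODE -eq 0)
}

# Report the current state; call Disable-Vgx separately once you have decided to unregister.
Get-VgxStatus | Format-List
```

Re-registering later is the reverse call (regsvr32 "$VgxPath"), which a patch installer will typically do on its own.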