Zero-Day Vulnerability Detected in Windows VML

Microsoft on Tuesday confirmed reports of a vulnerability in the Windows implementation of Vector Markup Language (VML), code used to create vector graphics.

It’s the latest in a string of zero-day exploits: attacks that target security flaws for which the vendor has no patch yet, either because it does not know about the flaw or because it is aware of it and is working frantically to fix it. The SANS Institute reports that attacks involving these types of flaws are on the rise.

“Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system. We also want you to know that we’re aware that this vulnerability is being actively exploited,” Microsoft wrote in Security Advisory 925568.

The attacks appear to be “targeted and very limited,” Microsoft added. The company assured customers it is working on an update that addresses this vulnerability. The firm aims to have it ready for its Oct. 10 Patch Tuesday release, or before that if widespread attacks are reported.

Yet Another Buffer Overflow

A buffer overflow is to blame for the vulnerability. This occurs when a program writes more data into a fixed-size holding area (a buffer) than the buffer was allocated to hold. The root cause is a missing or incorrect check that the length of the incoming data fits the buffer before it is copied. The excess bytes overwrite adjacent memory, which can crash the program or, when the attacker controls the overwritten data, redirect execution to code of the attacker’s choosing.
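To make the missing bounds check concrete, here is an added C example; it is not code from the article, from Microsoft or from iDefense, and it is not the vgx.dll parser. It is a hypothetical parser that pulls a quoted attribute value out of a constructed VML-style tag (`<v:fill method="...">`, chosen only as a familiar-looking sample) and copies it into a fixed stack buffer. `parse_attr_unsafe` trusts the length implied by the markup; `parse_attr_safe` checks it against the buffer size and refuses over-long values. The helper names, the buffer size `ATTR_BUF` and the sample tags are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed stack buffer an attribute value is copied into.
 * Deliberately small (an assumption for the example) so the over-long
 * case is easy to see. */
#define ATTR_BUF 32

/* Locate the quoted value of `attr` in a single tag such as
 * <v:fill method="..."> . Returns the value length, or -1 if the
 * attribute (or its closing quote) is absent; *start points at the value.
 * A plain strstr() is enough for a one-tag demo; a real parser would
 * tokenize properly. */
static int find_attr(const char *tag, const char *attr, const char **start)
{
    const char *p = strstr(tag, attr);
    if (p == NULL) return -1;
    p += strlen(attr);
    if (p[0] != '=' || p[1] != '"') return -1;
    p += 2;
    const char *end = strchr(p, '"');
    if (end == NULL) return -1;
    *start = p;
    return (int)(end - p);
}

/* Vulnerable consumer: copies however many bytes the markup supplied.
 * A value of ATTR_BUF bytes or more writes past the end of `buf` into
 * whatever follows it on the stack. Only ever call this with short
 * input; it is here to show the missing comparison, not to be run. */
int parse_attr_unsafe(const char *tag, const char *attr)
{
    char buf[ATTR_BUF];
    const char *val;
    int n = find_attr(tag, attr, &val);
    if (n < 0) return -1;
    memcpy(buf, val, (size_t)n);   /* no check of n against sizeof buf */
    buf[n] = '\0';
    return n;
}

/* Hardened consumer: the length check is the step the unsafe version
 * lacks. Over-long values are refused (-2), not silently truncated, so
 * the caller fails closed and sees the bad input. */
int parse_attr_safe(const char *tag, const char *attr, char *out, size_t out_len)
{
    const char *val;
    int n = find_attr(tag, attr, &val);
    if (n < 0) return -1;
    if ((size_t)n >= out_len) return -2;   /* would overflow: refuse */
    memcpy(out, val, (size_t)n);
    out[n] = '\0';
    return n;
}

/* Build a constructed sample tag whose `method` value is `len` bytes of
 * 'A'. Returns the tag length, or -1 if `tag` cannot hold it. */
int make_fill_tag(char *tag, size_t tag_len, size_t len)
{
    const char *prefix = "<v:fill method=\"";
    const char *suffix = "\">";
    size_t need = strlen(prefix) + len + strlen(suffix) + 1;
    if (need > tag_len) return -1;
    char *p = tag;
    memcpy(p, prefix, strlen(prefix));
    p += strlen(prefix);
    memset(p, 'A', len);
    p += len;
    memcpy(p, suffix, strlen(suffix) + 1);   /* includes the NUL */
    return (int)(need - 1);
}

/* Result of the hardened parser for a value of `len` bytes:
 * len on success, -2 when the value would not fit, -3 on a build error. */
int safe_result_for_len(size_t len)
{
    char tag[512];
    char out[ATTR_BUF];
    if (make_fill_tag(tag, sizeof tag, len) < 0) return -3;
    return parse_attr_safe(tag, "method", out, sizeof out);
}

int main(void)
{
    char tag[512];
    make_fill_tag(tag, sizeof tag, 8);
    printf("8-byte value:   safe=%d unsafe=%d\n",
           safe_result_for_len(8), parse_attr_unsafe(tag, "method"));
    printf("200-byte value: safe=%d (refused; the unsafe path would smash the stack)\n",
           safe_result_for_len(200));
    return 0;
}
```

The point of the example is the single comparison in `parse_attr_safe`: the parser already knows how long the value is, so the bug is not in measuring the input but in never comparing that measurement against the destination. Rejecting the value, rather than truncating it, also gives a detection hook: a renderer that logs refused values would have surfaced the long attribute strings used in attacks of this kind.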

“Public exploit code now exists to crash the browser via the VML vulnerability,” iDefense Senior Engineer Ken Dunham told TechNewsWorld. “iDefense has tested this code and was able to quickly modify it to perform execution of code in a test environment.”

The new zero-day attack code is easy to reproduce and offers great potential for widespread Web-based attacks in the near future. In fact, Dunham noted that two additional exploit sites have been confirmed in the wild in the past 24 hours: and

Russian Hackers Attack

Specifically, WebAttacker, a Russian malicious code toolkit, is being used to launch current attacks in the wild, according to Dunham’s research. WebAttacker is an attack tool that has been popularized through the Russian underground this year. It sells for about US$250.

“It is able to quickly generate exploits for multiple Internet Explorer and Firefox vulnerabilities to efficiently launch malicious code in the wild,” Dunham explained. “This attack tool also comes with detailed step-by-step instructions on usage and provides reports back to hackers, such as statistics on which exploits are most successful in malicious code deployments.”

Mitigating the Risk

Fully patched Internet Explorer browsers are vulnerable to attack. Disabling JavaScript and blocking access to known hostile URLs that host exploit or malicious code related to this vulnerability reduce the risk, but neither removes the flaw: the vulnerable code lives in the VML component (Vgx.dll) that Internet Explorer loads to render VML markup, and Microsoft’s advisory also lists unregistering Vgx.dll as a workaround until the update ships.

iDefense research previously uncovered several domains it suggests blocking, including,, and

Microsoft offers some advice as well. An attacker would have no way to force users to visit these Web sites, the company said. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message.

“In an e-mail-based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability,” Microsoft wrote in its security advisory.
