Zero-Day VML Vulnerability Impacts IE, Windows

By , About.com Guide

September 19, 2006

The Microsoft Security Response Center has announced the discovery of a zero-day vulnerability in the Windows implementation of Vector Markup Language (VML). The vulnerability impacts all supported versions of Internet Explorer, all supported versions of Microsoft Windows 2003, Windows XP, and Windows 2000, and recent versions of Outlook and Outlook Express.

A successful exploit of the flaw could allow a remote attacker to run arbitrary code (i.e., malicious software) on vulnerable systems, with the same rights and privileges as the currently logged-on user.

What is VML?
Vector Markup Language, or VML, is an XML-based language that allows for the creation of graphics via special markup tags included in the HTML code used to create web pages.

How can the exploit occur?
The vulnerability can be exploited by a malicious website. It can also be exploited via a specially crafted HTML email message. In the latter instance, the exploit would occur when the email message was read or previewed and would not require the recipient to open an attachment or follow a link contained within the email. (Of course, an email containing a link to a booby-trapped website is also a possible attack vector, but it would require the recipient to click the link to visit the website.)

What are the workarounds?

  1. Unregister Vgx.dll:
    Click Start
    Click Run
    Type the following:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    Click OK
  2. Read email in plain text only. This is simply good practice, period. For a discussion of plain text email and guides to configure your mail client, see "Plain Text Email is Safer".
  3. For domain admins with dozens, hundreds, or even thousands of machines to protect, Jesper Johansson (co-author of "Protect Your Windows Network") provides security templates that disable and enable vgx.dll (the dll that renders VML). For details, see "Block VML Zero-Day Vuln on a Domain".
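
For administrators who want to script workaround 1 rather than use the Run dialog, the following is an added example and is not part of the original article or of Microsoft's advisory. The function name `Set-VgxRegistration` and its parameters are hypothetical; the DLL path is the default one given above. It must be run from an elevated prompt.

```powershell
# Added example: scripted form of workaround 1 (unregister vgx.dll).
# Set-VgxRegistration and its parameters are hypothetical names, not a Microsoft tool.
function Set-VgxRegistration {
    param(
        # Pass -Register to undo the workaround once a fix has been installed.
        [switch]$Register,
        # Default path as given in the article; override if the DLL lives elsewhere.
        [string]$DllPath = (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll')
    )

    # Changing COM registration requires administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error 'Run this from an elevated (administrator) prompt.'
        return $false
    }

    if (-not (Test-Path -LiteralPath $DllPath)) {
        Write-Warning "vgx.dll not found at '$DllPath'; nothing to change."
        return $false
    }

    # /s suppresses the confirmation dialog so the script can run unattended;
    # /u unregisters the DLL (the workaround). Without /u the DLL is registered again.
    $regArgs = @('/s')
    if (-not $Register) { $regArgs += '/u' }
    $regArgs += "`"$DllPath`""

    $regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
    $proc = Start-Process -FilePath $regsvr -ArgumentList $regArgs -Wait -PassThru

    # regsvr32 exits with 0 on success and a non-zero code on failure.
    if ($proc.ExitCode -ne 0) {
        Write-Error "regsvr32 failed with exit code $($proc.ExitCode) for '$DllPath'."
        return $false
    }

    $action = if ($Register) { 'registered' } else { 'unregistered' }
    Write-Output "vgx.dll $action on $env:COMPUTERNAME."
    return $true
}

# Apply the workaround on the local machine.
Set-VgxRegistration
```

Because the function reports failure through its return value and the error stream, the result can be collected per machine when it is pushed out by a logon script or management tool.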

Other links:

  • Microsoft Security Advisory 925568
  • Microsoft Security Response Center blog

    Disclaimer: I work for Microsoft. This article, and all articles and opinions expressed on this site, are based entirely on my own independent research, and do not reflect the opinion of Microsoft.
