January 16, 2007 5:09 PM PST

Attack code out for 'critical' Windows flaw

Computer code that exploits a security vulnerability in Windows has been published on the Internet, making it more urgent for users of the operating system to patch.

The attack code exploits a flaw in the way Windows handles Vector Markup Language, or VML, documents, which are used for a type of high-quality graphic on the Web. The bug lies in a Windows component called "vgx.dll" that supports these files.

Microsoft provided a fix for the flaw last week with security bulletin MS07-004. At the time, the company warned that it had already seen limited cyberattacks exploiting the vulnerability. However, attack code hadn't been available publicly. On Tuesday, exploit code was published to a widely read online security forum.

"Microsoft is aware that detailed exploit code was published on the Internet that may take advantage of the vulnerability addressed by Microsoft security bulletin MS07-004," a company representative said in a statement. "Microsoft encourages all customers to apply the most recent security updates."

Prior to the public posting of the exploit, other code that takes advantage of the flaw had been made available to users of a security testing tool made by Immunity. However, these attack blueprints are private, supplied to people who pay for the tool.

Functionality of the public exploit code appears to be limited, Symantec said in an alert to users of its DeepSight security intelligence service Tuesday. Symantec was unable to get the exploit to work on English-language versions of Windows XP and Windows 2000, the company said. Still, the exploit could provide a starting point for other hackers, Symantec said.

"The author has posted the exact location of the flaw, shown in a screen shot from a binary analyzer, increasing the likelihood of other exploits being developed," according to the Symantec alert.

The VML flaw is similar to a bug for which Microsoft rushed out a fix in September after Windows users came under attack. The vulnerability can be exploited by tricking a user into viewing a malicious VML file on a Web site with Internet Explorer.

All recent versions of Windows are vulnerable when any recent version of IE, including IE 7, is in use, according to Microsoft. The exception is Windows Vista, which is not affected, the software maker said. Microsoft's patches are distributed via Automatic Updates and on the company's Microsoft Update downloads Web site.

Another day, another M$ vulnerability...
It was encouraging to see MS Vista was not affected, perhaps Microsoft is actually starting to "get it"? I'll reserve judgment on that for now.

In nature, biodiversity prevents a single virus from wiping out an entire species. Do your part and diversify. Try OpenOffice, Eudora, Firefox, maybe a complete new operating system if you have a second PC. Otherwise don't complain the next time that all-Microsoft machine of yours is polluted with spyware and viruses.
Posted by Microsoft_Facts (109 comments )
No kidding... where are the astroturfers now?
For all the shouting and hoopla over Apple 'flaws' (see also the ego-masturbation known as "Month of Apple Bugs"), I'm still possessed of no big motivation to bother with anti-virus, anti-spyware, anti-anything. I just keep current on my patches (actually, OSX does that for me), practice basic security, and I'm all set.

I'm still happy with TextEdit on the Mac (though I use OOo extensively on my Linux laptop @ work), Thunderbird for all my mail (and this comes from a guy who does SMTP for a living, among other things), and while Firefox is great on the Linux machinery, Safari does everything I need @ home (Safari = rebuilt Konqueror).

But that's the beauty of OSS and non-MSFT stuff, is biodiversity, so to speak. As long as open standards are adhered to, it doesn't matter which browser, mail client, etc. you use :)

/P
Posted by Penguinisto (5042 comments )
Hooray for Diversity!
I am one who supports it. Diversity has shown to be beneficial to us, the consumers. It gives us more freedom of choice and promotes competition among the providers to improve their products (i.e. Firefox prompts IE improvements). As for this vulnerability, I am glad Microsoft has released a patch for it already; however, there are still others not yet fixed. I am encouraged by the recent trend in exploits found... they are becoming harder and harder to use maliciously. Years ago, it was very easy to do. I give credit to software diversity for prompting this improvement. Whatever software you choose, good for you! That's your decision to make.
Posted by Seaspray0 (9714 comments )
It's all part of Microsoft's Plan
Hmm... launch new Operating System which nobody wants to move to because their existing system works fine (not to mention, their apps and their hardware)...

Generate and/or "release" Windows bugs and flaw attacks that only affect XP and not Vista...

Shout how much more secure Vista is and convince people Microsoft is doing all it can to hold back the floodwaters of attacks, to protect us innocent users! But Microsoft can only hold on for so long... our survival lies in the lifeboats named "Vista".. hurry or you'll be "owned" ...

(or switch to a Mac or Linux, but we won't mention that scenario...)
Posted by dragonbite (452 comments )
Funny Stuff.
I just love reading these comparisons from other posters. All defending one platform or another.

Here's my 1 cent worth of opinions. First off, I think in this day and age running a firewall and anti-virus software is a must on all platforms, simply because the risk of losing data stored on your computer is too great for most users, whether they realize it or not.

Secondly Apples are great computers and Mac OS X is a great OS, but it's not going to be for everyone. Be thankful we all have a choice even if that choice is decided for us by the applications we want to use.

Thirdly, don't trust computers. They are only as good as the software that runs on them and the hardware that makes them work. Of course the weakest link is still the human being and we defend the honor of operating systems. Got to make you wonder how intelligent we really are.

And lastly, all this arguing over who's got the better turd just masks the stink that has become technology. The fact is that none of these companies have the best interest of the end user in mind. If they did, they would all be working together to make applications work on any platform. They would share ideas and technologies. Patents wouldn't be an issue and neither would copyrights. They wouldn't create licenses that block other ways of thinking out. Interoperability wouldn't be a topic at every computer-related event or even a selling point on the package.

The fact is that we are all suckers. We all buy into this idea that one thing is better than the other. We all like to make Devils and Gods out of people in the industry. And in the end we still get stuck with the same old hype.
Posted by System Tyrant (1453 comments )
Other OSes are less vulnerable because they are not so popular
Why bother to make a virus that can affect 10% of computers in the world if you can make one that can attack 75%? It is simple logic. I have Mac OS X and in my opinion it has a lot less spyware/viruses than Windows, so I don't have to worry about having the antivirus on all the time. I just have the firewall of the router and I update my system once in a while and everything is excellent. But on my Windows-based computers I have to update the antivirus daily, have the software firewall on, and run an antispyware application at least once a week. All these extra applications and processes slow down my computer's performance and decrease my productivity. Still, it is the price for having compatibility with most software; for me the price was too high, so I changed to Mac OS X. But for many people Windows is just fine and they are happy with it. So it depends on what you do.
Posted by arturodiaz148 (7 comments )
The market share being responsible for the amount of attacks argument
really doesn't hold water.

Because Mac/Linux/BSD are considered hard targets, there are hackers that would love to brag about taking them down.

They just have not been able to do much damage yet, so like terrorists they move to a softer target, aka Windows.
Posted by slim-1 (229 comments )
An Ounce of Prevention is worth a Pound of Cure
This holds true regardless of which operating system you use.

Viruses, spyware, malware, phished sites with trojans lurking on them...

We ALL need the best security we can get.

Good Firewall, Good AntiVirus, Good Anti-Spyware, Good Anti-Trojan, etc.

One can brag all they want... but I would love to see their face when those that claim "I don't need this" or "I'm safe because {fill in the blank}" finally get infected with something.

We need to quit bickering about this, that or the other and start shoring up our security defenses... because the bad guys aren't letting up... in fact they're growing by leaps and bounds.

Everybody is vulnerable. However as for HOW vulnerable they are... will depend upon how strong of a security defense they've built up.

Nobody is totally and 100% impenetrable!!!

Walt
Posted by wbenton (522 comments )