New Windows VML Exploit Commandeers PCs

A company that specializes in creating attacks for penetration testing came up with a working exploit of a critical Microsoft patch within just hours of the fix hitting the street Tuesday. Immunity Inc., a Miami Beach, Fla.-based security and consulting firm, said earlier this week that it had published a working exploit for the VML […]
A company that specializes in creating attacks for penetration testing came up with a working exploit of a critical Microsoft patch within just hours of the fix hitting the street Tuesday.

Immunity Inc., a Miami Beach, Fla.-based security and consulting firm, said earlier this week that it had published a working exploit for the VML (Vector Markup Language) vulnerability within three hours of Microsoft announcing the bug and issuing a patch.

The VML flaw, which was outlined in the MS07-004 security bulletin, affects Windows 2000- and Windows XP-powered PCs running Internet Explorer 5.01, 6.0, and 7. It is similar, researchers have said, to a VML vulnerability that was patched out-of-cycle in September.

Some security researchers put the VML bug at their top of their patch-now lists, and said that because there were active exploits already in circulation, users and enterprises should deploy this fix before any others issued Tuesday. Hackers could use the vulnerability to hijack PCs; all they need do is lure users to a malicious Web site. Simply viewing the malformed page could result in losing control of the PC, analysts have warned.

CRN Windows, Microsoft, VML, Vector Markup Language, Exploit