Alerte VML zero-day vulnerability

This alert is an update to the Windows Vector Markup Language (VML) zero-day vulnerability discussed this morning on our blog:
http://www.websense.com/securitylabs/bl … ?BlogID=80

We have confirmed multiple previously-known WebAttacker sites that are currently exploiting this vulnerability to install malicious software. Since this exploit has been confirmed on multiple sites, we suspect that the WebAttacker toolkit has been updated to include this exploit. We expect to see many of the several thousand WebAttacker sites begin to utilize the exploit, as they update to the latest release of the toolkit.

All sites known to be exploiting this code have been in the Malicious Web Sites category for several months. To address any new sites that appear, Websense has issued a database update via Real-Time Security Updates™ (RTSU) to block the latest version of the WebAttacker toolkit. While we have not discovered the exploit on any non-WebAttacker sites, we are monitoring for the exploit to appear at other locations and expect it will only be a matter of time before additional sites begin to utilize the exploit.

For more information on the WebAttacker toolkit, please refer to one of our previous alerts:
http://www.websense.com/securitylabs/al … lertID=472

Microsoft has released Security Advisory 925568 regarding this issue. There is currently no patch available. http://www.microsoft.com/technet/securi … 25568.mspx

This vulnerability was first reported by SunBelt Software on their blog: http://sunbeltblog.blogspot.com/2006/09 … being.html

INFORMATION PRESSE
Le savoir dire - Sandra Logut & Diane Vinet - Tel +33 (0)1 47 49 69 95 - sandra@le-savoirdire.com

, diane@le-savoirdire.com