Microsoft warns against VML threat

Within four days, Redmond released Microsoft Security Advisory 925568, "Vulnerability in Vector Markup Language Could Allow Remote Code Execution"—and updated it twice. In this edition of the IT Locksmith, John McCormick tells you what you need to know about this advisory and clues you in to the various mitigating factors and available workarounds.

Microsoft has released a security advisory detailing a remote code execution threat that attackers are currently exploiting. However, several mitigating factors exist for this threat, and Microsoft has also approved a few workarounds.


Within four days, Redmond released Microsoft Security Advisory 925568, "Vulnerability in Vector Markup Language Could Allow Remote Code Execution"—and updated it twice. The threat relates to a publicly disclosed vulnerability (CVE-2006-4868) that attackers are actively exploiting.

The Vector Markup Language (VML) is an XML-based exchange, editing, and delivery method for high-resolution graphics on the Web. Users can unleash this threat by visiting a malicious Web page or opening an e-mail.

According to the advisory, Microsoft plans to address this remote code execution threat in its October release of security bulletins. However, the advisory also says the software giant may release a patch earlier depending on customer needs.

For now, users of Windows 2000 Service Pack 4, Windows XP SP1, Windows XP SP2, Windows XP Professional x64 Edition, and almost all versions of Windows Server 2003 need to pay particular attention to keeping other security tools, including antivirus programs, updated. In addition, most managers should consider taking advantage of some of the tested workarounds.

There are several mitigating factors. For example, Windows Server 2003 runs Internet Explorer in Restricted mode, which disables some of the affected behaviors by default. This is also true for users of Outlook Express on Windows XP SP2 and Windows Server 2003 SP1.

For a list of all the mitigating factors, read the entire security advisory. To protect yourself further, read e-mail in text mode, and don't visit untrusted Web sites.

Other ways to mitigate the threat include the following Microsoft-approved workarounds:

  • Modify the access control list for Vgx.dll.
  • Remove Vgx.dll from the registry (thus disabling VML display code).
  • Configure IE 6 for Windows XP SP2 to disable suspect behaviors.
  • Block VML traffic with ISA Server.

Final word

This is a real and actively exploited threat. I've seen many reports of very recent increases in attacks via some Internet Explorer vector. While the exact method of attack isn't always clear, I've also seen reports that attacks drop off sharply after users disable Vgx.dll.

On a positive note, I monitor several sites that summarize the latest virus threat alerts from major antivirus vendors, and I don't recall ever seeing such a short list of new threats. However, it's important to point out that Bagle keeps making the lists with new variants.

In addition, OSX/Leap is at the top of the list of several compilations. Symantec has published a brief summary of this threat. While it presents a minor risk, the threat is important because it targets Macintosh OS X—and particularly because it's been around since February but keeps showing up.

OSX/Leap infects OS X 10.4 files and spreads via the iChat IM program. Although this virus will execute on Intel-based Macs, it can't spread from those machines.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox