
Security specialists around the Internet have issued an alert for a zero-day attack targeting a vulnerability within all service pack versions of Windows 2000, XP and Server 2003.
The as-yet unpatched security hole is marked as critical and exploits the way Microsoft software handles Vector Markup Language (VML). Successful exploitation of the vulnerability would allow an attacker to gain access to the target system with the same privileges as the logged-on user, including the potential to run code remotely. The attack could be launched from a specially crafted HTML page either hosted on a website or sent via an HTML email.
Microsoft, which was told of the problem on 18 September, has not yet released a fix for the security hole and describes the attacks as ‘targeted and very limited’. It acknowledges, however, that ‘the vulnerability is being actively exploited’. Even so, Redmond has no plans to issue a public patch for this until its next round of security bulletins, due out 10 October.
Microsoft is advising customers to turn off the VML component until a patch has been issued, set Outlook to display messages as plain text only and, for IE 6 with Service Pack 2, disable Binary and Script Behaviors in the Internet and Local Intranet security zones.
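The two IE-side workarounds above (unregistering the VML renderer and disabling Binary and Script Behaviors in the two zones) can be applied and verified per machine; the script below is an added example, not part of the article or of Microsoft's advisory text. It assumes the VML renderer is the vgx.dll COM server under Common Files and that the "Binary and Script Behaviors" zone setting is the registry value named 2000 (3 = Disable) under the Internet Settings\Zones keys, with zone 1 = Local Intranet and zone 3 = Internet; both are taken from Microsoft documentation as the author recalls it, not from this page.

```powershell
# Added example (not from the article). Applies the interim VML workarounds on one
# machine and reports whether they are in place. Run from an elevated prompt.
# Assumed (not stated in the article): vgx.dll location, and that zone value 2000
# is "Binary and Script Behaviors" with 3 meaning Disable.

$vgx        = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones      = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$behaviors  = '2000'   # assumed: "Binary and Script Behaviors" setting
$disable    = 3        # assumed: 3 = Disable, 0 = Enable

function Disable-VmlRenderer {
    # Unregister the VML COM server so Internet Explorer can no longer load it.
    if (-not (Test-Path $vgx)) {
        Write-Warning "vgx.dll not found at $vgx (assumed path)"
        return $false
    }
    & regsvr32.exe /u /s $vgx
    return ($LASTEXITCODE -eq 0)
}

function Disable-BinaryScriptBehaviors {
    # Set the zone value to Disable for the Internet and Local Intranet zones.
    foreach ($id in $zones.Keys) {
        $key = Join-Path $zonesKey $id
        Set-ItemProperty -Path $key -Name $behaviors -Value $disable -Type DWord
    }
}

function Test-Workarounds {
    # Report, per zone, whether the behaviors setting is currently Disable.
    $state = @{}
    foreach ($id in $zones.Keys) {
        $key     = Join-Path $zonesKey $id
        $current = (Get-ItemProperty -Path $key -Name $behaviors -ErrorAction SilentlyContinue).$behaviors
        $state[$zones[$id]] = ($current -eq $disable)
    }
    return $state
}

$unregistered = Disable-VmlRenderer
Disable-BinaryScriptBehaviors
Write-Output "VML renderer unregistered: $unregistered"
Test-Workarounds
```

The zone values are written under HKCU, so a machine-wide policy under HKLM may take precedence on managed systems; re-registering vgx.dll with regsvr32 (without /u) reverses the first workaround once a patch is installed.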
“The developers at Microsoft will be spitting feathers about yet another critical security problem being found in their code. What’s worse, this is a flaw that is being exploited by hackers intent on installing malware on the computers of Windows users without any patch existing,” said Graham Cluley, senior technology consultant for Sophos. “This is now a race against time. Even though reports of the exploit are so far limited, companies reliant on Internet Explorer would be wise to follow Microsoft’s advice on ways to avoid this particular form of attack as it may be weeks before a patch from Microsoft is available.”
With Microsoft having no plans to release a patch that addresses this vulnerability before then, hackers now have a window of nearly three weeks in which to try to gain access to vulnerable computers.