CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2013-017

DATE(S) ISSUED:
02/12/2013

SUBJECT:
Vulnerability in Vector Markup Language (VML) Could Allow Remote Code Execution (MS13-010)

OVERVIEW:

A vulnerability has been discovered within Microsoft's web browser, Internet Explorer, that could allow for remote code execution. Specifically, the vulnerability is caused by the way the Vector Markup Language (VML) is processed by Internet Explorer. VML is an XML-based language used to produce and render vector graphics. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the affected user, an attacker could then install programs; view, change, or delete data; or create accounts with full user rights.

SYSTEMS AFFECTED:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

A vulnerability has been discovered within Microsoft's Internet Explorer web browser that could allow for remote code execution within the context of the currently logged-in user, potentially allowing for full control of a given system. This vulnerability is triggered when specially crafted data attempts to access VML-allocated buffers.

Vector Markup Language is an XML-based language used to produce and render vector graphics akin to canvas-based graphic suites. Even though VML use has decreased with the advent of SVG, it is still supported within Internet Explorer.

Exploitation of this vulnerability is possible if a user visits or is directed to a website delivering a specially crafted webpage. Additionally, an attacker could send a user a specially crafted Microsoft Office document that hosts the IE-rendering engine.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the affected user, an attacker could then install programs; view, change, or delete data; or create accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Run all software as a non-privileged user to diminish the effects of the attack.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
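
A read-only check for the zone-setting recommendation above, added here as an example and not part of the original advisory. It uses the documented Internet Explorer zone registry values (zones 1 and 3, CurrentLevel 0x12000 for "High", URL actions 1200 and 1400); the function names are hypothetical, and the order in which policy and per-user keys are consulted is a simplifying assumption.

```powershell
# Added example: audit the IE security-zone settings named in the recommendation.
$ZoneNames  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$HighLevel  = 0x12000      # CurrentLevel value for the "High" template
$Disabled   = 3            # URL action value meaning "Disable"
$Actions    = @{ '1200' = 'Run ActiveX controls and plug-ins'
                 '1400' = 'Active scripting' }
$ValueNames = 'CurrentLevel', '1200', '1400'
# Assumption: policy keys are consulted before the per-user key.
$Roots = 'HKLM:\Software\Policies\Microsoft',
         'HKCU:\Software\Policies\Microsoft',
         'HKCU:\Software\Microsoft'

# Hypothetical helper: compare one zone's values against the recommendation.
function Test-ZoneSettings {
    param([int]$Zone, [hashtable]$Values)
    $findings = @()
    if ($Values['CurrentLevel'] -ne $HighLevel) {
        $findings += 'CurrentLevel is 0x{0:X}, expected 0x12000 (High)' -f [int]$Values['CurrentLevel']
    }
    foreach ($id in $Actions.Keys) {
        if ($Values[$id] -ne $Disabled) {
            $findings += '{0} ({1}) is "{2}", expected 3 (Disable)' -f $Actions[$id], $id, $Values[$id]
        }
    }
    [pscustomobject]@{ Zone      = $ZoneNames[$Zone]
                       Compliant = ($findings.Count -eq 0)
                       Findings  = $findings }
}

# Hypothetical helper: read each value from the first key that defines it.
function Get-ZoneValues {
    param([int]$Zone)
    $values = @{}
    foreach ($name in $ValueNames) {
        foreach ($root in $Roots) {
            $key  = "$root\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $values[$name] = $item.$name; break }
        }
    }
    $values
}

# Constructed sample: a zone left at Medium-high with scripting and ActiveX enabled.
Test-ZoneSettings -Zone 3 -Values @{ CurrentLevel = 0x11500; '1200' = 0; '1400' = 0 }

if ($env:OS -eq 'Windows_NT') {   # live audit of the current user's zones
    foreach ($z in 1, 3) { Test-ZoneSettings -Zone $z -Values (Get-ZoneValues $z) }
}
```

A value reported as empty means no key defined it, in which case Internet Explorer falls back to the zone's template default.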

REFERENCES:

Microsoft:

http://technet.microsoft.com/en-us/security/bulletin/ms13-010

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0030