Guest

Cisco Security Agent

Cisco Applied Intelligence Response: Identifying and Mitigating Exploitation of the Microsoft Windows VML Arbitrary Code Execution Vulnerability

Document ID: 71712


http://www.cisco.com/warp/public/707/cisco-air-20061004-ms-vml.shtml

Revision 1.0

For Public Release 2006 October 4 1600 UTC (GMT)


Contents

Cisco Response
Cisco Intrusion Prevention System (IPS)
Cisco Security Agent (CSA)
Cisco Security Monitoring, Analysis, and Response System (CS MARS)
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

The Microsoft Windows Vector Markup Language (VML) Arbitrary Code Execution vulnerability can be exploited remotely without authentication, and user interaction is necessary. Successful exploitation could allow the attacker to perform remote code execution with the privileges of the user or create a denial of service condition. The threat vector requires that the attacker entice the target user to view the malicious VML code, likely by means of social engineering. Common threat vectors include malicious web pages and malicious web-based e-mail. This vulnerability is designated by CVE ID CVE-2006-4868.

Vulnerability Overview

This document contains information to assist Cisco customers in mitigating attempts to exploit the Microsoft Windows VML arbitrary code execution vulnerability.

Server and desktop computing systems using the following Microsoft Windows operating systems are affected:

  • Windows XP Service Pack 2 or prior
  • Windows XP Professional x64 Edition
  • Windows Server 2003 Service Pack 1 or prior
  • Windows Server 2003 for Itanium-based Systems Service Pack 1 or prior
  • Windows Server 2003 x64 Edition

Server and desktop computing systems using the following Microsoft Windows components are affected:

  • Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
  • Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

See the Microsoft MS06-055 Bulletin leavingcisco.com for full details.

Mitigation Technique Overview

Cisco devices provide countermeasures for the Microsoft Windows VML Arbitrary Code Execution vulnerability. The most preventive control is provided by the Cisco Security Agent (CSA) host intrusion prevention system software running in protect mode on the end host. CSA provides "Zero-Day" mitigation for all known threat vectors seen to date used by attacks in attempts of exploiting this vulnerability. Detective controls can be performed by the Cisco Intrusion Prevention System (IPS) product suite, which provides identification and protection starting with Signature Update S249 using signatures 5813/0 - 5813/3. Detective controls can also be performed by the Cisco Intrusion Detection System (IDS) product suite, which provides identification and protection starting with Signature Update S250 using signature 5813/0.

Device-Specific Mitigation and Identification

Specific information on mitigation and identification is available for these devices:

Cisco Intrusion Prevention System (IPS)

Mitigation

The Cisco Intrusion Prevention System (IPS) provides detection and threat mitigation for the Microsoft Windows VML Arbitrary Code Execution (MS06-055) leavingcisco.com vulnerability starting with Cisco IPS Signature Update S249 for 5.x devices.

  • Signature Update S249 (released September 20, 2006) - Added signatures 5813/0 - 5813/3
  • Signature Update S250 (released September 21, 2006) - Added signature 5813/4
  • Signature Update S251 (released September 26, 2006) - Modified signatures 5813/1 - 5813/3; Retired signature 5813/4
  • Signature Update S253 (released October 3, 2006) - Modified signature 5813/3

The Cisco Intrusion Detection System (IDS) provides detection and threat mitigation for the Microsoft Windows VML Arbitrary Code Execution (MS06-055) leavingcisco.com vulnerability starting with Cisco IDS Signature Update S250 for 4.x devices.

  • Signature Update S250 (released September 21, 2006) - Added signatures 5813/0

In order to trigger preventative controls, the IPS 5.x meta signature 5813/0 or the IDS 4.x signature 5813/0 will need to be configured to perform a response action. The actions that provide this type of mitigation are most effective when using an IPS device that is deployed in inline mode. Attacks attempting to exploit this vulnerability primarily use malicious web pages or malicious web based e-mails as the threat vector, thus attacks are TCP based and unlikely to be spoofed.

Identification

Cisco IPS 5.x meta signature 5813/0 and Cisco IDS 4.x signature 5813/0 trigger a High severity event upon the detection of an attempt to exploit the Microsoft Windows VML Arbitrary Code Execution. An IPS 5.x device triggered the following event using signature 5813/0 after an exploit attempt of this vulnerability on the target victim at IP address 192.0.2.1.

evIdsAlert: eventId=1142678274372769976 severity=high vendor=Cisco
  originator:
    hostId: sensor5x
    appName: sensorApp
    appInstanceId: 339
  time: 2006/09/28 15:06:01 2006/09/28 09:06:01 CST
  signature: description=Microsoft Internet Explorer Vector Markup Language Vulnerability id=5813 version=S249
    subsigId: 0
    sigDetails: Microsoft Internet Explorer Vector Markup Language Vulnerability
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 192.0.2.254
      port: 80
    target:
      addr: locality=IN 192.0.2.1
      port: 1104
  triggerPacket:
  <TriggerPacket removed>
  riskRatingValue: 65
  interface: ge0_0
  protocol: tcp    

Cisco Security Monitoring, Analysis, and Response System (CS MARS) (as shown below) and IPS/IDS Event Viewer (IEV) can be used to monitor for attempted exploitation of this vulnerability. Events produced when signature 5813/0 triggers indicate potential attempts to exploit this vulnerability and should be investigated.

Signature Summary

A number of signatures were defined in Signature Updates S249, S250, S251, and S253. Of these signatures, IPS 5.x customers should monitor for meta signature 5813/0 and IDS 4.x customers should monitor for signature 5813/0. IPS 5.x signatures 5813/1 - 5813/3 are the effective component signatures of meta signature 5813/0 that identify the steps during an attempt of exploiting this vulnerability.

Cisco Security Agent (CSA)

Mitigation

Current supported versions of Cisco Security Agent 4.0.3.x, 4.5.1.x, 5.0.0.x, and 5.1.0.x are effective in stopping all known exploits seen to date, thus providing "Zero-Day" protection at the end host. CSA host intrusion prevention system software effectively stops both the initial buffer overflow attempt and any subsequent steps to exploit the Microsoft Windows VML document arbitrary code execution vulnerability. The subsequent steps can include attempts to write the exploit's executable file into the system32 directory and attempts by Internet Explorer to launch NTVDM.exe.

Note:  These subsequent steps are only evident when running CSA in "Test Mode". When running CSA in "Protect Mode" (which is the recommended operating mode), the initial buffer overflow attempt is prevented and no further actions are executed by the exploit.

Note: For additional information on how CSA prevents exploitation of the MS06-055 vulnerability, please refer to CSA Protects Against IE VML Buffer Overflow.

Identification

As shown in this example, the CSA Management Center (CSA MC) console can be monitored for attempts to exploit this vulnerability.

cisco-air-20061004-ms-vml-01.gif

Cisco Security Monitoring, Analysis, and Response System (CS MARS)

Identification

As depicted in these examples, the CS MARS console can be monitored for attempts to exploit this vulnerability. Using the following query on the CS MARS appliance, events triggered by Signature 5813 will be displayed:

cisco-air-20061004-ms-vml-02.gif

The display shown here is the result of the previous query for IPS events triggered by Signature 5813:

cisco-air-20061004-ms-vml-03.gif

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.0

2006-October-4

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Related Information



Updated: Oct 04, 2006 Document ID: 71712