Microsoft recently patched the VML issue which was causing such a fuss in the security industry. This is one of the few times they have actually done an out-of-cycle patch. I definitely think it was the right thing to do and I think it should happen a little more often.
The day the patch came out, Metasploit's HD Moore released an exploit module which performs about four different evasion techniques in an attempt to evade Intrusion Detection Systems and anti-virus scanners. It is definitely the best exploit out there at the moment for this issue. However, it still uses JavaScript, which means disabling JavaScript is still a saving grace. Still, one should be aware that JavaScript is not a necessity when exploiting this issue.
So now on to the topic at hand. VML was definitely a 0-day vulnerability, but it was just patched, which makes it no longer 0-day. So where is the new 0-day? Is it in something different? Is it just as bad as VML?
The newest 0-day exploit comes yet again from HD Moore (good job). This time around we can really start to see that Microsoft has a lot of work to do when it comes to security and the process of patching vulnerabilities. An exploit was released today for a vulnerability which was disclosed nearly 3 months ago, and the issue has gone nearly 3 months unpatched. It was originally thought by many to be just a denial of service, but it turns out it is really much, much more than that. The issue is within the ActiveX object WebViewFolderIcon.
This is only exploitable within Internet Explorer. A good workaround for this issue would be to disable Active Scripting and also set the kill bit for this ActiveX object.
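As an added example (not from the original post), both workarounds in PowerShell: set the kill bit (bit 0x400 of the control's "Compatibility Flags" value) for a CLSID and disable Active Scripting in the Internet zone. The CLSID below is a placeholder; take the real WebViewFolderIcon CLSID from the Microsoft advisory for this issue. Run it from an elevated shell, since it writes under HKLM.

```powershell
# Added example, not the original post's code. CLSID is a PLACEHOLDER:
# substitute the WebViewFolderIcon CLSID from the Microsoft advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # IE refuses to instantiate a control when bit 0x400 is set in its
    # "Compatibility Flags" value. On 64-bit Windows the 32-bit IE reads the
    # Wow6432Node view, so both locations are written.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # OR the bit in rather than overwrite: the value may already carry other flags.
        $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$cur) -bor 0x400
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # Returns $true only if the 0x400 bit is present in the flags value.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$cur) -band 0x400) -eq 0x400)
}

function Disable-InternetZoneActiveScripting {
    # Zone 3 = Internet zone; URL action 1400 = Active Scripting; 3 = Disable.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    Set-ItemProperty -Path $zone -Name '1400' -Value 3 -Type DWord
}

Set-ActiveXKillBit -Clsid $Clsid
Disable-InternetZoneActiveScripting
if (Test-ActiveXKillBit -Clsid $Clsid) { "Kill bit set for $Clsid" } else { "Kill bit NOT set for $Clsid" }
```

Test-ActiveXKillBit is the check to run on machines where the mitigation is supposed to be in place, since a Group Policy or later installer may rewrite the flags value.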
It just goes to show that denial of service vulnerabilities sometimes turn out to be exploitable, even though many who have taken a close look say otherwise. The security industry is full of people with varying skills and varying skill sets. Keep this in mind when you listen to all the comments surrounding a security issue.
I can't recall how many times I've heard that some vulnerability is only a denial of service due to such-and-such a factor. Then I take a look at it and it turns out to be much more than just a denial of service. Very recently a vulnerability was discovered which rendered any denial of service condition exploitable in applications in which a user could sufficiently influence the loading and unloading of libraries, resulting in arbitrary code execution (MS06-051). I have always been of the opinion that if you cannot state something as a fact, don't make any statement at all.