NY.gov Portal State Agency Listing
The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER:
2013-015

DATE(S) ISSUED:
02/12/2013

SUBJECT:
Vulnerability in Vector Markup Language (VML) Could Allow Remote Code Execution (MS13-010)

OVERVIEW:

Vulnerability has been discovered within Microsoft's web browser, Internet Explorer, which could allow for remote code execution. The vulnerability is caused by the way the Vector Markup Language (VML) is processed by Internet Explorer. VML is an XML-based language used to produce and render vector graphics. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the affected user, an attacker could then install programs, view, change, or delete data; or create accounts with full user rights.

SYSTEMS AFFECTED:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Vulnerability has been discovered within Microsoft's Internet Explorer web browser which could allow for remote code execution within the context of the currently logged in user, potentially allowing for full control of a given system. This vulnerability is triggered when specially crafted data attempts to access VML allocated buffers.

Vector Markup Language is an XML-based language used to produce and render vector graphics akin to canvas-based graphic suites. Even though VML use has decreased with the advent of SVG, it is still supported within Internet Explorer.

Exploitation of this vulnerability is possible if a user visits or is directed to a website delivering a specially crafted webpage. Additionally, an attacker could send a user a specially crafted Microsoft Office document that hosts the IE-rendering engine.  Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the affected user, an attacker could then install programs, view, change, or delete data; or create accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft immediately after appropriate testing.
  • Run all software as a non-privileged user to diminish the effects of the attack.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mail from trusted sources.

REFERENCES:
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms13-010

CVE
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0030