Just a curiosity, but today's the 3 month anniversary of the integer overflow vulnerability in VML (vgx.dll). We shouldn't get too caught up on the latest and greatest media-friendly PoC and keep an eye on what's going on in the underground. Sure, MS released the patch for this some time ago and probably quite a few users are protected already, but how about those who haven't applied the patch or have deployed it internally in their networks? Most the time it's these people that cause the majority of the problems for the rest of us, and we're definately still seeing users being infected through this vector.

Couple of days ago I came across a recently released utility to create exploits for the VML vulnerability. The utility, named "MS-07004 V3.0", allows malicious users to easily create exploits using a graphical user interface. The utility creates HTML and JS files that exploit both MDAC and VML vulnerabilities, both of which allow remote attackers to execute arbitrary code.

All you need to do is provide a URL pointing to a critter of your choice. Then simply choose the type of exploit to use to execute the trojan remotely. You can choose between MS06-014, MS07-004 or a combination of both for "redundancy". If you simply choose MS07-004 it will create 3 files, a INDEX.HTM which loads MM.JS, which in turn references 07004.HTM.

Just a friendly reminder to those with responsability over "reminding people to patch their systems", to keep doing so. Users are much more likely to encounter a VML or ANI exploit than having their iPod catch a cold.