netdef (netdef) wrote,

VML Vulnerability, workarounds and a test

Many of you may have heard about a new Zero Day Vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2 and both versions of Windows 2003 are exposed to the VML flaw. Infections are rising rapidly - you are at risk if you surf the web.

Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)

Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.

VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.

There are a few workarounds listed on Microsoft's security bulletin. The one I recommend from their bulletin seems to cover all the vectors perfectly. It involves unregistering the VML shared library. To deploy this workaround, click Start, select the Run box, and copy the following into the Open field and click OK. You should see a message appear that says the unregister succeeded.

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Using this work-around will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, you can reverse the workaround (do it before you apply the upcoming patch) by typing into the same run window the following similar command (note the absence of the "-u" in the string.)

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Other workarounds involve disabling JavaScript and ActiveX scripting, but doing that really messes up your web experience for many sites, much more so than simply disabling VML.

And finally there is an excellent third party patch available from Zert that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse and does not recommend it's use. In spite of that, I am now using this 3rd party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should rollback this fix (method provided with the patch download) before patching to Microsoft's official critical update for the issue - when it's finally released.

Tags: exploits, security

  • Hackers targeting your home LAN router / firewall

    This applies to any platform that runs Java, be it Mac, PC Windows or PC Linux. This also applies to any browser that supports Javascript, including…

  • Craplets: a new term is coined

    Craplets! What a great word to describe a very dirty side of the PC retail industry. ' "We call them craplets," the official said. The term is a…

  • Wi-Fi update for Windows XP SP2

    Remember that Wi-Fi hack demo at the Blackhat conference a couple of months ago? Quietly tonight, Microsoft released a really major update to help…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded