September 20th, 2006

How to defend against VML zero-day IE exploit

Posted by George Ou @ 3:50 am

Categories: Mobile/Wireless, News, Security, Servers

Tags:

On Monday, Sunbelt researcher Adam Thomas discovered a new undocumented zero-day exploit for Internet Explorer that attacks IE’s VML (Vector Markup Language) rendering code and it’s being actively exploited in the wild especially on porn sites.  This is the second zero-day exploit this month for Microsoft Internet Explorer that was released soon after Microsoft’s patch Tuesday yet Microsoft will not commit to a fix until October’s patch Tuesday on the 10th which is nearly three weeks away.  The same thing happened in March of this year when Microsoft refused to provide an out-of-band patch for Internet Explorer until the following patch Tuesday.  This means that users of Microsoft Internet Explorer will be wide open to an attack unless they implement the emergency work-around to disable VML rendering in Internet Explorer.

Like the WMF exploit work-around, users will need to issue a command to disable VML rendering until the official patch comes out.  The commands are:

Disable VML
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

Enable VML
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

To execute these commands, simply hit the "Start" button and click "Run".  Cut-paste the disable VML command in to the line and click ok.  You will get a "RegSvr32" popup notice that says DllUnregisterServer in … succeeded.  Once the patch is available and you’ve applied it, repeat the process with the enable VML command.

IT departments can disable or enable this on an enterprise scale using Active Directory Group Policies and Jesper Johansson has produced these instructions to help you with the Group Policy method (via Sunbelt BLOG via Sandi).  It is highly recommended that IT departments take advantage of these instructions since it isn’t practical to implement the work-around manually on a large number of computers.  This can also be done via login-script technology but that only gets applied when users log in to their computer while connected to the network and may not take affect for a large number of users.  The Group Policy method is refreshed proactively ever 15 minutes or so and all the clients will benefit from it.

Other options include installing Opera or Mozilla Firefox though it’s still a good idea to implement the above work-arounds since Internet Explorer is still present on the system.  Note that Mozilla comes with its own set of vulnerabilities which in the last year was higher than Internet Explorer so you’ll have to patch that code as well.  Opera had critical vulnerabilities too but no where as many as Mozilla Firefox or Internet Explorer.  Even so, Mozilla and Opera vulnerabilities are targeted less often because it’s much easier and fruitful to attack the dominant browser.