Friday, September 29, 2006

Windows Shell Vulnerability

Vulnerability in the Windows Shell could allow remote code execution.

The vector is Microsoft's WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by the Web View ActiveX control.

Details and workarounds at

Public release of exploit code:

I would expect that with the public release of the vulnerability details and sample exploit code, we will see rising attacks on this over the coming weekend. It's recommended that people comfortable with editing the Registry go to that first Microsoft link and use the first workaround (set the kill bit on the ActiveX control).
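Setting the kill bit is a Registry edit, so here is an added PowerShell example (not from the original post or from Microsoft) that applies or removes it for a given control. The CLSID of the WebViewFolderIcon control is not reproduced on this page, so the script takes it as a parameter; copy it from Microsoft's bulletin. It assumes the standard location of IE's ActiveX Compatibility key and must be run from an elevated prompt.

```powershell
# Added example: set (or clear) the Internet Explorer "kill bit" for an ActiveX
# control identified by CLSID. The kill bit is bit 0x400 of the DWORD value
# "Compatibility Flags" under HKLM\...\ActiveX Compatibility\{CLSID}.
# The CLSID itself must come from the vendor bulletin; none is hard-coded here.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid,     # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' from the bulletin
    [switch]$Remove     # roll the change back once an official patch is installed
)

$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$key     = Join-Path $base $Clsid
$KillBit = 0x400

if ($Remove) {
    if (Test-Path $key) {
        Remove-Item -Path $key -Force
        Write-Host "Kill bit removed for $Clsid"
    } else {
        Write-Host "No kill-bit entry present for $Clsid"
    }
    return
}

# Create the per-CLSID key if it does not exist yet.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Preserve any flags already set and OR in the kill bit.
$current = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
$new = $current -bor $KillBit
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

Write-Host ("Compatibility Flags for {0} now 0x{1:X} (kill bit set)" -f $Clsid, $new)
```

Run it as `.\Set-KillBit.ps1 -Clsid '{...}'` to block the control and `.\Set-KillBit.ps1 -Clsid '{...}' -Remove` to undo it. The script ORs the bit in rather than overwriting the value, so any other compatibility flags Microsoft or an administrator already set on that control survive. On 64-bit Windows the same key also exists under `Wow6432Node`; run the script against that path too if 32-bit IE is in use.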

Tuesday, September 26, 2006

VML Vulnerability: Official fix released today

Microsoft has quietly released a patch for the VML exploit today. Get it via their update service at or wait for your automatic updates to notice it . . . personally I would not wait.

If you previously used any of the mitigating workarounds for this exploitable bug, make sure you reverse or roll back that workaround before applying the official patch.

Saturday, September 23, 2006

Friday, September 22, 2006

VML Vulnerability, workarounds and a test

Many of you may have heard about a new zero-day vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2 and both versions of Windows 2003 are exposed to the VML flaw. Infections are rising rapidly - you are at risk if you surf the web.

Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)

Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.

VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.

There are a few workarounds listed on Microsoft's security bulletin. The one I recommend from their bulletin seems to cover all the vectors perfectly. It involves unregistering the VML shared library. To deploy this workaround, click Start, select Run, paste the following into the Open field, and click OK. You should see a message appear that says the unregister succeeded.

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Using this workaround will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, you can reverse the workaround (do it before you apply the upcoming patch) by typing the following similar command into the same Run window (note the absence of the "-u" in the string).

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
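For anyone who needs to apply or reverse this workaround on more than one machine, here is an added PowerShell wrapper (not part of the original post) around the same two regsvr32 commands. It verifies the DLL is where the post says it is, runs regsvr32 silently so no dialog blocks an unattended run, and reports success or failure from the exit code. The `-Restore` switch name is my own.

```powershell
# Added example: unregister the VML renderer (the workaround above), or
# re-register it with -Restore before installing Microsoft's official patch.
# regsvr32 returns 0 on success and a non-zero code on failure; /s suppresses
# the message box so the result can be checked programmatically.
param([switch]$Restore)

$dll = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

if (-not (Test-Path $dll)) {
    Write-Host "vgx.dll not found at $dll; nothing to do."
    exit 0
}

# Build the argument list: '/u' unregisters, omitting it registers.
$argList = if ($Restore) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }

$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList `
                      -Wait -PassThru -NoNewWindow

$action = if ($Restore) { 'registered' } else { 'unregistered' }
if ($proc.ExitCode -eq 0) {
    Write-Host "vgx.dll $action successfully."
} else {
    Write-Host "regsvr32 failed with exit code $($proc.ExitCode); run from an elevated prompt."
    exit $proc.ExitCode
}
```

Run it without arguments to apply the workaround and with `-Restore` to undo it before patching. Because it exits with regsvr32's own code, it can be used from a logon script or management tool that records which machines succeeded.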

Other workarounds involve disabling JavaScript and ActiveX scripting, but doing that really messes up your web experience for many sites, much more so than simply disabling VML.

And finally there is an excellent third-party patch available from ZERT that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse and does not recommend its use. In spite of that, I am now using this third-party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should roll back this fix (method provided with the patch download) before patching to Microsoft's official critical update for the issue - when it's finally released.

Wednesday, September 6, 2006

Back in town

Left 9 days ago for a conference and got caught in some serious stormy weather, delayed flights, the whole deal.


Sooooo much stuff on the security front happened and is happening. Once I get unpacked and cleaned up I will start posting again.