Friday, September 29, 2006
The attack vector is Microsoft's WebViewFolderIcon ActiveX control (Web View). The vulnerability itself exists in the Windows Shell and is exposed through the Web View ActiveX control.
Details and workarounds at http://www.microsoft.com/technet/security/advisory/926043.mspx
Public release of exploit code:
I would expect that with the public release of the vulnerability details and sample exploit code, we will see rising attacks on this over the coming weekend. It's recommended that people comfortable with editing the Registry go to that first Microsoft link and use the first workaround (set the kill bit on the ActiveX control).
Tuesday, September 26, 2006
If you previously used any of the mitigating workarounds for this exploitable bug, make sure you reverse or roll back that workaround before applying the official patch.
Friday, September 22, 2006
Many of you may have heard about a new zero-day vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2, and both versions of Windows 2003 are exposed to the VML flaw. Infections are rising rapidly - you are at risk if you surf the web.
Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)
Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.
VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.
There are a few workarounds listed on Microsoft's security bulletin. The one I recommend from their bulletin seems to cover all the vectors perfectly. It involves unregistering the VML shared library. To deploy this workaround, click Start, select the Run box, and copy the following into the Open field and click OK. You should see a message appear that says the unregister succeeded.
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Using this workaround will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, you can reverse the workaround (do it before you apply the upcoming patch) by typing the following similar command into the same Run window (note the absence of the "-u" in the string):
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
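The two workarounds above (the kill bit recommended in the September 29 entry, and unregistering vgx.dll) are simple to apply but easy to forget about when the official patch arrives. The following PowerShell script is an added example, not part of the original post: it reports whether vgx.dll is still registered as a COM server, and sets or clears the Internet Explorer kill bit for a control by CLSID in an idempotent way so the change can be rolled back before patching. The CLSID value is a placeholder; take the real one from Microsoft's advisory. It must be run from an elevated (administrator) session because it writes under HKLM.

```powershell
# Added example, not from the original post. Run elevated.
# PLACEHOLDER CLSID - replace with the control's CLSID from Microsoft's advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks the control in IE

function Get-KillBitState {
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $KillBitFlag) -ne 0
}

function Set-KillBit {
    # Sets the kill bit, or clears only that bit with -Remove (rollback before patching).
    param([string]$Clsid, [switch]$Remove)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($Remove) { $new = $current -band (-bnot $KillBitFlag) }
    else         { $new = $current -bor $KillBitFlag }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-VgxRegistered {
    # vgx.dll is still active if any CLSID's InprocServer32 default value points at it.
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
        Where-Object { $_.'(default)' -like '*\vgx.dll' }
    return [bool]$hits
}

# Report current state, then apply the kill bit if it is not already set.
"vgx.dll registered : $(Test-VgxRegistered)"
"kill bit set       : $(Get-KillBitState -Clsid $Clsid)"
if (-not (Get-KillBitState -Clsid $Clsid)) {
    Set-KillBit -Clsid $Clsid
    "kill bit now set   : $(Get-KillBitState -Clsid $Clsid)"
}
# Before installing the official patch: Set-KillBit -Clsid $Clsid -Remove
```

Re-running the script is safe; it changes nothing when the bit is already set, and `Set-KillBit -Remove` touches only the 0x400 bit so any other compatibility flags on the key survive.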
And finally there is an excellent third-party patch available from Zert that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse and does not recommend its use. In spite of that, I am now using this third-party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should roll back this fix (method provided with the patch download) before applying Microsoft's official critical update for the issue - when it's finally released.