Friday, September 22, 2006

VML Vulnerability, workarounds and a test

Many of you may have heard about a new Zero Day Vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2 and both versions of Windows 2003 are exposed to the VML flaw. Infections are rising rapidly - you are at risk if you surf the web.

Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)

Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.

VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.

There are a few workarounds listed on Microsoft's security bulletin. The one I recommend from their bulletin seems to cover all the vectors perfectly. It involves unregistering the VML shared library. To deploy this workaround, click Start, select the Run box, and copy the following into the Open field and click OK. You should see a message appear that says the unregister succeeded.

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Using this work-around will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, you can reverse the workaround (do it before you apply the upcoming patch) by typing into the same run window the following similar command (note the absence of the "-u" in the string.)

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Other workarounds involve disabling JavaScript and ActiveX scripting, but doing that really messes up your web experience for many sites, much more so than simply disabling VML.

And finally there is an excellent third party patch available from Zert that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse and does not recommend it's use. In spite of that, I am now using this 3rd party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should rollback this fix (method provided with the patch download) before patching to Microsoft's official critical update for the issue - when it's finally released.

No comments:

Post a Comment

Comments are welcome but moderated to prevent spam links. I usually check them at least once a day in the evenings - so please be patient with me if your comment does not appear quickly.

Thank you.