The last zero-day (ActiveX) seems less interesting than this NEW zero-day that really made a news splash in the last day. It looks as though this NEW 0-day affects VML… Incidents.org has good coverage here. Microsoft has an advisory up and expects to release a patch on the next scheduled patch day (earlier if needed…. ahem….). Sunbelt is blogging about the “epic loads of adware” being pushed onto systems via this vulnerability. Now, some workarounds….
ALTERNATIVE BROWSER is the first suggestion.
Unregister the DLL responsible for VML:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
(from incidents.org – re-register after the patch is out with the same command without the -u)
One of the lingering questions is IF the IE7 release candidate is vulnerable…. I haven’t tested, but my reading of the advisory suggests that the problem is in the underlying WINDOWS DLL, so it doesn’t appear that it would make a difference which version of IE is installed. If possible, I may put that to the test soon.
–update 5 minutes after post–
I just noticed that incidents.org has a list of antivirus vendor detection (only MS catches the exploit at the moment). Also, they’ve removed the 0-day label from this VML vulnerability and are instead calling it an “actively exploited unpatched vulnerability” in VML…. From what I read, this may have been known as early as June/July – I’m not clear yet on that angle.
insorg.org is reported as a carrier domain.
I know there are some saying that Firefox is more of a security risk than Internet Explorer, which is in some ways mystifying, as we don’t seem to see the massive unknown exploits attacking Firefox, and there seem to be fewer outstanding unpatched issues for Firefox than for IE…. Anyway, my personal preference is to have more than one browser installed on the system so you can adapt as the situation needs.
Sunbelt updates the unregister-DLL workaround with a more “international version friendly” variation:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
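The two regsvr32 commands above apply the workaround but give no feedback beyond a dialog box. The script below is an added example (not from the original post, incidents.org or Sunbelt) that wraps the same unregister/re-register step and then verifies the result by scanning the COM registrations for any CLSID whose in-process server is vgx.dll, so no CLSID has to be hard-coded. It assumes an elevated PowerShell session on a Windows host and uses the %CommonProgramFiles% path from the Sunbelt variation.

```powershell
# Added example, not code from the original post. Run elevated.
# Usage: .\vgx-workaround.ps1 -Action Unregister   (apply workaround)
#        .\vgx-workaround.ps1 -Action Reregister   (after the patch is installed)
#        .\vgx-workaround.ps1                      (status only)
param(
    [ValidateSet('Unregister', 'Reregister', 'Status')]
    [string]$Action = 'Status'
)

# %CommonProgramFiles% resolves correctly on localized Windows installs.
$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrations {
    # Return every CLSID whose InprocServer32 default value points at vgx.dll.
    # Matching on the file name avoids hard-coding any CLSID.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll$') { $_.PSChildName }
        }
}

if (-not (Test-Path $VgxPath)) {
    Write-Warning "vgx.dll not found at $VgxPath; VML may already be absent on this host."
}

switch ($Action) {
    'Unregister' {
        # /s suppresses the confirmation dialog; /u is the same as -u in the post.
        & regsvr32.exe /s /u $VgxPath
        Write-Host "regsvr32 /u exit code: $LASTEXITCODE (0 = success)"
    }
    'Reregister' {
        # Only do this once the Microsoft patch is installed.
        & regsvr32.exe /s $VgxPath
        Write-Host "regsvr32 exit code: $LASTEXITCODE (0 = success)"
    }
}

# Report the resulting state regardless of the action taken.
$regs = @(Get-VgxRegistrations)
if ($regs.Count -eq 0) {
    Write-Host 'vgx.dll is NOT registered: VML rendering is disabled (workaround in place).'
} else {
    Write-Host "vgx.dll is registered under $($regs.Count) CLSID(s): $($regs -join ', ')"
}
```

The status check is the part worth keeping around: after the patch ships, running it with no arguments confirms that the re-registration actually took, which is the step most likely to be forgotten.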
It DOES sound as though hardware-enforced DEP can block it (George Ou), and he notes that even software-enforced DEP is claimed to stop the exploit as well (initially the WMF exploit was also claimed to be stopped by software DEP, a statement Microsoft made in an initial bulletin that was later proven false). It’s too bad that SOME people still make software that’s incompatible with hardware DEP (the HP printer driver for the Deskjet 5550, for instance). I’m sure there are many software vendors that could help out the world by making sure their software is DEP compatible.
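Whether DEP helps on a given machine depends on whether the hardware supports it and which policy is in force; OptIn (the client default) protects only Windows binaries that opt in, which is why the hardware/software distinction above matters. The snippet below is an added example (not from the post or from George Ou) that reads the DEP posture from WMI/CIM; it assumes a Windows host where the Win32_OperatingSystem class is available, and the policy names are the documented meanings of the SupportPolicy values.

```powershell
# Added example, not code from the original post.
# Reports whether hardware DEP is available and which system-wide policy applies.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Documented meanings of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn  (DEP enforced for everything)'
    2 = 'OptIn     (only Windows system binaries protected; client default)'
    3 = 'OptOut    (everything protected except an exception list)'
}

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    SupportPolicy        = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    AppliesTo32Bit       = $os.DataExecutionPrevention_32BitApplications
    DriversProtected     = $os.DataExecutionPrevention_Drivers
}
```

If HardwareDepAvailable is false, only the software-enforced flavour is in play, and the WMF history in the paragraph above is a reminder not to treat that as a guarantee. If the policy is OptIn, a third-party browser or plug-in host is not covered unless it opted in itself.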
Code for the exploit is now publicly available, and you might expect uptake to continue on the “usual suspect” type of sites.