The last zero day (activeX) seems to be less interesting than this NEW zero-day that really made a news splash in the last day. It looks as though this NEW 0-day affects VML… Incidents.org has good coverage here. Microsoft has an advisory up and they expect to release a patch on the next scheduled patch day (earlier if needed…. ahem….) Sunbelt is blogging about the “epic loads of adware” being pushed into systems via this vulnerability. Now, some workarounds….
ALTERNATIVE BROWSER is the first suggestion.
Unregister the dll responsible for vml….
“regsvr32 -u “%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll”
(from incidents.org – re-register after patch is out by the same command without the -u)
One of the lingering questions is IF the IE7 release candidate is vulnerable…. I haven’t tested, but my reading of the advisory suggests that the problem is the underlying WINDOWS dll, it doesn’t appear that it would make a difference which version of IE was installed. If possible, I may put that to the test soon.
–update 5 minutes after post–
I just noticed that incidents.org has a list of antivirus vendor detection (only MS at the moment catches the exploit). Also, they’ve removed the 0day label for this vml vulnerability instead, choosing to call it an “actively exploited unpatched vulnerability” in vml…. From what I read, this may have been known as early as June/July – I’m not clear yet on that angle.
insorg.org is reported as a carrier domain.
I know that there are some saying that firefox is more of a security risk than internet explorer, which in some ways is mystifying as we don’t seem to see the massive unknown exploits attacking firefox and there seem to be fewer outstanding unpatched issues for firefox than ie…. Anyway, my personal preference is to have more than one browser installed on the system so you can adapt as the situation needs.
Sunbelt updates the unregister dll workaround with a more “international version friendly” variation…
“regsvr32 -u “%CommonProgramFiles%Microsoft SharedVGXvgx.dll ”
It DOES sound as though hardware enforced DEP can block it (George Ou) and he notes that even software enforced dep is claimed to stop the exploit as well (initially the wmf exploit was claimed to be stopped by software dep (Microsoft claimed this in an initial bulletin), a statement which was later proven false.) It’s too bad that SOME people still make software that’s incompatible with hardware DEP. (HP printer driver for the deskjet 5550 for instance.) I’m sure there are many software vendors that could help out the world by making sure their software is DEP compatible.
Code for the exploit is now publicly available and you might expect uptake to continue on the “usual suspect” type of sites.
Related PostsRelated Posts
- WMF exploit and DEP There's a bit of controversy over the suggestion that Hardware DEP seemed to protect against the WMF zero day exploit. Sunbeltblog has responded to the controversy. George Ou in the first link above claims that there's a lot of bad advice out about this exploit and that hardware DEP (Data......
- Microsoft Update day for September.... AND Flash... AND Apple Yesterday, of course, Microsoft released it's monthly patches. I found the Windows update site to be painfully slow (and in some cases unresponsive.) It wasn't quite a huge update day by recent standards, but here's the summary.... Incidents.org has a nice chart showing the two re-released patches (one is actually......
- Google Earth for Linux One of the big linux news stories yesterday was the release of google earth for linux. Essentially the Google earth team has released "release 4" which is a beta version of the next release. It looks like there are greater "user contribution" capabilities with this release. I've tried the download......
- Free Financial Management Software When it comes to your getting out of debt, having the right software can actually make a real world of difference. Some people tend to manage their efforts at debt reduction with something that is as simple and as straight forward as a computer spreadsheet while other people tend toward......
- MagicJack – Scam or Real Thing? Ever heard of magicJack?Â This is a USB (PC connection) based device that allows you to make and receive phone calls from your PC using a high-speed Internet connection for $19.95 per year.Â What this means is local and long distance calls in the continental US for next to nothing.Â ......
- Exploit for Unpatched Internet Explorer vulnerability
- Microsoft’s unpatched security bugs
- Firefox vulnerabilities and 1.5 Release Candidate
- DoS Exploit for MS-053