Internet Explorer 0-day (take 2 of the last few days…)



The last zero day (activeX) seems to be less interesting than this NEW zero-day that really made a news splash in the last day. It looks as though this NEW 0-day affects VML… Incidents.org has good coverage here. Microsoft has an advisory up and they expect to release a patch on the next scheduled patch day (earlier if needed…. ahem….) Sunbelt is blogging about the “epic loads of adware” being pushed into systems via this vulnerability. Now, some workarounds….


ALTERNATIVE BROWSER is the first suggestion.

Unregister the dll responsible for vml….

“regsvr32 -u “%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll”

(from incidents.org – re-register after patch is out by the same command without the -u)

One of the lingering questions is IF the IE7 release candidate is vulnerable…. I haven’t tested, but my reading of the advisory suggests that the problem is the underlying WINDOWS dll, it doesn’t appear that it would make a difference which version of IE was installed. If possible, I may put that to the test soon.

–update 5 minutes after post–

I just noticed that incidents.org has a list of antivirus vendor detection (only MS at the moment catches the exploit). Also, they’ve removed the 0day label for this vml vulnerability instead, choosing to call it an “actively exploited unpatched vulnerability” in vml…. From what I read, this may have been known as early as June/July – I’m not clear yet on that angle.

insorg.org is reported as a carrier domain.

Also, The SecurityFix has coverage, he also notes that disabling javascript is enough to mitigate the risk. I’m not sure on this, it may just be that it blunts the exploit in some circumstances. Personally I’d feel a lot better using another browers at the moment….

I know that there are some saying that firefox is more of a security risk than internet explorer, which in some ways is mystifying as we don’t seem to see the massive unknown exploits attacking firefox and there seem to be fewer outstanding unpatched issues for firefox than ie…. Anyway, my personal preference is to have more than one browser installed on the system so you can adapt as the situation needs.

Sunbelt updates the unregister dll workaround with a more “international version friendly” variation…

“regsvr32 -u “%CommonProgramFiles%Microsoft SharedVGXvgx.dll ”

javascript is just being used to cloak the exploit in some cases, so disabling javascript will prevent SOME of the current approaches to delivering the exploit, but not all.

–update 9/21/06–

It does seem that now the javascript disabling is fairly useless as javascript was just a cloaking method. Other methods have been spotted that disabling javascript does not blunt.

It DOES sound as though hardware enforced DEP can block it (George Ou) and he notes that even software enforced dep is claimed to stop the exploit as well (initially the wmf exploit was claimed to be stopped by software dep (Microsoft claimed this in an initial bulletin), a statement which was later proven false.) It’s too bad that SOME people still make software that’s incompatible with hardware DEP. (HP printer driver for the deskjet 5550 for instance.) I’m sure there are many software vendors that could help out the world by making sure their software is DEP compatible.

Code for the exploit is now publicly available and you might expect uptake to continue on the “usual suspect” type of sites.

Related Posts

Blog Traffic Exchange Related Posts
  • WMF exploit through indexing software One of the vectors that has been mentioned early on is the infection of a system through the WMF exploit even when the exploited file was downloaded through a dos command shell. At first this seemed absurd, but it appeared that Google Desktop search was indexing files dynamically and once......
  • Microsoft should use a /home partition.... I saw this yesterday or day before... George Ou has said that Microsoft should move user data to it's own volume (or partition). He is ABSOLUTELY RIGHT. I think these days the default install for any modern operating system ought to assume you care enough about your data to seperate......
  • Microsoft Update day for September.... AND Flash... AND Apple Yesterday, of course, Microsoft released it's monthly patches. I found the Windows update site to be painfully slow (and in some cases unresponsive.) It wasn't quite a huge update day by recent standards, but here's the summary.... Incidents.org has a nice chart showing the two re-released patches (one is actually......
Blog Traffic Exchange Related Websites
  • Registry Errors – Today Itself Fix Your PC by Uncovering Registry Errors In Your Windows You should fix the registry errors because of the performance issues with your computer like slow speed which mostly is brought due to registry errors. Many of the times the users are unconscious of such type of errors due to which they are not correctly addressed. For repairing this error......
  • Free Financial Management Software When it comes to your getting out of debt, having the right software can actually make a real world of difference. Some people tend to manage their efforts at debt reduction with something that is as simple and as straight forward as a computer spreadsheet while other people tend toward......
  • Microsoft Blogs Review Reading and reviewing corporate blogs from other companies is a great way to learn a little bit more about your own blog. Microsoft has a large community of blogs, and a wide variety of bloggers writing in numerous blogs within this community. There are a number of employee blogs in......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site