More on the IE VML Vulnerability21 September 2006 · Filed in Explanation
Taken from this Dark Reading article, here are a few ways to protect yourself from the VML vulnerability:
Unregister the VML DLL (
VGX.DLL, found in
Program Files\Common Files\Microsoft Shared) using
Apply a restrictive access control list (ACL) to the VGX.DLL file. This weblog entry shows how to help automate this using Group Policy for larger organizations (very handy!).
Switch to an alternate browser or use a virtual browser appliance.
In case you’re wondering why it might be important to protect yourself against this vulnerability, take a look at this article describing the scope of the attacks. As many as 10,000 web sites could end up hosting exploit code to take advantage of this vulnerability, and researchers are predicting that an e-mail variation may soon follow.
You can obtain additional information about this vulnerability and the corresponding exploit(s) at the following links:
Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=20096
Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer http://www.symantec.com/enterprise/security_response/weblog/2006/09/ trojanvimalov_a_zeroday_exploi.html
Microsoft Internet Explorer Vector Markup Language 0-Day http://vil.nai.com/vil/Content/v_vul26881.htm
Enterprises that don’t want to deploy Group Policy but still want to protect themselves against the vulnerability can use WMIC to remotely run the
regsvr32.exe command against remote computers. Of course, this disables VML functionality, but how many enterprises out there actually use VML? Here’s the general command:
wmic /node:<PC name> process call create 'regsvr32.exe /u "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL"'
As I’ve mentioned before, you could substitute a text file for the PC name above and WMIC will iterate through the list, performing the same task on each PC in the list. To re-enable VML functionality, you could use the same process but remove the “/u” switch from the
UPDATE: More resources have come to light regarding this VML vulnerability:Tags: IE · Security · Web Previous Post: New Zero-Day IE Exploits Next Post: Cocoalicious Woes