Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

More on the IE VML Vulnerability

Taken from this Dark Reading article, here are a few ways to protect yourself from the VML vulnerability:

  • Unregister the VML DLL (VGX.DLL, found in Program Files\Common Files\Microsoft Shared) using regsvr32.exe.

  • Apply a restrictive access control list (ACL) to the VGX.DLL file. This weblog entry shows how to help automate this using Group Policy for larger organizations (very handy!).

  • Disable “Binary and Script Behaviors” in Internet Explorer 6. Unfortunately, this measure may only be temporary, as the exploit is moving beyond its original JavaScript-based incarnation (see below).

  • Switch to an alternate browser or use a virtual browser appliance.

In case you’re wondering why it might be important to protect yourself against this vulnerability, take a look at this article describing the scope of the attacks. As many as 10,000 web sites could end up hosting exploit code to take advantage of this vulnerability, and researchers are predicting that an e-mail variation may soon follow.

You can obtain additional information about this vulnerability and the corresponding exploit(s) at the following links:

Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability

Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer

Microsoft Internet Explorer Vector Markup Language 0-Day

Enterprises that don’t want to deploy Group Policy but still want to protect themselves against the vulnerability can use WMIC to remotely run the regsvr32.exe command against remote computers. Of course, this disables VML functionality, but how many enterprises out there actually use VML? Here’s the general command:

wmic /node:<PC name> process call create 'regsvr32.exe /u "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL"'

As I’ve mentioned before, you could substitute a text file for the PC name above and WMIC will iterate through the list, performing the same task on each PC in the list. To re-enable VML functionality, you could use the same process but remove the “/u” switch from the regsvr32.exe command.
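As an added example (not from the original post), here is the same Win32_Process.Create call that WMIC makes, driven from PowerShell over a list of PCs, with a switch to re-register the DLL afterwards. It assumes a constructed computers.txt with one host name per line, admin rights on the targets, and the default VGX.DLL location; /s is added so regsvr32's result dialog cannot hang an unattended remote run.

```powershell
# Added example: bulk unregister (default) or re-register (-Reregister) VGX.DLL
# on remote PCs via WMI Win32_Process.Create, the mechanism behind
# "wmic process call create". Not part of the original post.
param(
    [string]$ComputerList = ".\computers.txt",  # constructed input: one host per line
    [switch]$Reregister                          # re-enable VML instead of disabling it
)

# The path is left for the REMOTE cmd.exe to expand (cmd /c), so it resolves on
# the target rather than on the admin workstation. /s suppresses the dialog box.
$dllPath = '%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL'
$action  = if ($Reregister) { '/s' } else { '/s /u' }
$cmd     = "cmd.exe /c regsvr32.exe $action `"$dllPath`""

$hosts = Get-Content $ComputerList | Where-Object { $_.Trim() -ne '' }

foreach ($pc in $hosts) {
    try {
        # Win32_Process.Create returns 0 on success and the new PID on the remote host.
        $result = Invoke-WmiMethod -ComputerName $pc -Class Win32_Process `
                      -Name Create -ArgumentList $cmd -ErrorAction Stop

        if ($result.ReturnValue -eq 0) {
            Write-Output "$pc : launched PID $($result.ProcessId) -> $cmd"
        } else {
            # Non-zero means the process was never started (e.g. 2 = access denied).
            Write-Warning "$pc : Win32_Process.Create returned $($result.ReturnValue)"
        }
    } catch {
        # Host offline, firewall blocking DCOM/WMI, or no admin rights on the target.
        Write-Warning "$pc : WMI call failed: $($_.Exception.Message)"
    }
}
```

Run it once to unregister, and later with -Reregister to restore VML once a patch is deployed; a non-zero ReturnValue or a caught error identifies hosts that still need attention.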

UPDATE: More resources have come to light regarding this VML vulnerability:

Zero-Day Response Team Launches with Emergency IE Patch
Internet Explorer Bug Can Be Exploited Via Email
More Defensive Tactics Against IE’s Newest Vuln
