Internet Explorer VML Zero-Day exploit protective measures summary

Posted: 21-Sep-2006 16:56

Here's a brief summary of what you can do to protect your Windows installation from being compromised by the Vector Markup Language (VML) zero-day vulnerability that is currently circulating on the Web.

Swap operating systems
This drastic measure should take care of the VML exploit, but you may get a bunch of other worries inherent to the OS you're going with.

Swap browsers
I quite like this one. IE6 is hugely long in the tooth, to the point that even Microsoft has started slagging it off. Firefox 1.5.x doesn't suffer from the VML vulnerability, but it does have its own security worries. Opera 9 is a worthy alternative, and there's also Microsoft's new IE7, currently in beta 2. I'm waiting to hear from MS if IE7 too is vulnerable to the VML hole. It might be, as it looks like it too has support for VML. On the other hand, IE7 runs in a "sandbox" (Protected Mode) that is meant to mitigate these kinds of attacks, but does that work on XP too? Protected Mode relies on the integrity levels introduced in Windows Vista, so on XP IE7 runs without it.

Enable Data Execution Prevention (DEP)
Windows XP SP2 introduced a new feature called DEP, which you can find if you head to Control Panel, click on the System icon, select the Advanced tab and click the Settings button under Performance. Pick the Data Execution Prevention tab, and this dialog will pop up:

Newer Intel and AMD processors have hardware DEP in the form of an NX (no execute) or XD (execute disable) bit. As you can see above, my processor doesn't have it, but the guys at the SecuriTeam Blog say that software DEP too stops the VML exploit. Select "Turn on DEP for all programs and services except those I select" and make sure that Internet Explorer isn't on the exception list. The SP2 default, "essential Windows programs and services only", does not cover IE, which is why it needs changing.

Note that you have to restart your machine for the DEP change to work.

This is an easy way to catch the VML exploit, and a recommended one. I've had software DEP enabled since SP2 came out, and haven't encountered any compatibility issues with it so far. That's not to say there are none, of course.

You can also edit boot.ini and change the /noexecute=OptIn switch that SP2 puts on the boot stanza to /noexecute=OptOut, but it's much easier to use the above dialog.
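Checking the result without opening the System dialog again, as an added example (a batch file written for this page, not from the original post or from Microsoft). It reads the DEP policy through the WMI properties that SP2 added to Win32_OperatingSystem, looks for iexplore.exe on the exception list, and shows the boot.ini line the dialog would write. It assumes XP Professional (Home lacks wmic and bootcfg), that the exception list lives under the AppCompatFlags\Layers key, and the multi(0)disk(0)... ARC path in the comment is a typical entry, not necessarily yours.

```batch
@echo off
REM Added example, not from the original post: read the DEP policy that the System
REM dialog (or the /noexecute switch in boot.ini) has set, using the WMI properties
REM XP SP2 added to Win32_OperatingSystem. Needs XP Professional: Home lacks wmic.
REM SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows components only,
REM the SP2 default), 3 = OptOut (all programs except the exception list).
setlocal
set "DEP_POLICY="
set "DEP_HW="
REM The nested FOR strips the stray carriage return wmic leaves at the end of each line
for /f "delims=" %%a in ('wmic OS get DataExecutionPrevention_SupportPolicy /value ^| find "="') do (
    for /f "tokens=2 delims==" %%b in ("%%a") do set "DEP_POLICY=%%b"
)
for /f "delims=" %%a in ('wmic OS get DataExecutionPrevention_Available /value ^| find "="') do (
    for /f "tokens=2 delims==" %%b in ("%%a") do set "DEP_HW=%%b"
)

echo Hardware DEP (NX/XD bit) available: %DEP_HW%
if "%DEP_POLICY%"=="0" echo DEP policy 0 (AlwaysOff): nothing is protected
if "%DEP_POLICY%"=="1" echo DEP policy 1 (AlwaysOn): every process, no exception list
if "%DEP_POLICY%"=="2" echo DEP policy 2 (OptIn): Windows programs and services only - iexplore.exe is NOT covered
if "%DEP_POLICY%"=="3" echo DEP policy 3 (OptOut): all programs except the exception list

REM Assumption: the dialog's exception list is stored as DisableNXShowUI entries under
REM the AppCompatFlags\Layers key (HKLM for the machine; HKCU is checked too, to be safe).
echo --- DEP exceptions mentioning Internet Explorer:
set "FOUND=0"
for %%h in (HKLM HKCU) do (
    reg query "%%h\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" 2>nul | find /i "iexplore" && set "FOUND=1"
)
if "%FOUND%"=="0" echo (none - iexplore.exe is not on the exception list)

REM The same OptOut setting as it appears in boot.ini; the System dialog edits this line
REM for you. The ARC path below is a typical example only, yours may differ:
REM   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptOut /fastdetect
REM bootcfg /query prints the current OS load options without opening boot.ini
bootcfg /query
```

Run it from a CMD prompt after the reboot the DEP change needs; a policy of 3 and no iexplore.exe entry is the state the section above is aiming for.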

Browse as a user with limited privileges
SecuriTeam points to this article from 2004 by Michael Howard, which gives you the skinny on how to run various high-risk apps like web browsers with non admin privileges. Not for beginners, this one, but seasoned admins and power users might want to take a look at it.

Turn off VML support
This is one of Microsoft's suggestions, but it does mean that VML apps no longer work. Then again, who uses VML?

Click the Start button and select Run; in the dialog, type in:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

If it works, you'll see this confirmation dialog:


Undoing this is as easy as running the regsvr32 programme without the -u switch:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Give vgx.dll a more restrictive Access Control List
Another Microsoft suggestion, done from the CMD prompt this time. You need admin rights, and the path has to be quoted because it contains spaces. You type in:

echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /D everyone

and hit return. The "echo y|" part answers the confirmation prompt if cacls asks for one, /E edits the existing ACL instead of replacing it, and /D everyone adds a deny entry for the Everyone group. Again, this will kill any VML apps. Running cacls on the file with no switches just displays the current ACL, which is a handy way to check that the deny entry is in place:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

To undo the restrictive ACL setting, remove the deny entry again in a CMD prompt:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

Switch off "Binary and Script Behaviours" in the Internet and Local Intranet security zones
Unfortunately, I'm not running IE6, but from memory, the dialogs are pretty similar. Go to the Tools menu, and select Internet Options. Click on the Security Tab, and you should see:
Internet Options

Select Internet and click the Custom level button. Page down to the Binary and Script Behaviors option:
Security Settings
Select Disable, click OK, and repeat for the Local Intranet zone as well. This is a per-user setting, so it needs doing for each Windows account that browses the web on the machine.
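The three vgx.dll and zone workarounds above (unregister the DLL, deny Everyone access to it, and disable Binary and Script Behaviors), wrapped in one batch file so they can be applied, checked and undone in a consistent order. This is an added example written for this page, not code from the original post or from Microsoft's advisory. It assumes an English-language XP SP2 where the group is called "Everyone", that zone settings aren't locked down by Group Policy, and that the Internet Options checkbox maps to registry value 2000 under the zone keys (1 = Local intranet, 3 = Internet; 3 = Disable, 0 = Enable, the default).

```batch
@echo off
REM Added example, not from the original post: apply, check or undo the vgx.dll and
REM zone workarounds from a CMD prompt. Run as an administrator.
REM Usage: vml-workaround.cmd apply ^| undo ^| status
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
REM Zone 1 = Local intranet, zone 3 = Internet; value 2000 = Binary and Script Behaviors;
REM data 0 = Enable (the default), 3 = Disable. Per-user setting, hence HKCU.
set "ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="undo"   goto undo
if /i "%~1"=="status" goto status
echo Usage: %~nx0 apply ^| undo ^| status
exit /b 1

:apply
REM 1. Unregister the VML renderer before locking the file (/s = no confirmation dialog)
regsvr32 /s /u "%VGX%"
if errorlevel 1 echo regsvr32 /u failed with exit code %errorlevel%
REM 2. Deny Everyone access; /E edits the ACL instead of replacing it, and "echo y|"
REM    answers the confirmation prompt if cacls asks for one. Assumes the English
REM    group name "Everyone".
echo y| cacls "%VGX%" /E /D everyone
REM 3. Disable Binary and Script Behaviors in the Internet (3) and Local intranet (1) zones
reg add "%ZONES%\3" /v 2000 /t REG_DWORD /d 3 /f
reg add "%ZONES%\1" /v 2000 /t REG_DWORD /d 3 /f
goto status

:undo
reg add "%ZONES%\3" /v 2000 /t REG_DWORD /d 0 /f
reg add "%ZONES%\1" /v 2000 /t REG_DWORD /d 0 /f
REM Remove the deny entry first, otherwise regsvr32 cannot load the DLL to re-register it
cacls "%VGX%" /E /R everyone
regsvr32 /s "%VGX%"
if errorlevel 1 echo regsvr32 failed with exit code %errorlevel%
goto status

:status
echo --- ACL on vgx.dll (cacls with no switches only displays it; look for a deny entry):
cacls "%VGX%"
echo --- Binary and Script Behaviors (value 2000): 0x3 = Disable, 0x0 = Enable
echo --- (an error here means the value was never set, i.e. the zone default of Enable)
reg query "%ZONES%\3" /v 2000
reg query "%ZONES%\1" /v 2000
exit /b 0
```

The order matters in both directions: regsvr32 has to run while it can still read the DLL, so "apply" unregisters before denying access and "undo" removes the deny entry before re-registering. The registry edit only covers the account that runs the script, which is the same limitation as doing it by hand in Internet Options.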

Microsoft also recommends that you read email in plain text only. This is because Microsoft's email programs use IE to render HTML, and you could thus become vulnerable. However, as SecuriTeam points out, most of the exploits so far have been on websites, so this is not sufficient to protect yourself. Either way, you shouldn't use HTML email if you can help it. The Geneva Convention bans it.

Please let me know if you spot any tyops, mistakes or find any further tips to prevent VML 'sploits.



Content copyright © Juha Saarinen. If you wish to use the content of my blog on your site, please contact me for details. I'm usually happy to share my material as long as it's not for spamblogs and content farms. Please attribute with a link back to this blog. If you wish to advertise on my blog, please drop me an email to discuss the details.