How To Defend Against IE's VML Bug

TechWeb ^ | September 20, 2006 | Gregg Keizer

[Eagle9]

Although Microsoft has acknowledged that in-the-wild exploits are taking advantage of an unpatched flaw in Internet Explorer, the developer has not committed to cranking out a fix before next month's regularly-scheduled update on Oct. 10. Users who want to protect themselves now, however, do have options.

Disable the vulnerable .dll: In the security advisory posted yesterday, Microsoft suggested that users can disable the vulnerable "Vgx.dll" from the command line.

-- Click Start, choose Run, and then type

-- regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

-- Click OK, then click OK again in the confirmation dialog that appears.

To undo the command, use:

-- regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

Use Group Policy to propagate .dll disabling: Microsoft's workarounds don't include this time saver, but an independent researcher has posted templates for creating a pair of Group Policy objects that disable (or undo that) for all users of a Windows domain.

For the details, head to Jesper Johansson's blog, here.

Disable Binary and Script Behaviors in IE 6: Another purely defensive move recommended by Microsoft is to turn off this scripting feature within the browser. Note, however, that this only protects against the currently-known exploit, which could, of course, morph into something else entirely.

-- Select Tools|Internet Options in IE

-- Click the "Security" tab

-- Click "Internet," then "Custom Level"

-- In the "ActiveX controls and plug-ins" section, under "Binary and Script Behaviors," click "Disable," and then click OK.

Repeat the last step above, but in the "Local intranet" zone.

Use another browser: Several security researchers and organizations have recommended dumping IE 6 in similar zero-day situations, and this was no different.

"One of the easiest ways might be to use Firefox with a plug-in to allow certain sites (such as windowsupdate.com) to transparently use MSIE to get back the ActiveX functionality without bothering the user over the choice and differences," said the Internet Storm Center in an online alert Wednesday.

Two such plug-ins (called "extensions" in Firefox parlance) that add IE functionality to Firefox are IE Tab and IE View.

In this case, "another browser" can also mean Internet Explorer 7, which is currently in Release Candidate 1. According to a Microsoft spokesman late Tuesday, IE 7 is not vulnerable to the VML bug.

IE 7 RC1 can be downloaded from the Microsoft site.

[HAL9000]

Why are Mac's not affected by virus's? Is this in fact true? I am considering getting one for work and I would like your comments.

It's true. Apple's Mac OS X operating system is designed to resist viruses better than Windows. It is possible that a virus will spread on Macs someday, but so far Mac users have been very fortunate compared to our Windows-using friends.

There are dozens of reasons why Windows is plagued with viruses, worms and spyware. Much of the Windows operating system was designed before the Internet became popular, so Microsoft did not use good coding practices. Microsoft also decided to leave many unnecessary communications ports open without a firewall until recently. Viruses can obtain administrative privileges more easily on Windows than on Macs. Microsoft e-mail programs used to automatically execute viruses that were attached to messages.

There is a myth that viruses writers don't try to attack Macs because Windows is more popular. But the popularity of Windows does ensure that viruses spread more quickly on that platform.

Better security is one good reason to get a Mac, but there are several others - better software, better reliability, better productivity - and Macs are just more fun to use than Windows computers.

[MadIvan]

I use Swiftfox, a variant of Firefox for Linux. No problems here.

Regards, Ivan

[LexBaird]

I am considering getting one for work and I would like your comments.

What kind of work do you do?

[Astronaut]

Better yet, get a Macintosh. No viruses. No spyware. Safe and secure browsing.

[TXnMA]

Lol!! I was just typing up a similar response: that the only successful attack I had seen on a Mac was the MSOffice Micro 'way back in the 90's. IIRC, we killed it on our network by disabling Office itself, and just running the individual MS application(s) we needed at the time...

[TXnMA]

You should let someone who actuallly knows something about Macs answer that question. All you succeeded in doing was advertising your ignorance and MS prejudice. Hope you enjoy sucking on the MS marketing koolaid teat... :-(

[Leisler]

Which linux are you running?

[MadIvan]

Ubuntu Dapper Drake. It's the best OS I've used. I do like PC BSD as well, however.

Regards, Ivan

[KayEyeDoubleDee]

If Microsoft Windows Update web site will accept Firefox with either of those two extensions, then banking and MS Exchange/Outlook Web Mail and other IE only web sites should also accept it

Interesting. It sounds like the Firefox plugin is allowing other activeX controls to run. But I wonder if they run in the context of Firefox (which I would need for the MS Ex/Outlook webmail) or if they just run in the background (ie to do MS installations, dll registrations, etc.)

[Eagle9]

Interesting. It sounds like the Firefox plugin is allowing other activeX controls to run. But I wonder if they run in the context of Firefox (which I would need for the MS Ex/Outlook webmail) or if they just run in the background (ie to do MS installations, dll registrations, etc.)

I just now checked on IEView and IETab at Mozilla.org and both simply run IE simultaneously with Firefox. If you're looking for an easy way to use IE on one web site, like a bank, or some other reason while you're using Firefox, either of the two would do it.

[Toby06]

How do you clean it out if you already have it?

[COEXERJ145]

I've been using IE7 since it was in Beta. Works great for me.

[Eagle9]

How do you clean it out if you already have it?

If you're running an anti-virus program like McAfee or Norton, scan then follow their instructions. You can also run a scan online at either of tthee following links. You will also need to download, install, and run Spybot Search & Destroy for all the malware that's been associated with the VML exploit. You will probably need to run other malware detectors, since one rarely catches and removes all malware. In WinXP run the Malicious Software Removal Tool located in your All Programs menu.

TrendMicro Housecall
http://housecall.trendmicro.com/

avast! Online Scanner
http://onlinescan.avast.com/

Download link for SpyBot Search & Destroy
http://www.spybot.info/en/download/index.html

[Toby06]

Geez, I run Norton, AVG free, Adaware and Spybot daily,

My kids must have hit some bad porn!

[Eagle9]

I use Swiftfox, a variant of Firefox for Linux. No problems here.

It's good to see you, MadIvan. I've always enjoyed reading the articles and essays you post, and your comments.

I have a laptop and a desktop that I don't use but keep in case this desktop has problems. Both of the older ones are still running Win98 and Win98SE, respectively. I've thought about installing a 'novice' version of Linux in a separate partition on one of them. I haven't yet because I don't think have enough technical knowledge to run Linux.

[Eagle9]

Anti-virus programs and malware detect/remove apps need updated databases to detect and remove what has been downloaded onto your computer. I just read a new article that says the VML 'bug' has already been updated/changed. I'm not sure if the databases had been updated to detect all of what the original version was downloading to computers.

IE Exploit Could Soon Be Used By 10,000-plus Sites
http://www.techweb.com/wire/security/193004128;jsessionid=UFDKNTP55TK0OQSNDLRSKHSCJUNN2JVN

[papasmurf]

Well, that would be your opinion, sir. There are, at least, 10 virus and trojan/worms out there aimed at macs as we type. Just google for them.

To put it bluntly, no apologies here, anyone who doesn't protect their box, no matter the OS, in these days, is an idiot. Anti-virus, anti-malware, anti-trojan, etc. protection is a must, even a child is aware of that.

And, BTW, ie7 is fantastic!

You speak of productivity. In the PC world, Microsoft brought it to the masses. Still does. Macs do what? Make cute little squiggles and fancy artwork used by pros. If it weren't for M$, mac would never have upgraded...how many different variations and OS's do they have now? I can run apps today on Win 2k, XP, and Vista, that were written 20 years ago for DOS and then Win3x, let's see you do that on OSX. LOL
You speak of better software. How's that? Mac's most popular office app is made by M$. I have many mac apps that OSX won't even recognize, let alone run 'em. Everything mac is an attempt to appear as advanced as M$.
You speak of reliability. I have 486's running Win 95 and 98, right along side of my Power Mac ( which, nowadays I only use for making and testing Filemaker db's) Wanna' guess which crashes more?

I'm not in love with bill, nor his company, but give the man his due, would ya? Without MS, millions of people would never have had the opportunity or ability to become as productive or successful as they are. Can you honestly say that about mac?

Please, get off the bash Micro$not campaign.

Would you really like to take M$ down a notch, in an honorable way? Good, then contribute to something like this:http://www.reactos.org/en/index.html




:O)

P

[Uriah_lost]

It's about volume, more people use IE and therefor virus writers and exploiters target the most common denominator. If Apple were more popular than Windows boxes they would be the ones attacked. Linux does have the advantage of having an army of geekish types that hunt/fix flaws but it's likely a similar issue of not being on top and thereby avoiding the attention of the most prolific adware/malware/virus/exploit writers.

[HAL9000]

"There are, at least, 10 virus and trojan/worms out there aimed at macs as we type. Just google for them."

Well, they aren't working. Over 20 million Mac OS X users are running with no special protection, and none are getting infected. A handful of Mac OS X users have downloaded a trojan horse, but that's about the only problem so far. Firewalls and anti-virus software are good things to have - but so far, Mac users have survived without them.

"And, BTW, ie7 is fantastic!"

I doubt it, but Safari and Firefox are excellent web browsers.

"Mac's most popular office app is made by M$."

Yes, Microsoft Office for Mac is available, and supposedly it's better than the version for Windows.

"I have many mac apps that OSX won't even recognize, let alone run 'em."

There is emulation software available for those old 68000-based apps, but I'm glad Apple isn't wasting their time trying to support obsolete software.

"Without MS, millions of people would never have had the opportunity or ability to become as productive or successful as they are. Can you honestly say that about mac?"

Absolutely yes.

"Please, get off the bash Micro$not campaign."

Everybody loves to bash Microsoft. It's a national pastime.

[MadIvan]

You can try out Ubuntu without installing it on your laptop - just use their Desktop CD, have it boot up from the CD ROM drive. There is a learning curve, but it's not bad.

Regards, Ivan