How To Defend Against IE's VML Bug

TechWeb ^ | September 20, 2006 | Gregg Keizer

[Eagle9]

Although Microsoft has acknowledged that in-the-wild exploits are taking advantage of an unpatched flaw in Internet Explorer, the developer has not committed to cranking out a fix before next month's regularly-scheduled update on Oct. 10. Users who want to protect themselves now, however, do have options.

Disable the vulnerable .dll: In the security advisory posted yesterday, Microsoft suggested that users can disable the vulnerable "Vgx.dll" from the command line.

-- Click Start, choose Run, and then type

-- regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

-- Click OK, then click OK again in the confirmation dialog that appears.

To undo the command, use:

-- regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

Use Group Policy to propagate .dll disabling: Microsoft's workarounds don't include this time saver, but an independent researcher has posted templates for creating a pair of Group Policy objects that disable (or undo that) for all users of a Windows domain.

For the details, head to Jesper Johansson's blog, here.

Disable Binary and Script Behaviors in IE 6: Another purely defensive move recommended by Microsoft is to turn off this scripting feature within the browser. Note, however, that this only protects against the currently-known exploit, which could, of course, morph into something else entirely.

-- Select Tools|Internet Options in IE

-- Click the "Security" tab

-- Click "Internet," then "Custom Level"

-- In the "ActiveX controls and plug-ins" section, under "Binary and Script Behaviors," click "Disable," and then click OK.

Repeat the last step above, but in the "Local intranet" zone.

Use another browser: Several security researchers and organizations have recommended dumping IE 6 in similar zero-day situations, and this was no different.

"One of the easiest ways might be to use Firefox with a plug-in to allow certain sites (such as windowsupdate.com) to transparently use MSIE to get back the ActiveX functionality without bothering the user over the choice and differences," said the Internet Storm Center in an online alert Wednesday.

Two such plug-ins (called "extensions" in Firefox parlance) that add IE functionality to Firefox are IE Tab and IE View.

In this case, "another browser" can also mean Internet Explorer 7, which is currently in Release Candidate 1. According to a Microsoft spokesman late Tuesday, IE 7 is not vulnerable to the VML bug.

IE 7 RC1 can be downloaded from the Microsoft site.

[Eagle9]

New Exploit Rocks IE, Downloads Scores Of Spyware, Adware (9/19/2006)
http://www.freerepublic.com/focus/f-news/1704561/posts

(excerpt

The new exploit seems to have a connection to WebAttacker, an multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20. ,b>"We think that this new exploit is inside a new [version of the] kit," said Sites. "If that's true, then it will end up all over the place."

Sites said he expects that the exploit will migrate to one of the so-called "iframe cash" sites -- the term comes from the iframecash.biz site -- which use affiliates to push unpatched exploits to a large number of other Web sites, some of which are legitimate addresses whose servers have been previously compromised.

"This could end up being in lots and lots of places," said Sites.

________________________________________________________________

If it does spread to legitimate addresses that have vulnerable servers, then waiting until October 10 for a patch for IE could be very risky.

[P-40]

Use another browser:

That is some good advice there. :)

[Red Badger]

USE FIREFOX!!!!!!!!!!!!!!!.........

[Red Badger]

IE has more flaws than hundred dollar diamond..........

[Fury]

Thanks for posting...

[Eagle9]

"One of the easiest ways might be to use Firefox with a plug-in to allow certain sites (such as windowsupdate.com) to transparently use MSIE to get back the ActiveX functionality without bothering the user over the choice and differences," said the Internet Storm Center in an online alert Wednesday.

Two such plug-ins (called "extensions" in Firefox parlance) that add IE functionality to Firefox are IE Tab and IE View.

If Microsoft Windows Update web site will accept Firefox with either of those two extensions, then banking and MS Exchange/Outlook Web Mail and other IE only web sites should also accept it.

[firewalk]

bttt

[Eagle9]

IE has more flaws than hundred dollar diamond..........

Man, you're cold. LOL

Yes, I've used Firefox for years ... since it was Phoenix .07

[Eclectica]

Should we "dial-ups" be concerned?

[HOYA97]

Why are Mac's not affected by virus's? Is this in fact true? I am considering getting one for work and I would like your comments.

Thanks!

[Eagle9]

Should we "dial-ups" be concerned?

Usually broadband users are the primary target. In this case, you could visit a web site whose server has been exploited and the HTML of that site would automatically download the malware. The trojans, keyloggers, and over 40 different malware can be in such small packets that you wouldn't notice the download. I am not an expert on this subject, but I think that is correct.

"First they were pushing Virtumondo adware," said Sites, "but by late afternoon yesterday, these sites were distributing more than 40 different types of malware, including keyloggers, adware, and backdoors."

Other researchers spotted the exploit on popular shared hosting distribution sites. The current in-the-wild exploit generates a stack overflow as soon as the user views an HTML page; once that happens, the attacker can push whatever code he wants onto the PC. "We're seeing this on dozens of different sites," said Gunter Ollmann, the director of Internet Security Systems' X-force research lab.

[FReepaholic]

Thanks for posting this. I've followed the instructions for creating the GPO and have applied it to our test network for testing.

[petro45acp]

"Why are Mac's not affected by virus's? Is this in fact true? I am considering getting one for work and I would like your comments.

Thanks!"

On possible reason is market share. Mac/Apple, although out there in a bunch of schools, doesn't have the market penetration of MS platforms. No big target, no (fewer) folks trying to exploit the boxes.

Another is operating system. MacOS has never been particularly vulnerable (again, few folks using it), and OSX is a UNIX OS.

Finally who actually uses the system? Few businesses and/or government agencies use Mac. The user base is mostly folk who need a reliable, comfortable to use, and safe connection to the internet.

Random thoughts.

Cheers

[Eagle9]

Why are Mac's not affected by virus's? Is this in fact true? I am considering getting one for work and I would like your comments.

I've never used a Mac but I think HAL9000 will know the answer to your question.

[VeniVidiVici]

Summary of all MS threads:

Blah, blah, blah, Firefox. Blah, blah, blah, MS sucks. Blah, blah, blah Mac. Blah, blah, blah why people still use is beyond me. Blah, blah, blah Linux.

[js1138]

Server 2003 is not vulnerable. PCs having a decent virus scanner or anti-spyware program are not vulnerable. I'm betting that 64 bit cpus are not vulnerable.

[LexBaird]

Why are Mac's not affected by virus's?

Lots of reasons. The big one is that the default account isn't an Admin account with root access privileges. Another is that it questions you when installing software, and requires a password. Another is that, since OSX, the operating system is UNIX based, and doesn't have the legacy holes that Windows has. Another is that it's a harder target with a smaller payoff. Another is that most OSX users don't use IE, which has been discontinued for Macs. Another is that the built-in firewall is on by default and you have to override it purposefully to open up remote access.

Macs are not immune; there just hasn't been any successful exploits in the wild yet. The only malware I've ever suffered on a Mac in 15 years was the macro virus that effected (you guessed it) Microsoft Office, and that was long before OSX.

[Leisler]

"Why are Mac's not affected ?

Who would want to hack into a computer from a guy who lives in the woods in a converted school bus and wants to trade organic root vegetables for a rebuilt starter for a 1981 Volvo 240?

[LexBaird]

On possible reason is market share. Mac/Apple, although out there in a bunch of schools, doesn't have the market penetration of MS platforms. No big target, no (fewer) folks trying to exploit the boxes.

That may account for a small part of it, but there are millions and millions of Macs out there. Scoring the first virus hit on them would make a very tempting target for the malware scum.

However, I think most malware attacks have gone beyond the nerd hobby boyz. Most of it seems run by organized crime and hostile governments, these days. More profitable to target institutional users than individuals. They'd much rather have a keysroke logger in a bank clerk's PC than some Art Director's Mac at an advertising shop.

[LexBaird]

Who would want to hack into a computer from a guy who lives in the woods in a converted school bus and wants to trade organic root vegetables for a rebuilt starter for a 1981 Volvo 240?

Like Rush Limbaugh or GWB, for example? Yep, no one would want to hack those guys.

[HAL9000]

Why are Mac's not affected by virus's? Is this in fact true? I am considering getting one for work and I would like your comments.

It's true. Apple's Mac OS X operating system is designed to resist viruses better than Windows. It is possible that a virus will spread on Macs someday, but so far Mac users have been very fortunate compared to our Windows-using friends.

There are dozens of reasons why Windows is plagued with viruses, worms and spyware. Much of the Windows operating system was designed before the Internet became popular, so Microsoft did not use good coding practices. Microsoft also decided to leave many unnecessary communications ports open without a firewall until recently. Viruses can obtain administrative privileges more easily on Windows than on Macs. Microsoft e-mail programs used to automatically execute viruses that were attached to messages.

There is a myth that viruses writers don't try to attack Macs because Windows is more popular. But the popularity of Windows does ensure that viruses spread more quickly on that platform.

Better security is one good reason to get a Mac, but there are several others - better software, better reliability, better productivity - and Macs are just more fun to use than Windows computers.

[MadIvan]

I use Swiftfox, a variant of Firefox for Linux. No problems here.

Regards, Ivan

[LexBaird]

I am considering getting one for work and I would like your comments.

What kind of work do you do?

[Astronaut]

Better yet, get a Macintosh. No viruses. No spyware. Safe and secure browsing.

[TXnMA]

Lol!! I was just typing up a similar response: that the only successful attack I had seen on a Mac was the MSOffice Micro 'way back in the 90's. IIRC, we killed it on our network by disabling Office itself, and just running the individual MS application(s) we needed at the time...

[TXnMA]

You should let someone who actuallly knows something about Macs answer that question. All you succeeded in doing was advertising your ignorance and MS prejudice. Hope you enjoy sucking on the MS marketing koolaid teat... :-(

[Leisler]

Which linux are you running?

[MadIvan]

Ubuntu Dapper Drake. It's the best OS I've used. I do like PC BSD as well, however.

Regards, Ivan

[KayEyeDoubleDee]

If Microsoft Windows Update web site will accept Firefox with either of those two extensions, then banking and MS Exchange/Outlook Web Mail and other IE only web sites should also accept it

Interesting. It sounds like the Firefox plugin is allowing other activeX controls to run. But I wonder if they run in the context of Firefox (which I would need for the MS Ex/Outlook webmail) or if they just run in the background (ie to do MS installations, dll registrations, etc.)

[Eagle9]

Interesting. It sounds like the Firefox plugin is allowing other activeX controls to run. But I wonder if they run in the context of Firefox (which I would need for the MS Ex/Outlook webmail) or if they just run in the background (ie to do MS installations, dll registrations, etc.)

I just now checked on IEView and IETab at Mozilla.org and both simply run IE simultaneously with Firefox. If you're looking for an easy way to use IE on one web site, like a bank, or some other reason while you're using Firefox, either of the two would do it.

[Toby06]

How do you clean it out if you already have it?

[COEXERJ145]

I've been using IE7 since it was in Beta. Works great for me.

[Eagle9]

How do you clean it out if you already have it?

If you're running an anti-virus program like McAfee or Norton, scan then follow their instructions. You can also run a scan online at either of tthee following links. You will also need to download, install, and run Spybot Search & Destroy for all the malware that's been associated with the VML exploit. You will probably need to run other malware detectors, since one rarely catches and removes all malware. In WinXP run the Malicious Software Removal Tool located in your All Programs menu.

TrendMicro Housecall
http://housecall.trendmicro.com/

avast! Online Scanner
http://onlinescan.avast.com/

Download link for SpyBot Search & Destroy
http://www.spybot.info/en/download/index.html

[Toby06]

Geez, I run Norton, AVG free, Adaware and Spybot daily,

My kids must have hit some bad porn!

[Eagle9]

I use Swiftfox, a variant of Firefox for Linux. No problems here.

It's good to see you, MadIvan. I've always enjoyed reading the articles and essays you post, and your comments.

I have a laptop and a desktop that I don't use but keep in case this desktop has problems. Both of the older ones are still running Win98 and Win98SE, respectively. I've thought about installing a 'novice' version of Linux in a separate partition on one of them. I haven't yet because I don't think have enough technical knowledge to run Linux.

[Eagle9]

Anti-virus programs and malware detect/remove apps need updated databases to detect and remove what has been downloaded onto your computer. I just read a new article that says the VML 'bug' has already been updated/changed. I'm not sure if the databases had been updated to detect all of what the original version was downloading to computers.

IE Exploit Could Soon Be Used By 10,000-plus Sites
http://www.techweb.com/wire/security/193004128;jsessionid=UFDKNTP55TK0OQSNDLRSKHSCJUNN2JVN

[papasmurf]

Well, that would be your opinion, sir. There are, at least, 10 virus and trojan/worms out there aimed at macs as we type. Just google for them.

To put it bluntly, no apologies here, anyone who doesn't protect their box, no matter the OS, in these days, is an idiot. Anti-virus, anti-malware, anti-trojan, etc. protection is a must, even a child is aware of that.

And, BTW, ie7 is fantastic!

You speak of productivity. In the PC world, Microsoft brought it to the masses. Still does. Macs do what? Make cute little squiggles and fancy artwork used by pros. If it weren't for M$, mac would never have upgraded...how many different variations and OS's do they have now? I can run apps today on Win 2k, XP, and Vista, that were written 20 years ago for DOS and then Win3x, let's see you do that on OSX. LOL
You speak of better software. How's that? Mac's most popular office app is made by M$. I have many mac apps that OSX won't even recognize, let alone run 'em. Everything mac is an attempt to appear as advanced as M$.
You speak of reliability. I have 486's running Win 95 and 98, right along side of my Power Mac ( which, nowadays I only use for making and testing Filemaker db's) Wanna' guess which crashes more?

I'm not in love with bill, nor his company, but give the man his due, would ya? Without MS, millions of people would never have had the opportunity or ability to become as productive or successful as they are. Can you honestly say that about mac?

Please, get off the bash Micro$not campaign.

Would you really like to take M$ down a notch, in an honorable way? Good, then contribute to something like this:http://www.reactos.org/en/index.html




:O)

P

[Uriah_lost]

It's about volume, more people use IE and therefor virus writers and exploiters target the most common denominator. If Apple were more popular than Windows boxes they would be the ones attacked. Linux does have the advantage of having an army of geekish types that hunt/fix flaws but it's likely a similar issue of not being on top and thereby avoiding the attention of the most prolific adware/malware/virus/exploit writers.

[HAL9000]

"There are, at least, 10 virus and trojan/worms out there aimed at macs as we type. Just google for them."

Well, they aren't working. Over 20 million Mac OS X users are running with no special protection, and none are getting infected. A handful of Mac OS X users have downloaded a trojan horse, but that's about the only problem so far. Firewalls and anti-virus software are good things to have - but so far, Mac users have survived without them.

"And, BTW, ie7 is fantastic!"

I doubt it, but Safari and Firefox are excellent web browsers.

"Mac's most popular office app is made by M$."

Yes, Microsoft Office for Mac is available, and supposedly it's better than the version for Windows.

"I have many mac apps that OSX won't even recognize, let alone run 'em."

There is emulation software available for those old 68000-based apps, but I'm glad Apple isn't wasting their time trying to support obsolete software.

"Without MS, millions of people would never have had the opportunity or ability to become as productive or successful as they are. Can you honestly say that about mac?"

Absolutely yes.

"Please, get off the bash Micro$not campaign."

Everybody loves to bash Microsoft. It's a national pastime.

[MadIvan]

You can try out Ubuntu without installing it on your laptop - just use their Desktop CD, have it boot up from the CD ROM drive. There is a learning curve, but it's not bad.

Regards, Ivan

[DollyCali]

thank you!!!!!

[RS]

"Scoring the first virus hit on them would make a very tempting target for the malware scum."

First ? from 2004

Destructive OS X malware spies on Apple users
http://www.zdnet.com.au/news/security/soa/Destructive_OS_X_malware_spies_on_Apple_users/0,130061744,139164062,00.htm



... and each quarter there are more PC's sold then the combined total of every Mac EVER sold.

[RS]

"Firewalls and anti-virus software are good things to have - but so far, Mac users have survived without them."

Uh - since 10.3 dosen't OSX have a built-in firewall ?

I suppose the Mac design folks have decided it's a good idea to have one.

[HAL9000]

Uh - since 10.3 dosen't OSX have a built-in firewall ?

It does, but it's turned off by default. It can be activated in the System Preferences - Sharing control panel.

More importantly, Mac OS X doesn't have any unnecessary open ports or services running.

[RS]

"It does, but it's turned off by default."

Oh - OK ... that makes sense ...

[montag813]

Users who want to protect themselves now, however, do have options.

Yes they do

[Tribune7]

OSX has yet to be infected by a virus and Apple brags about it, so any hacker who proves them wrong gets elected King of the Script Kiddies.

The reasons are summed up on Apple's site, the most important being that Windows plus IE is just very easy to exploit.

[RS]

2003.08.13

Switchback Virus Infects Macs, Nobody Notices

http://www.lowendmac.com/lite/03/0813.html

[Darnright]

bump

[BlessedBeGod]

A couple of questions:

1) Re "Disable the vulnerable .dll":
What is that .dll used for, and what will be affected if it's disabled?


2) Re disabling Binary and Script Behaviors in IE6 and the following instructions:
(-- Select Tools|Internet Options in IE
-- Click the "Security" tab
-- Click "Internet," then "Custom Level"
-- In the "ActiveX controls and plug-ins" section, under "Binary and Script Behaviors," click "Disable," and then click OK.)

I don't have anything specifically called "Binary and Script Behaviors" under "Active X Controls and Plug-Ins". All I have are:
Download Signed ActiveX Controls (I already have set as Disabled)
Download Unsigned ActiveX Controls (Disabled)
Initialize and Script ActiveX Controls Not Marked as Safe (Disabled)
Run ActiveX Controls and Plug-Ins (Disabled)
Script ActiveX Controls Marked Safe for Scripting (Disabled)

Am I okay there?

Thanks for your help!