Monday, January 21, 2019
  • Home
  •             

IE VML Exploit

September 23rd, 2006 by Patrick S

Once again there is a browser vulnerability that allows for the remote execution of code. And the only action necessary to become infected is to view a malicious webpage using Internet Explorer or an HTML formatted e-mail.

It was discovered in the wild by Sunbelt. Microsoft published Microsoft Security Advisory (925568) yesterday regarding the issue. The update is currently scheduled for October 10th – the next regular patch Tuesday.

Like the WMF exploit it is advised to unregister the susceptible dll from the system as a workaround for the vulnerability.

To unregister the dll you should execute from Start, Run:
regsvr32 /u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

This differs slightly from Microsoft’s recommendation – so as to include localized versions of Windows.

The vgx.dll component solely handles Vector Markup Language (VML). VML is a description format for browsers to draw vector graphics. Not too many websites use this format today – but rather display plain images. Also – it’s only supported by Internet Explorer. Opera and Firefox implement Scalable Vector Graphics (SVG).

Use this link with IE to see an example of VML. If you have the dll registered, you’ll see a clock. Once unregistered, you shouldn’t see anything.

Microsoft’s Outlook e-mail client is also potentially vulnerable for this exploit. But fortunately e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors is disabled. By using a web-mail client and Internet Explorer you might still be vulnerable.

Update:
There’s an unsupported third party patch for the VML vulnerability available at ZERT. (untested)

But it’s good to know something is available if this VML thingy really gets out of hand (which it hasn’t yet).

Updated to add: Your mileage may vary – this patch might not work with everyone. See discussion at PC Doctor Guides.

Update 2: Seems that this exploit does not apply to IE 7 🙂

Source: Fsecure

Posted in Internet Explorer, MS News, Security | 5 Comments »


This entry was posted on Saturday, September 23rd, 2006 at 8:29 pm and is filed under Internet Explorer, MS News, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.


5 Responses

  1. Sandi Says:

    It should be noted that Internet Explorer 7 is immune to this vulnerability:
    http://msmvps.com/blogs/spywaresucks/archive/2006/09/23/137132.aspx

  2. Patrick S Says:

    ahh thanks for the heads up…ill add it to the article 🙂
    Cool site BTW!

  3. Sean Says:

    Luckily our man Pat didn’t get hit by it 😛

  4. Patrick S Says:

    You can only try eh!

  5. Sam Says:

    There are also some buffer overflow protection appz for windows (see http://pax.grsecurity.net/ ) They could maybe prevent Windows users from some exploits.