Supplemental Resources and Links for Episode #58
Resource links for Security Now! Episode #58:

Two Serious New Windows Problems

Late Breaking News (9/26):

Official Microsoft VML Vulnerability
Patch Is Now Available

Windows Update is now carrying
Microsoft's official VML patch.

You should run Windows Update to obtain the patch, reboot your machine as Windows Update will require, then re-register the VGX.DLL file if you had previously unregistered it, since Windows Update does not automatically re-register the previously vulnerable DLL file. (See instructions for re-registering the previously vulnerable DLL below.)

You can then verify that your system is no longer vulnerable by displaying this benign VML vulnerability test page, which will use VML to display two red star filled rectangles:

http://www.isotf.org/zert/testvml.htm
NOTE: You MAY receive a false-positive warning from your Anti-Virus software when you display this page if it has been recently updated to detect exploits of the VML vulnerability. This is NORMAL, expected, and completely benign since the testing page must contain a version of the exploit in order to test whether your browser is susceptible.
If the DLL is NOT re-registered, you will see a blank space instead of the red-filled rectangles. If the DLL is still vulnerable (the patch didn't "take"), your browser will crash harmlessly.

UPDATE: A Third-Party Non-Vendor Patch
and Benign Vulnerability Test is Available

A reputable group known as "ZERT" — Zeroday Emergency Response Team — has produced a very nice GUI and Command Line patch utility which repairs the VML buffer overrun design flaw in Microsoft's VGX.DLL file.

Since VML is very rarely used on the web, "unregistering" the vulnerable DLL to take it completely out of service is probably the more prudent countermeasure. But if you choose to unregister the DLL you will need to remember to re-register it later. And corporate users may wish to employ ZERT's CommandLine tool to patch all Windows systems network-wide. (Full source code is included to allow independent verification of the utility's operation.)

This ZERT page contains the latest information on this alternative:

http://isotf.org/zert/

Additionally, and either way, a simple and benign vulnerability test page is available from their download page. It will (a) crash your IE browser if your system is currently vulnerable, (b) display two red rectangles if your browser has VML enabled (registered) and safely patched, or (c) pop-up a dialog box informing you that your IE is immune to this vulnerability if VGX.DLL is unregistered and you have scripting enabled to allow the pop-up. (If scripting is disabled for untrusted sites you'll just get a blank page.)

See the details of this testing page here:

http://isotf.org/zert/download.htm

Note that using this patching solution will "re-register" the VGX.DLL file for use by your system. So if you want double protection you could patch the file then follow the instructions below to also unregister it (though doing either is also certainly sufficient).



Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 04, 2013 at 18:12 (1,631.14 days ago)Viewed 9 times per day