A quick mitigation for Internet Explorer’s new 0-day vulnerability

The Internet industry press has been milking the news of the end of Windows XP support for much more than it’s worth. Now, over the weekend, we get news of another in a continuing series of 0-day flaws in Internet Explorer. (Oh My God! It’s the XPocalypse!!)

Or maybe not quite yet.

May 1st, 2014 update: Microsoft has released an out-of-band patch (MS14-021) for every version of Internet Explorer from v6 through v11… even on XP. So for now nothing changes. Stay tuned, and install the update on every copy of IE you have; the workaround below remains useful for any machine that cannot receive it.

Web browsers are growing incredibly complex. It’s pretty clear that they will be our next-generation operating platforms. And as the last annual “Pwn2Own” contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.

With most recent exploits the path to exploitation is convoluted and complex, and this one is no exception. It depends upon encountering malicious Web content with IE’s Active Scripting and ActiveX enabled (the default in both cases). That content loads an Adobe SWF (Shockwave Flash) file which first prepares memory for exploitation, then uses JavaScript against the vulnerable version of IE (presently every version, v6 through v11) to trigger a memory-corruption flaw that the exploit reaches through the age-old and long-ago deprecated VML (Vector Markup Language) rendering library, vgx.dll, which is nonetheless still installed “just in case.” Note that, as CERT’s VU#222929 points out, the underlying bug is in Internet Explorer itself rather than in vgx.dll: unregistering the library breaks the exploit path being used in the wild, and Microsoft lists it as a workaround in Security Advisory 2963983, but it is a stopgap rather than a fix. Apply the patch as soon as you can.

To immediately protect any use of Internet Explorer, yes, even on creaky old WinXP (the XPocalypse has been delayed), first open a command prompt window with administrative privileges: right-click the Command Prompt icon in the Start menu and select “Run as administrator.” Commands issued within this window have the privilege required to make system-level changes. This step matters: from an ordinary, non-elevated prompt regsvr32 may still report that unregistration “succeeded” while the machine-wide registration is left untouched, and the browser keeps rendering VML.

32-bit systems only require the first command. 64-bit systems have both a 64-bit and a 32-bit copy of the vulnerable file (the second under Program Files (x86)), so both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit. Your IE browser will no longer be able to render Vector Markup Language content, but VML has been unused on the web for many years. The change persists across reboots; the DLL itself stays on disk, so if a legacy application turns out to need it, running the same commands without -u re-registers it.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. Before unregistering, the office layout should appear. If instead you see the notice “A VML capable browser is required…”, add the vmlmaker.com domain to IE’s Compatibility View settings (under the Tools/settings menu); IE10 and IE11 only render VML for sites in Compatibility View. After unregistering, close every IE window, reopen the page, and confirm the layout no longer draws: a blank page, or that same “VML capable browser” notice, means the renderer is gone.

Note: An additional test can be performed by searching the Windows registry (in regedit, search Data with “Match whole string only” unchecked) for references to vgx.dll. If it is found as the “(Default)” data of an “InprocServer32” key, then it is still registered and available. On 64-bit Windows expect two such entries before the commands are run, one under CLSID and one under Wow6432Node\CLSID, and none afterwards.
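The whole procedure above (the elevation check, unregistering both copies, and the registry check) as one script. This is an added example and not part of the original post; it assumes that the COM classes vgx.dll registers live under HKLM\SOFTWARE\Classes\CLSID (and the Wow6432Node view for the 32-bit copy on x64) with an InprocServer32 default value naming the DLL, that regsvr32 returns exit code 0 on success, and that CommonProgramW6432 and CommonProgramFiles(x86) are defined only on 64-bit Windows.

```powershell
# Added example, not from the original post: unregister vgx.dll on 32- or
# 64-bit Windows, then confirm from the registry that no COM class still
# names it. Run from an elevated PowerShell prompt.

# 1. Refuse to run non-elevated: from an ordinary prompt regsvr32 can report
#    "succeeded" while the machine-wide (HKLM) registration is left untouched.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell prompt.'
}

function Get-VgxRegistrations {
    # Assumption: the COM classes vgx.dll registers live under
    # HKLM\SOFTWARE\Classes\CLSID (64-bit view) and, for the 32-bit copy on x64,
    # HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, each with an InprocServer32 subkey
    # whose (Default) value is the DLL path. This is the registry check from the
    # post, done programmatically.
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($clsid in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $inproc = "$($clsid.PSPath)\InprocServer32"
            if (-not (Test-Path -Path $inproc)) { continue }
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and ($server -like '*vgx.dll')) {
                New-Object PSObject -Property @{
                    Clsid  = $clsid.PSChildName
                    Server = $server
                    Key    = $inproc
                }
            }
        }
    }
}

function Get-VgxPaths {
    # On x64 Windows both CommonProgramW6432 (native 64-bit) and
    # CommonProgramFiles(x86) are defined; on x86 Windows only CommonProgramFiles is.
    $paths = @()
    $w6432 = [Environment]::GetEnvironmentVariable('CommonProgramW6432')
    $x86   = [Environment]::GetEnvironmentVariable('CommonProgramFiles(x86)')
    if ($w6432) { $paths += Join-Path $w6432 'Microsoft Shared\VGX\vgx.dll' }
    if ($x86)   { $paths += Join-Path $x86   'Microsoft Shared\VGX\vgx.dll' }
    if ($paths.Count -eq 0) {
        $paths += Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
    }
    return $paths
}

function Unregister-Vgx {
    foreach ($dll in Get-VgxPaths) {
        if (-not (Test-Path -LiteralPath $dll)) { Write-Warning "Not present: $dll"; continue }
        # /u = unregister, /s = silent (no message box). The 64-bit regsvr32 hands a
        # 32-bit DLL to its SysWOW64 twin, so one regsvr32 serves both copies.
        # Assumption: exit code 0 means DllUnregisterServer succeeded.
        $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -PassThru
        if ($proc.ExitCode -eq 0) { Write-Host "Unregistered: $dll" }
        else { Write-Warning "regsvr32 /u returned $($proc.ExitCode) for $dll" }
    }
}

$before = @(Get-VgxRegistrations)
Write-Host ("CLSIDs pointing at vgx.dll before: {0}" -f $before.Count)

Unregister-Vgx

$after = @(Get-VgxRegistrations)
if ($after.Count -eq 0) {
    Write-Host 'OK: vgx.dll is no longer registered. Close all IE windows and re-test the VML page.'
} else {
    $after | Format-Table -AutoSize
    Write-Warning 'vgx.dll is still registered under the keys above; check that this prompt is elevated.'
}
```

Save it as Unregister-Vgx.ps1 and run it with `powershell -ExecutionPolicy Bypass -File Unregister-Vgx.ps1` from an elevated prompt. The before/after counts give you the same evidence as the manual regedit search: two entries before on 64-bit Windows (one before on 32-bit), none after. To reverse the change, run the regsvr32 commands from the post without -u.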

You can confidently leave things this way, since you are never going to need VML and, as this circus shows, we’re all a lot better off without it!

(My most recent work: An Evaluation of the Effectiveness of Chrome’s CRLSets.)

/Steve.


92 Responses to A quick mitigation for Internet Explorer’s new 0-day vulnerability

  1. Raymond says:

    Thanks again Steve for keeping us in the know, we all know we shouldn’t depend on the press.
    Rainman

  2. Pingback: New Vulnerability Found in Internet Explorer UA Technology Services

  3. Richard Williams says:

    Thanks Steve. Will this fix still hold true after rebooting?

    • Steve Gibson says:

      Yes. And VML has been completely deprecated by the industry and replaced with HTML5 functions. So it’s HIGHLY unlikely that anyone’s ever going to miss it. Only legacy sites perhaps.

      /Steve.

  4. Jim says:

    SUCCESS!! Thanks, Mr. Gibson. I appreciate your looking out for my safety.

  5. Russell Omens says:

    happy i don’t use it!

  6. Jack Handley says:

    Sigh. I remember the innocent days of SpinRite and Shields Up.

    Thanks.

    Jack Handley

    Jack Handley *Diplomate, Curmudgeonology*

    “Surveillance is necessary for personalized marketing, the primary profit stream of the Internet. ” http://www.schneier.com/essay-420.html

  7. Jim Cooper says:

    Read, copy the text and paste it into the Run box.

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

  8. Pingback: Oh, look, the Windows XPocalypse has been delayed once again (sigh) | It's News to Me!

  9. David Hugh Meagher says:

    Thank you very much Mr Gibson!

  10. michael gwynn says:

    ty, Steve… you’re the lone voice of reason in the tangled jungle of misinformation

  11. Andrew says:

    Didn’t work on my machine (Win 7 SP1 64 bit).

    I had to run:

    “%SystemRoot%\System32\regsvr32.exe” -u “C:\Program Files (x86)\Common Files\microsoft shared\VGX\vgx.dll”

    To unregister the 32 bit version of the dll.

    %CommonProgramFiles% expands to the 64 bit version.

    • Hal S. says:

      To: Andrew (6:25pm)
      Strange – I have a Win7, SP1, 64-bit machine and it seemed to work perfectly. Just searched for ‘command prompt’ in the Start menu search box. That brought up a list; chose “command prompt”; that brought up a DOS type window. There I pasted in Steve’s line, hit return, and a message came back saying the dll was unregistered. Easy. Hope it turns out all right.

      • Andrew says:

        Sorry, by ‘didn’t work’, I mean that IE still displayed vml content (until I ran my version of the command).

        The regsvr32.exe command reported success in both cases.

        • Hi Andrew, you are correct; a second line needs to be added to the batch file in order to unregister the x86 version. Here is my file where I’ve added the /S parameter to make the batch run in silent mode in order to avoid the “press OK” dialog box.

          @echo off
          regsvr32 -u /S "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
          "%SystemRoot%\System32\regsvr32.exe" -u /S "C:\Program Files (x86)\Common Files\microsoft shared\VGX\vgx.dll"
          exit

          My first time messing around with batch files, I think the syntax is acceptable. This was pushed out via GPO on computer start-up. Tested successfully.

          To validate the script has unregistered the vgx.dll file, simply open regedit32 and search for the dll file; it should come back with null results.

    • Steve Gibson says:

      Andrew and everyone…
      • I have (so far) been unable to confirm that anything will work in 64-bit Windows. So I’ve edited the post (above) to reflect that this is useful ONLY for 32-bit Windows. :(

      • I’ve also posted the URL of a clean & simple test page.

      • But under the later versions of IE (v10 and v11) switching on “Compatibility Mode” on a 64-bit system continues to display the VML no matter what I’ve tried.

      I MUST prepare for the podcast now so I won’t be able to get back to this until this afternoon.

      Thanks for the heads up. We’ll figure this out. :)

      At least we DO have an immediate solution for IE on 32-bit XP that may not be receiving an update from Microsoft for this.

      /Steve.

  12. alex says:

    Isn’t it simpler to uninstall Shockwave? I haven’t ever found it useful.

  13. cpuguru says:

    Where is a good site to test that VML rendering has been disabled successfully?
    I tried the site from Episode #58 but it doesn’t appear to be online any longer: https://www.grc.com/sn/notes-058.htm

  14. Great post. Thanks Steve!!!

  15. steadhouse says:

    Thanks! We’re looking for a good place to test as well, like cpuguru. After unregistering the dll, the “VML Mona Lisa” still displays in IE:

    http://midiwebconcept.free.fr/Demos/MonaLisa.htm

    We’re getting a success message from the regsvr32 command though that the DLL is getting unloaded.

    Is there another way to test?

    Thanks!

  16. Bill says:

    Has anyone successfully done the following: verified IE displays Steve’s VML test page, disabled VML, verified IE does not display the test page? I can’t get the page to display before I disable VML.

    • You can also check to see that the vgx.dll file has been unregistered. Search for it in the Registry before running the command, if running Win7 (64-bit) you will find both 64/32bit versions, one entry for each.

      Run this search before and after executing the command to validate it has taken effect; you will know it has taken effect if your search comes back NULL.

    • Steve Gibson says:

      Bill…
      Microsoft deprecated VML at IE10. So it’s not available by default. But if you set the source domain into “compatibility mode” (see Compatibility Mode in the menu) then it begins to display. (It did for me.) My dilemma is the reverse: now that I’ve got it displaying, I’m unable to prevent it from displaying.

      /Steve.

      • Bill says:

        So, here is what I’ve done with my IE10 and 64-bit Win7:
        1. View the test page in compatibility mode and see the room layout
        2. Run the 32-bit version of the command to disable vgx.dll
        3. Restart IE
        4. Try the test page in compatibility mode and the room layout doesn’t display
        5. To reverse this and view the room layout again, I have to enable vgx.dll, clear the IE cache and restart IE

  17. Pingback: U.S. Government Suggests that You Switch from Internet Explorer - The Vette Barn Forum - A Community for Corvette Lovers

  18. Mark A. Huebner says:

    Thanks Steve!

        All the Best to you and yours,

             Mark A. Huebner

  19. Darth_yoda says:

    There do exist a couple of mitigations for 64-bit Windows versions.
    1. Install Enhanced Mitigation Experience Toolkit 4.1 (lower versions don’t guard against this).
    or
    2. In internet explorer advanced security settings there is a setting called “Enhanced Protected mode”. Also, you may need to enable “enable 64-bit processes for Enhanced protected mode” for this method to be fully effective.

    Both of these solutions are provided by Mr Brian Krebs. Check it out here:

    http://krebsonsecurity.com/2014/04/microsoft-warns-of-attacks-on-ie-zero-day/

  20. Steve Gibson says:

    Everyone…
    I have fully updated the blog posting. The trouble was that I have my Win7/64 locked down pretty tightly, and even though the invocation of the registration server wasn’t giving any errors, it wasn’t changing anything. It is necessary to run from an elevated privilege Command Prompt, as an Administrator… then everything works perfectly. Also, I simplified the commands using the available path variables and eliminating the unneeded path to the System32 directory, which is always in the execution path.

    All works now and makes sense! :)
    /Steve.

  21. Ivan says:

    thank you Steve ….once again

  22. Kal says:

    I tried the batch and I still get the “A VML capable browser is required to display this image.
    Please see http://www.VMLmaker.com technical support for details.” message on the page even though I added the vmlmaker.com domain to the compatibility settings in iexplorer. I am running windows 8 with iexplorer version 10 and of course in 64 bit. Please advise

    • I’m doing this now on 7 old PCs running Windows XP (32 bit) and IE8.
      Compatibility mode makes no difference either before or after unregistering vgx.dll.
      Before unregistering I see the office plan.
      After unregistering I don’t get a blank page, I get the message about needing a VML capable browser.
      I guess it must have worked though.

  23. CSorg says:

    That’s OK Kal, it means the vgx.dll is unregistered.

  24. Randy says:

    When trying to view this page in Firefox it tells me the connection is untrusted

  25. MAL says:

    Thanks Steve. I’m deploying this via login scripts in our business this morning. I’d rather secure everything and re-enable on a case by case basis if necessary than run the risk of malicious software getting in.

  26. kevinashipley says:

    Does unregistering VML protect against a specific exploit or the entire vulnerability?

  27. andyr354 says:

    Thanks! Put them in a batch and pushed it out to all my systems with PDQ Deploy.

  28. Steve says:

    Knowing that Word also probably renders VML, my bet was that it would work. As a test, I saved the HTML and opened it in Word. Well, it does render the VML. It even works in Office 2010 after un-registering the .dll above. When looking at the HTML in WordPad, I think it contains the VML in the scripting of the page. The HTML renderer in Word can render VML. My bet is that the HTML renderer in Outlook will also render this. Just because they render the VML does not mean that they have the same vulnerability.

  29. e-Van says:

    Thanks Steve for this crystal clear article. If only all MS bulletins were that clear !

  30. Jason says:

    I’ve run both commands on my win 7 64 bit and both the Mona Lisa and Office plan keep rendering so fix not working for me. :/

  31. Jason says:

    Nevermind. Seems to have worked now. I did close and re-open the browser before testing but I did it again and now things are NOT rendering so seems to be working. This is with IE 10.

  32. Pingback: Internet Explorer Security Warning

  33. Randy Tyler says:

    I could not get vgx.dll to unregister using Steve’s paths above on a Win7 x64 machine. However, I was able to by opening a Command Prompt at the “VGX” dir in both paths (“Program Files” and “Program Files (x86)” and confirmed such via a registry search.

  34. Chad C says:

    Steve, thanks this is really useful. One thing I’d like to confirm with others on here, I’ve put these commands in a batch script, and when run from a non-elevated prompt or from a GPO Startup script folder, the commands run ‘successfully.’ That is, no errors on the GPO side, and I actually get the “DllunregisterServer . . . . succeeded” message from the manual execution. However, if I check the vmlmaker site in IE, I can still see the office plan in compatibility mode.
    However, if I run the script manually with elevated privileges, I cannot load the office plan in IE – an indicator that the DLL is truly unregistered, I think. My concern is, for those of us who load this script in a GPO’s Startup script policy, it’s not actually protecting our PCs – can anyone else confirm this behavior?

  35. Randy Tyler says:

    NB: the vulnerability does not reside in VGX.DLL. This library is used in current exploits, so unregistering it will prevent those specific exploits from working, rather than blocking access to the vulnerability. See CERT’s site (Homeland Security) at: http://www.kb.cert.org/vuls/id/222929

  36. Randy Tyler says:

    See Microsoft’s Security Advisory 2963983 for suggested actions (including applying workarounds, such as: Deploying the Enhanced Mitigation Experience Toolkit 4.1 or 4.0; On x64-based Systems, Enable Enhanced Protected Mode for Internet Explorer 10; or Enable Enhanced Protected Mode and Enable 64-bit Processes for Enhanced Protected Mode for Internet Explorer 11).

    https://technet.microsoft.com/en-US/library/security/2963983

  37. Randy Tyler says:

    The full version of the Microsoft Security Bulletin Summary for May 1, 2014 can be found at

    https://technet.microsoft.com/library/security/ms14-may.aspx.

  38. CSorg says:

    Official patch available https://technet.microsoft.com/library/security/ms14-021
    although it’s the same workaround, so not really a patch in my opinion.
    You are the best Steve!

  39. Pingback: PCUG Meeting Notes For 5/1/14 | Portage Computer Users Group

  40. Danny Schwippert says:

    Hi Steve,
    First of all thanks for the great information you provide!
    I have a couple of questions.
    1. Wouldn’t an upgrade of Adobe Flash fix this issue?
    2. In case someone actually connects to a website without your workaround or the today released hotfix. The worst that could happen is that the attacker gains the same level of rights as the logged on user. Now we all know not to have local admin rights on the account we use to logon to our machines. What do you think is the worst thing that would happen if the attacker gains user permission on the target computer?

    Cheers
    Danny

  41. Two of my Windows 7 PCs just received a biggish patch KB2964358. Security update for IE11.
    I think it must be the fix for this.

  42. MattN says:

    In case someone else is having problems registering the DLL after un-registering it, I’ve found that adding the following registry keys restores VML rendering for IE9 on a Windows 7 64-bit system. If you’re running another OS or browser version, I suspect you will need to modify these values as needed.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
    "IE"="9.0000"
    "WindowsEdition"="4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector]
    "IE"="9.0000"
    "WindowsEdition"="4"

    On my system, unregistering VGX.dll will delete those values but does not restore them when registering.

    • Kal Huebscher says:

      Why would anyone want to re-register vml?

      • MattN says:

        My company found out that one of our client’s business applications required it. We had over 500 users affected by it so we had to roll it back for them to be able to work. The affected department is now looking to upgrade their software.

  43. Pingback: A quick mitigation for Internet Explorer’s new 0-day vulnerability – heartbleed bug fix | tyrannywatchuk

  44. Blue says:

    On a Vista 32 bit I got the cmd message that this was disabled but I’m still seeing

    “A VML capable browser is required to display this image.
    Please see http://www.VMLmaker.com technical support for details.”

    after adding vmlmaker.com to Page > Compatibility View settings.

  72. Joe Smith says:

    Additional: the VML dll, file name vgx.dll, is protected by Windows File Protection, a feature added in Windows 2000 to prevent the overwriting of protected Windows system files. Therefore you cannot remove or rename the file without the operating system replacing this file momentarily. It may be possible to change this behavior via a registry tweak.

    Windows File Protection

    http://support.microsoft.com/kb/222193

  73. Joe Smith says:

    on my windows xp machines after unregistering the dll I also successfully removed the vgx.dll file from the system by booting into safe mode, run a command prompt (cmd.exe) and type the following:

    c:
    cd\
    del /s vgx.dll

    I verified after a reboot that the file was no longer on the system.

  74. Joe Smith says:

    Also, be SURE on Windows 7 machines to run the commands as an Administrator because if you don’t it will appear to unregister the dll when it really isn’t … the RegDLLView program will verify this as well as restarting Internet Explorer and going to the web page. (in the compatibility mode).
