The Internet industry press has been milking the news of the end of Windows XP support for much more than it’s worth. Now, over the weekend, we get news of another, in a continuing series of, (0-day) flaws in Internet Explorer. (Oh My God! It’s the XPocalypse!!)
Or maybe not quite yet.
May 1st, 2014: Microsoft has decided to patch everyone’s
versions of Internet Explorer v6 through v11… even on XP.
So nothing changes yet. Stay tuned. (And update your IE’s!)
Web browsers are growing incredibly complex. It’s pretty clear that they will be our next-generation operating platforms. And as the last annual “Pwn2Own” contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.
To immediately protect any use of Internet Explorer – yes, even on creaky old WinXP (the XPocalypse has been delayed): You must first open a command prompt window with administrative privileges. This is done by right-clicking on the Command Prompt icon in the start menu and selecting “Run As Administrator.” Commands issued within this window will have the privilege required to make system level changes.
32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt. Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.
You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.
You can confidently leave things this way.. since you are never going to need VML and, as this circus shows, we’re all a lot better off without it!
(My most recent work: An Evaluation of the Effectiveness of Chrome’s CRLSets.)