Guarding Against the Newest IE Exploit

Discussion in 'The Lounge' started by COMPUABLE, Sep 22, 2006.

  1. COMPUABLE

    COMPUABLE First Sergeant

    From COMP: Interesting washingtonpost.com blogger's article here, which provides a very simple and easy-to-execute 3-Step “Workaround” Fix for the very latest Internet Explorer vulnerability exploit, which can allow the inadvertent installation of malicious software when users merely browse certain nasty Web sites…

    =====================================
    Guarding Against the New IE Exploit - Security Fix
    =====================================
    Brian Krebs on Computer Security | September 21, 2006; 2:29 PM ET

    Earlier this week Security Fix wrote about a newly discovered vulnerability in Microsoft's Internet Explorer Web browser that bad guys were exploiting to install malicious software when users merely browsed certain nasty Web sites.

    That post advised users who wanted to continue using IE to jack up the Javascript security settings on the browser, but as the most recent attacks with this exploit have shown, the bad guys don't need to use Javascript to execute their attacks with this vulnerability.

    Microsoft has since published an advisory with a workaround that seems to be pretty effective at stopping these attacks, pending the release of a patch from Microsoft (the company says it may not arrive until Oct. 10). The temporary fix involves "unregistering" the vulnerable Windows component, and is a pretty straightforward step that should help mitigate this threat.

    The problem is present in all versions of IE 5.0 and higher, according to US-CERT. I have not seen anyone test this exploit against IE 7 yet, but I've not heard of any evidence that the later version is vulnerable.

    The following workaround works on Windows XP Service Pack 1 and 2, Windows Server 2003 and Windows Server 2003 Service Pack 1:

    1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up
    2) Cut and paste the following text into that box:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    3) Then hit enter or click "Ok." You should then receive a pop-up window stating that the vulnerable component has been unregistered

    Even if you don't use IE as your default browser, disabling this Windows component may prove essential. One need only look back at the security headaches Windows users had earlier this year with the Windows meta file (WMF) vulnerabilities, when Microsoft was forced to issue a patch outside of its normal monthly patching process in part due to the creation of unofficial patches from third-party security vendors.

    With that problem, it was sufficient for Windows users merely to have the vulnerable WMF component active on a system for it to be compromised by a variety of different means, whether through a third-party e-mail client or other software that might invoke the flawed component.

    Incidentally, anyone willing to take bets on how long it will be until we start to see a repeat of third-party patches to fix this problem?

    =========================================================================

    Source of the Above Information: To view this article on the web simply Google the exact search phrase: Guarding Against the New IE Exploit
     
  2. matt.chugg

    matt.chugg MajorGeek

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And for windows 2000 sp4?
     
  4. COMPUABLE

    COMPUABLE First Sergeant

    >> And for windows 2000 sp4? TimW <<

    I just posted the "Is this workaround 'doable' with earlier Windows versions?" question at that "Brian Krebs on Computer Security" washingtonpost.com/securityfix/ blog and I'll get back to you on this as soon as I receive any reply. ;)

    Good Luck!
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Thanks Compuable ....have run the fix on all our xp machines ....look forward to hearing about the 2000 machines...since all we use here is I.E. (bummer.)
     
  6. COMPUABLE

    COMPUABLE First Sergeant

    To Halo and anyone else wondering here: Looks like the latest news is that the following fix applies for ALL versions of Windows that have any versions of IE 5.0 and higher installed.

    Listed below is the relevant part of that Security Fix Blog (listing the actual "workaround" steps) involved regarding "Microsoft's Fix" for the most recently discovered IE Flaw

    Note: this is only a partial posting from washingtonpost.com/securityfix/

    Brian Krebs on Computer Security:
    Posted at 02:15 PM ET, 09/22/2006
    Unofficial Patch Released for IE Flaw


    Microsoft said it expects to ship an update to fix the problem on Oct. 10. In the meantime, the company is recommending a workaround to disable the IE flaw until a patch is ready.

    "Experts contacted by Security Fix said Microsoft's suggested workaround appears sufficient to prevent the exploit from working.

    To disable the flawed component in Windows, do the following:

    1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up.

    2) Cut and paste the following text into that box: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

    3) Then hit enter or click "Ok." You should then receive a pop-up window stating that the vulnerable component has been unregistered.

    When Microsoft releases a patch for this problem, it should re-enable the vulnerable component. But if it does not or you would like to turn it back on for any reason, simply follow step 1 above and then paste the following into the box that pops up:

    regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

    ===================================================================
    This blogger Brian Krebs is usually very reliable and since the newest entry states "To disable the flawed component in Windows, do the following..." I'm pretty sure that it means ALL versions of windows that have any versions of IE 5.0 and higher installed.

    To read the entire article go to: washingtonpost.com/securityfix/ and look for:

    Brian Krebs on Computer Security:
    Posted at 02:15 PM ET, 09/22/2006
    Unofficial Patch Released for IE Flaw

    Good Luck!
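
Later replies in this thread mention running the fix across a lab of XP and 2000 machines. As an added example (not part of COMPUABLE's post or the Security Fix article), this batch file runs the same regsvr32 commands without the pop-up and reports the result per machine; the file name and the `disable`/`enable` arguments are assumptions.

```batch
@echo off
rem Added example, not from the thread or the Security Fix post.
rem Applies or reverts the vgx.dll workaround without the confirmation pop-up,
rem so it can be run from a disc or logon script on many machines.
rem Usage: vgx-workaround.cmd [disable|enable]   (file name is hypothetical)
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
set "ACTION=%~1"
if "%ACTION%"=="" set "ACTION=disable"

rem No DLL at the expected path means there is nothing to (un)register here.
if not exist "%VGX%" goto :missing

if /i "%ACTION%"=="disable" goto :disable
if /i "%ACTION%"=="enable"  goto :enable
echo Usage: %~nx0 [disable^|enable]
exit /b 2

:disable
rem /u unregisters (same as -u in the post); /s suppresses the message box.
start "" /wait regsvr32.exe /u /s "%VGX%"
goto :report

:enable
rem Re-register, for use if the eventual patch does not turn the component back on.
start "" /wait regsvr32.exe /s "%VGX%"

:report
rem With /s there is no pop-up, so the exit code is the only confirmation.
set "RC=%ERRORLEVEL%"
if "%RC%"=="0" goto :ok
echo %COMPUTERNAME%: %ACTION% FAILED for "%VGX%" (regsvr32 exit code %RC%)
exit /b %RC%

:ok
echo %COMPUTERNAME%: %ACTION% succeeded for "%VGX%"
exit /b 0

:missing
echo %COMPUTERNAME%: "%VGX%" not found, nothing to do
exit /b 0
```

Run it from an account with administrator rights; a non-zero exit code means the component's registration was not changed on that machine.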
     
  7. Bladesofhalo

    Bladesofhalo MajorGeek

    Thanks COMPUABLE for the info :)
     
  8. BirdBath

    BirdBath Sergeant Major

    The command worked fine. Thanks.

    Do we need to install the patch when it's released or is unregistering the component good enough?
     
  9. Bladesofhalo

    Bladesofhalo MajorGeek

    I found these vulnerabilities on my pc, how do I fix em?
    Scanning Drive C:...
    C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
    Version: 11.0.8036.0
    C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
    Version: 6.0.2900.2180
    C:\Program Files\HP\Digital Imaging\HP Print Screen\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
    Version: 6.0.3275.0
    C:\Program Files\Microsoft Works\gdiplus.dll
    Version: 5.1.3102.1360
    C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSO.DLL
    Version: 11.0.5606.0
    C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.7969\MSO.DLL
    Version: 11.0.6568.0
    C:\WINDOWS\system32\dllcache\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\system32\dllcache\vgx.dll
    Version: 6.0.2900.2180
    C:\WINDOWS\system32\gdiplus.dll
    Version: 5.1.3102.2180
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
    Version: 5.1.3102.2180
    Scan Complete.
     
  10. mulletgut

    mulletgut Private First Class

    Firefox Portable? I have it along with a few other portable apps on a flash drive which I take to work, as the computers at work are strongly admined and usage severely restricted. (I work for a NSW Emergency service)

    You can import all your bookmarks etc and will run straight from the flash drive (no install) I love it.
    I do of course realise that if your company uses IE on their machines , that people will use it and that's that. But anyway............
     
  11. COMPUABLE

    COMPUABLE First Sergeant

    >> I found these vulnerabilities on my pc, how do I fix em? Bladesofhalo <<

    For the best possible answers to all that, you'd probably get WAY better (and far more) responses to such questions related to your computer's security by posting it in the MajorGeeks MALWARE section. Like the sign says: "All posts are answered by approved professionals." ;)

    Good Luck!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Tis a computer teaching lab ...I do the IT work ...and carry all my portables ...it's enough to have students screw things up and teachers download malware ...my job to keep it all from crashing ...hard enough since some of our apps require allowing students download privileges and when no one is looking ...well, you get the drift.:rolleyes:

    @Compuable ....so now I can do the 2000's ....well thanks a lot ...gezzz, now I actually have something to do on Monday! (well, at least for 10 minutes).
     
  13. COMPUABLE

    COMPUABLE First Sergeant

    >> @Compuable ....so now I can do the 2000's ....well thanks a lot ...gezzz, now I actually have something to do on Monday! (well, at least for 10 minutes). <<

    Oh anytime... My pleasure really.

    LOL TimW - 10 minutes? Gonna try it the hard way... with the monitor off, I see... ;)

    Good Luck!
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member



    Got it on a disc ....have to do the other half of the lab computers ...but will try it with monitors off .....that could give me a few other things to do on Monday...hehehe.:rolleyes: :rolleyes:
     
