Microsoft released a security advisory on a vulnerability in Internet Explorer that is being leveraged in limited targeted attacks. Currently the vulnerability only causes crashing in Internet Explorer on Windows XP but the exploit does exist in all versions of Windows. Microsoft states that versions of the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this vulnerability in Internet Explorer. The toolkit is available for Windows XP users as well. If using EMET is not an option, users can consider mitigating the issue by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser. This is not required by the majority of users. However, by unregistering the library, any application that uses the DLL may no longer function properly. Also, some applications installed on the system may potentially re-register the DLL. VGX.DLL is used in conjunction with an Adobe Flash exploit to cause memory corruption and allow an attacker to run code remotely on the compromised computer. The vulnerability in IE is specific to the browser’s handling of the Vector Markup Language and vector graphics rendering. Microsoft advised as a temporary mitigation that admins disable the VGX.DLL; the library is crucial for proper graphics rendering and is used by IE as well as Office applications.
- In-Scope Items: Internet Explorer 6-11 in all versions of Windows
The following recommendations can mitigate this vulnerability:
- Run Windows update. Microsoft has released the patch for this exploit.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) 4.1
- Block access to VGX.DLL
- Enable Enhanced Protected Mode
- Use built-in Internet Explorer configuration options to disable active scripting.
The following one line of instruction can be executed to make the system immune from attacks attempting to exploit the vulnerability. This line of instruction can be used for all affected operating systems:
- “%SystemRoot%\System32\regsvr32.exe” -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”
Symantec has also provided a bat file that will first check to see if the system is at risk and then with another flag unregister the DLL. This batch file is attached as a text file to this email that needs to get renamed and executed from command line.
Recommendations and Additional Considerations:
The following needs to be considered if you decide to unregister this DLL or taking any recommended actions mentioned above:
- This does not guarantee that this DLL is not going to get reregistered and reactivated again
- Functionality of applications relying on this vgx.dll might be affected including Adobe Flash and MS Office Applications
- As always, we recommend staying up-to-date with the latest version of Internet Explorer for improved security features such as Enhanced Protected Mode, better backward compatibility through Enterprise Mode, increased performance, and support for the modern web standards that run today’s websites and services.
- Last recommendation, use alternative browsers such as Firefox and Chrome instead of IE, if your applications are compatible with these browsers.
Clarifying the IE Enhanced Protected Mode workaround:
Here is Internet Explorer Enhanced Protected Mode workaround. Enhanced Protected Mode will help protect 64-bit Internet Explorer users from this attack. There is a difference between Internet Explorer 10 and Internet Explorer 11 that led to some confusion. Internet Explorer 10 has one setting to enable and Internet Explorer 11 has two settings to enable. The 64-bit aspect of Internet Explorer is a key element of this workaround as the heap spray attack is not effective in 64-bit address space, leading to a failed exploit. Enhanced Protected Mode alone on 32-bit Internet Explorer 11 is not effective in blocking the attack. The screenshots below illustrate the Internet Explorer 10 versus Internet Explorer 11 “checkbox” differences: