How To Protect Yourself From The Vector Markup Language (vml) Exploit

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

How To Protect Yourself From The Vector Markup Language (vml) Exploit

Options

Grinler View Member Profile	Sep 21 2006, 03:59 PM Post #1
Bleep Bleep! Group: Admin Posts: 31,022 Joined: 24-January 04 From: USA Member No.: 3	How To Protect Yourself From The Vector Markup Language (vml) Exploit Update: As of today the VML patch has been released. Do not forget to get it from http://www.windowsupdate.com or install it after it has been downloaded if you use Automatic Updates. Table of Contents What is the VML Exploit How to disable VML How to enable VML Conclusion What is the VML Exploit A zero-day exploit was discovered by Sunbelt Software in the Microsoft Windows implementation of Vector Markup Language (VML). According to Microsoft, VML is defined as: Vector Markup Language (VML) is an XML-based exchange, editing, and delivery format for high-quality vector graphics on the Web that meets the needs of both productivity users and graphic design professionals. XML is a simple, flexible, and open text-based language that complements HTML. This bug allows malicious web sites to install software without your permission or even knowledge. As of this writing, there is at least one site that is exploiting this bug to install approximately 47 different pieces of malware on your computer. The official patch for this bug is expected to be released as part of Microsoft's October security updates on October 10, 2006. Until then you should use the unofficial solution found below. The Windows versions affected by this bug are: Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Service Pack 1 and Service Pack 2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition Microsoft Windows Server 2003 x64 Edition Further references about this security bug can be found at the following resources: Sunbelt Software Security Notice Microsoft Security Advisory (925568) Cert Vulnerability Note VU#416092 Internet Security Systems Protection alert September 19, 2006 Sans Handler's Diary How to disable VML To disable VML from being called by Internet Explorer, and thus protecting you from this exploit, you can unregister the vgx.dll associated with it. To unregister the DLL you can download the batch file, unregvml.bat, below and save it to your desktop. Then simply double-click on the batch file. You will receive a prompt that the vgx.dll has been unregistered. All you need to do is press the OK button at this prompt to finish the unregistering of the DLL. Unregvml.bat Download Link If you would like to manually unregister the file you can follow these steps: Click on the Start button and then select the Run menu option as shown in Figure 1 below. Figure 1. Select the Run menu option In the Run windows type regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll in the Open: field and press the OK button. This is shown in Figure 2 below. Figure 2: Entering the command. A dialog box similar to Figure 3 below will appear showing that the vgx.dll file was successfully unregistered. Simply press the OK button to close this window. Figure 3: The DLL was successfully unregistered. Your computer should now be protected from the VML exploit. How to enable VML After you unregister the DLL there are two times that you may want to register it again. The first is when the official patch is released by Microsoft you will want to register the vgx.dll again and then install the new patch. The other time is if you visit sites that utilize the VML technology and need this DLL registered in order to properly view the site. To register the DLL again you can download the batch file, regvml.bat, below and save it to your desktop. Then simply double-click on the batch file. You will receive a prompt that the vgx.dll has been registered. All you need to do is press the OK button at this prompt to finish. Regvml.bat Download Link If you would like to register the DLL manually you can follow the steps below: Click on the Start button and then select the Run menu option as shown in Figure 1 below. Figure 1. Select the Run menu option In the Run windows type regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll in the Open: field and press the OK button. This is shown in Figure 2 below. Figure 2: Entering the command. A dialog box similar to Figure 3 below will appear showing that the vgx.dll file was successfully unregistered. Figure 3: The DLL was successfully registered. Your computer should now have VML functionality again. Conclusion I would recommend that everyone who reads this guide disable the vgx.dll until an official patch is released by Microsoft. This will protect you from this exploit and prevent malicious sites utilizing it from downloading malware onto your computer. As most sites do not utilize VML technology you should not have any adverse affects from unregistering the DLL. A big thanks to Sunbelt Software for releasing information on this exploit. -------------------- Lawrence Become a BleepingComputer fan: Facebook

Grinler View Member Profile	Sep 26 2006, 03:34 PM Post #2
Bleep Bleep! Group: Admin Posts: 31,022 Joined: 24-January 04 From: USA Member No.: 3	Update: As of today the VML patch has been released. Do not forget to get it from http://www.windowsupdate.com or install it after it has been downloaded if you use Automatic Updates. -------------------- Lawrence Become a BleepingComputer fan: Facebook

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 4th July 2009 - 01:39 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive