Have I Been Caught By The Vml Exploit?


8 replies to this topic

#1 TMacK


Posted 23 September 2006 - 12:29 PM

I asked a question in another thread ( http://www.bleepingcomputer.com/forums/t/66164/grinler-how-do-we-know-if-bugged-in-vml/ ) if it was necessary for someone using Firefox and Thunderbird to worry about the VML problem, as I am prepared to do what it takes to secure my computer against this exploit. Well, it might be too little too late.
Just for the heck of it, I checked the "message source" of an e-mail I received this morning. There are two strange entries in it that aren't in any other e-mails. They are both at the bottom of the e-mails and read: Behavior:url:(#default#vml).
So how does the VML present itself and should I be concerned about this?
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner


#2 buddy215


Posted 23 September 2006 - 01:35 PM

As long as you are not using IE browser or Outlook emailer, you are not vulnerable according to all that is known about this bug so far. IE7 is not affected either, supposedly.


http://www.techweb.com/wire/security/19300...LOSKH0CJUNN2JVN

An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action, said Sites. "If you see a message in the Preview Pane or double click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code, he added.

Sunbelt's testing has confirmed that Outlook 2003 is vulnerable -- in its most-patched SP2 version at least -- but that earlier editions of the e-mailer, including Outlook 2000 and Outlook 2002, are not at risk. Sunbelt has yet to test Outlook 2003 SP1.

To protect against e-mailed attackers, Outlook users should disable the Preview Pane (in Outlook 2003, select View|Reading Pane|Off) and render all mail in plain text (Tools|Options|Preferences|E-mail Options, then check the "Read all standard mail in plain text" box.).
--------------------------------------------------------------------------------


http://www.f-secure.com/weblog/archives/ar...6.html#00000975
To unregister the dll you should execute from Start, Run:
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This differs slightly from Microsoft's recommendation - so as to include localized versions of Windows.

The vgx.dll component solely handles Vector Markup Language (VML). VML is a description format for browsers to draw vector graphics. Not too many websites use this format today - but rather display plain images. Also - it's only supported by Internet Explorer. Opera and Firefox implement Scalable Vector Graphics (SVG).

Use this link with IE to see an example of VML. If you have the dll registered, you'll see a clock. Once unregistered, you shouldn't see anything.

Microsoft's Outlook e-mail client is also potentially vulnerable for this exploit. But fortunately e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors is disabled. By using a web-mail client and Internet Explorer you might still be vulnerable.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 TMacK


Posted 23 September 2006 - 02:31 PM

Thanx for your reply, buddy215.
Couldn't get my head around much past the first two sentences, but I guess that and the links were the important parts!
BTW, did do all the scans I could, and everything checked out okay... not that the VML would show up on any of the scans anyways.
Wonder what that little message was at the bottom of the e-mail? I know the sender uses Outlook & IE. Perhaps I should be bringing this to her attention.

#4 jgweed


Posted 23 September 2006 - 07:29 PM

Behavior:url:(#default#vml).

This is a common instruction for drawing letters and shapes, and by itself is perfectly harmless.

Regards,
John

http://www.faqts.com/knowledge_base/view.phtml/aid/11013
Whereof one cannot speak, thereof one should be silent.
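
The string discussed above is a CSS behavior binding, and Word-based mail editors routinely write it into the HTML part of ordinary messages. As an added example (not code from any post in this thread), the following Python checks a raw message for VML markers and counts them; the function name `find_vml`, the marker names and the sample message are constructed for illustration, and a hit only means the mail contains VML markup, not that it is an exploit.

```python
import re
from email import message_from_string

# Markers that indicate VML is present in an HTML body. Their presence means
# "this mail contains VML markup", not "this mail is an exploit".
VML_MARKERS = {
    "behavior_binding": re.compile(r"behavior\s*:\s*url\s*\(\s*#default#vml\s*\)", re.I),
    "vml_namespace": re.compile(r"urn:schemas-microsoft-com:vml", re.I),
    "vml_element": re.compile(r"<\s*v:[a-z]+", re.I),
}

def find_vml(raw_message: str) -> dict:
    """Return {marker_name: hit_count} summed over every text/html part."""
    msg = message_from_string(raw_message)
    counts = {name: 0 for name in VML_MARKERS}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain-text parts are never rendered as markup
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        html = payload.decode(charset, errors="replace")
        for name, pattern in VML_MARKERS.items():
            counts[name] += len(pattern.findall(html))
    return counts

# Constructed sample: a multipart mail whose HTML part carries the style
# bindings that Word-based editors emit; no real message is reproduced here.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello
--b1
Content-Type: text/html; charset="us-ascii"

<html xmlns:v="urn:schemas-microsoft-com:vml"><head><style>
v\\:* {behavior:url(#default#VML);}
o\\:* {behavior:url(#default#VML);}
</style></head><body><p>Hello</p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(find_vml(SAMPLE))
```

Two binding hits with no `v:` elements, as in the sample, is the pattern of a message that declares VML support in its stylesheet without drawing anything.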

#5 TMacK


Posted 23 September 2006 - 07:41 PM

Thanx for that information jgweed.
Seeing as I receive e-mails from OE/IE users, wonder if I should still follow the instructions in Grinler's thread about how to protect yourself from the VML...

#6 Orange Blossom


Posted 23 September 2006 - 09:26 PM

It certainly wouldn't do any harm, and it might do good.

Orange Blossom :thumbsup:

Just because I'm paranoid doesn't mean there's no-one out there.
-- a mangled quote from something I read.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 quietman7


Posted 23 September 2006 - 09:49 PM

Better to be safe and follow the guide until a patch is released.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 TMacK


Posted 24 September 2006 - 12:24 AM

Task complete.
Thanx for your replies, I couldn't agree with you more, better be safe than sorry. :thumbsup:

#9 quietman7


Posted 24 September 2006 - 06:34 AM

You're welcome.