Update: As of today the VML patch has been released. Do not forget to get it from http://www.windowsupdate.com or install it after it has been downloaded if you use Automatic Updates.
What is the VML Exploit
A zero-day exploit was discovered by Sunbelt Software in the Microsoft Windows implementation of Vector Markup Language (VML). According to Microsoft, VML is defined as:
"Vector Markup Language (VML) is an XML-based exchange, editing, and delivery format for high-quality vector graphics on the Web that meets the needs of both productivity users and graphic design professionals. XML is a simple, flexible, and open text-based language that complements HTML."

This bug allows malicious web sites to install software without your permission or even knowledge. As of this writing, there is at least one site that is exploiting this bug to install approximately 47 different pieces of malware on your computer. The official patch for this bug is expected to be released as part of Microsoft's October security updates on October 10, 2006. Until then you should use the unofficial solution found below.

The Windows versions affected by this bug are:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition
- Microsoft Windows Server 2003 x64 Edition
Sunbelt Software Security Notice
Microsoft Security Advisory (925568)
CERT Vulnerability Note VU#416092
Internet Security Systems Protection Alert September 19, 2006
SANS Handler's Diary
How to disable VML

To stop Internet Explorer from calling VML, and thus protect yourself from this exploit, you can unregister the vgx.dll associated with it. To unregister the DLL you can download the batch file, unregvml.bat, below and save it to your desktop. Then simply double-click on the batch file. You will receive a prompt that the vgx.dll has been unregistered. All you need to do is press the OK button at this prompt to finish unregistering the DLL.

Unregvml.bat Download Link

If you would like to manually unregister the file you can follow these steps:
- Click on the Start button and then select the Run menu option as shown in Figure 1 below.
Figure 1. Select the Run menu option
- In the Run window, type regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" in the Open: field and press the OK button. This is shown in Figure 2 below.
Figure 2: Entering the command.
- A dialog box similar to Figure 3 below will appear showing that the vgx.dll file was successfully unregistered. Simply press the OK button to close this window.
Figure 3: The DLL was successfully unregistered.
How to enable VML

After you unregister the DLL there are two times that you may want to register it again. The first is when Microsoft releases the official patch: register the vgx.dll again and then install the new patch. The other is if you visit sites that utilize the VML technology and need this DLL registered in order to properly view the site. To register the DLL again you can download the batch file, regvml.bat, below and save it to your desktop. Then simply double-click on the batch file. You will receive a prompt that the vgx.dll has been registered. All you need to do is press the OK button at this prompt to finish.

Regvml.bat Download Link

If you would like to register the DLL manually you can follow the steps below:
- Click on the Start button and then select the Run menu option as shown in Figure 1 below.
Figure 1. Select the Run menu option
- In the Run window, type regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" in the Open: field and press the OK button. This is shown in Figure 2 below.
Figure 2: Entering the command.
- A dialog box similar to Figure 3 below will appear showing that the vgx.dll file was successfully registered.
Figure 3: The DLL was successfully registered.
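The two manual procedures above can be combined into one script that runs regsvr32 silently and reports whether each call succeeded. This is an added example, not the unregvml.bat or regvml.bat offered on this page; the file name vmltoggle.bat and the check for a second, 32-bit copy under %CommonProgramFiles(x86)% on x64 editions are assumptions.

```batch
@echo off
rem Added example, not the page's unregvml.bat / regvml.bat.
rem Usage (hypothetical file name):  vmltoggle.bat disable   or   vmltoggle.bat enable
rem Run from an account with administrator rights; regsvr32 writes to the registry.
setlocal
set "FLAG="
if /i "%~1"=="disable" set "FLAG=/u"
if /i "%~1"=="enable" goto run
if not defined FLAG (
    echo Usage: %~nx0 disable^|enable
    exit /b 2
)

:run
set "FAILED=0"
rem Native copy: the same path used in the manual steps above.
call :toggle "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
rem Assumption: x64 editions may also carry a 32-bit copy; it is skipped if absent.
if defined CommonProgramFiles(x86) call :toggle "%SystemRoot%\SysWOW64\regsvr32.exe" "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
if "%FAILED%"=="0" echo Finished: %~1 succeeded for every copy found.
if "%FAILED%"=="1" echo Finished: at least one copy could not be processed.
exit /b %FAILED%

rem :toggle <regsvr32 path> <dll path>
rem Registers the DLL, or unregisters it when FLAG is /u; /s suppresses the dialog box.
:toggle
if not exist "%~2" (
    echo [skip] "%~2" not found
    goto :eof
)
"%~1" /s %FLAG% "%~2"
if errorlevel 1 (
    echo [fail] "%~2" regsvr32 exit code %errorlevel%
    set "FAILED=1"
) else (
    echo [ ok ] "%~2"
)
goto :eof
```

Because /s hides the confirmation dialog shown in Figure 3, the script's exit code (0 on success, 1 on failure, 2 on bad usage) is what tells you the outcome.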
I would recommend that everyone who reads this guide disable the vgx.dll until an official patch is released by Microsoft. This will protect you from this exploit and prevent malicious sites utilizing it from downloading malware onto your computer. As most sites do not utilize VML technology you should not have any adverse effects from unregistering the DLL. A big thanks to Sunbelt Software for releasing information on this exploit.










