Solved

zero day internet explorer mitigation

Posted on 2014-04-29
Medium Priority
1,138 Views
Last Modified: 2014-05-01
I have added the code in the bottom of the link below to group policy to run as a startup script for all my computers.

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day

The script should unregister vgx.dll and mitigate the zero day exploit. However, it appears to work fine when I run it on my computer but I am unable to tell if it successfully unregistered the DLL via group policy.

How can I tell if the DLL was successfully unregistered when the group policy applied and the batch file ran?

Thanks,

Justin
Question by:JustinGSEIWI
5 Comments
 
LVL 70

Assisted Solution

by:Merete
Merete earned 400 total points
ID: 40031701
I can't say, trust!
Did you also use this?
Symantec has also provided a batch file that you can download to automate the command line, and you can get it here: Zero-Day Internet Explorer Vulnerability Let Loose in the Wild
http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WinBytes+(WIN%3ENews%3ENews)

Justin, there is also a Flash virus getting around, as I have had to fix 4 systems here last week
with a message that your Flash may need updating.
Have you seen any popups like this? If you have, it is a virus.
Once the message appears you can't open the web page fully until you close it.
In any browser, by the way.
Use this guide to remove it. Do a scan of your system using the ESET online scanner.
Remove "WARNING! Your Flash Player may be out of date" virus
http://malwaretips.com/blogs/warning-your-flash-player-may-be-out-of-date-virus/
I also had to replace our router before finally getting rid of it.
We all have Windows 7 here and use Chrome.
Thought you might appreciate that information.
Regards, Merete
0
 
LVL 65

Accepted Solution

by:
btan earned 1200 total points
ID: 40031738
The bat file surfaces the success or failure message, but please refer to the article below, as for 64-bit machines the bat file may not be sufficient.

http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/

32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt.  Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.

Verifying via GPO may not be 100% reliable or straightforward to ascertain. regsvr32 has error codes as in http://support.microsoft.com/kb/249873/en-us, but it is best to assign someone to verify that it is done - trust but verify...
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 400 total points
ID: 40032067
Probably the easiest way to verify if VGX.DLL has been Unregistered is to ascertain what the Unregister command actually removes from the registry, and check for the removed registry value(s) or key(s) after unregistering VGX.DLL.

- Export the registry to a "vgx_before.reg" file, then run the regsvr32 -u command.
- Export the registry to a "vgx_after.reg" file.
- Compare the two to ascertain the differences using a program that compares the two files side-by-side with colour-coded differences.

There is a freeware program named "ExamDiff Visual File Comparison Tool" by PrestoSoft which works OK, but I use a better retail tool named "Beyond Compare" by Scooter Software for this type of thing.  There is a "Pro" Retail version of ExamDiff that is probably more powerful than the free version or trial version of the pro, but I have only ever used the free one.
The free version of ExamDiff was last updated on October 1, 2011 as Version 1.9:
http://www.prestosoft.com/edp_examdiff.asp
There are no doubt other programs that do the same thing.

The comparison should find a couple of registry keys that will have been removed after Unregistering the DLL, and you could use the REG QUERY command to test for the existence of one or more keys or values after deploying your mitigation.

On Windows XP SP3 with IE8 and all current updates I have:
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version 8.00.6001.23580 (longhorn_ie8_ldr.140222-1715)
The following registry keys are removed when I run the regsvr32 -u command:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

Here are the contents of these keys prior to Unregistering VGX.DLL from my system, in case you wanted to test for a particular Value rather than Key, but be aware that different versions of VGX.DLL may create additional or differently named keys on different operating systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]
@=hex(2):25,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,00,50,00,72,00,6f,00,67,00,72,\
  00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,4d,00,69,00,63,00,\
  72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,\
  00,5c,00,56,00,47,00,58,00,5c,00,76,00,67,00,78,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\ProgID]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\VersionIndependentProgID]
@="PeerDraw.PeerDraw"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw\CurVer]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1\CLSID]
@="{10072CEC-8CC1-11D1-986E-00A0C955B42E}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
"IE"="8.0000"
"VML"="1.0"
"Skype"="6.14.104"


I hope this helps.
0
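One way to do the REG QUERY-style check BillDL suggests, as an added example that is not part of any answer in this thread: a PowerShell startup script that tests for the keys listed above and writes the result to a central share, so you can see per machine whether the GPO batch file took effect. The share path, the WOW6432Node path for the 32-bit registry view on 64-bit Windows, and the key names (taken from BillDL's XP/IE8 export) are assumptions; confirm the key names against your own before/after export first.

```powershell
# Added example, not from the thread: report whether vgx.dll is still
# registered on this machine, using the keys BillDL listed above.
# Assumptions: those key names apply to your vgx.dll version; the WOW6432Node
# path is the 32-bit registry view on 64-bit Windows; $LogShare is a
# hypothetical UNC path that Domain Computers can write to (startup scripts
# run as SYSTEM, i.e. as the computer account).
$LogShare = '\\fileserver\vgxcheck$'
$Clsid    = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'

# Keys that regsvr32 -u removes; any that still exist mean vgx.dll is registered.
$KeysToCheck = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    'HKLM:\SOFTWARE\Classes\PeerDraw.PeerDraw',
    "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid"   # 32-bit view, x64 only
)

$results = @()
foreach ($key in $KeysToCheck) {
    $results += New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Item     = $key
        Present  = (Test-Path -LiteralPath $key)
    }
}

# BillDL saw the whole "Version Vector" key go on his XP system; testing for the
# "VML" value covers both that case and one where only the value is removed.
$vvPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Version Vector'
$vv = Get-ItemProperty -Path $vvPath -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Item     = "$vvPath\VML"
    Present  = ($vv -ne $null -and $vv.VML -ne $null)
}

# Verdict: mitigated only if none of the registration artefacts remain.
$stillRegistered = @($results | Where-Object { $_.Present })
$status = if ($stillRegistered.Count -eq 0) { 'UNREGISTERED' } else { 'STILL REGISTERED' }

# One summary line per machine in a shared log, plus per-key detail as CSV,
# so machines where the GPO script did not take effect can be found quickly.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path (Join-Path $LogShare 'vgx-status.log') -Value "$stamp`t$env:COMPUTERNAME`t$status"
$results | Select-Object Computer, Item, Present |
    Export-Csv -Path (Join-Path $LogShare "$env:COMPUTERNAME.csv") -NoTypeInformation
```

Run it as a second startup script ordered after the mitigation batch file; the per-machine CSV is the reliable artefact, since many machines appending to one shared log at boot can occasionally collide.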
 
LVL 65

Expert Comment

by:btan
ID: 40032127
Also, it is best to test on both 32-bit and 64-bit machines when this vgx workaround is applied, as potentially software (if any) that redistributes vgx.dll may fail to install or even run. Hence, if so, based on the error experienced or on application errors in the event log, this workaround likely needs to (or must) be reverted to the previous configuration for vgx.dll.

https://technet.microsoft.com/library/security/2963983#ID0EEEAC
0
 
LVL 38

Expert Comment

by:BillDL
ID: 40034055
Thank you Justin
0
