zero day internet explorer mitigation

Posted on 2014-04-29
Last Modified: 2014-05-01
I have added the code in the bottom of the link below to group policy to run as a startup script for all my computers.

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day

The script should unregister vgx.dll and mitigate the zero-day exploit. It appears to work fine when I run it on my computer, but I am unable to tell whether it successfully unregistered the DLL via group policy.

How can I tell if the DLL was successfully unregistered when the group policy applied and the batch file ran?

Thanks,

Justin
Question by:JustinGSEIWI

Assisted Solution

by:Merete
ID: 40031701
I can't say, trust!
Did you also use this?
Symantec has also provided a batch file that you can download to automate the command line, and you can get it here: Zero-Day Internet Explorer Vulnerability Let Loose in the Wild
http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WinBytes+(WIN%3ENews%3ENews)

Justin, there is also a Flash virus getting around, as I have had to fix 4 systems here last week
with a message that your Flash may need updating.
Have you seen any popups like this? If you have, it is a virus.
Once the message appears you can't open the web page fully until you close it.
In any browser, by the way.
Use this guide to remove it. Do a scan of your system using the ESET online scanner.
Remove "WARNING! Your Flash Player may be out of date" virus
http://malwaretips.com/blogs/warning-your-flash-player-may-be-out-of-date-virus/
I also had to replace our router before finally getting rid of it.
We all have Windows 7 here and use Chrome.
Thought you might appreciate that information.
Regards, Merete
Accepted Solution

by:btan
ID: 40031738
The bat file surfaces the success or failure message, but please refer to the article below, as for 64-bit machines the bat file may not be sufficient:

http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/

32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt.  Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.

Verifying via GPO may not be 100% reliable or straightforward. regsvr32 has error codes, as described in http://support.microsoft.com/kb/249873/en-us, but it is best to assign someone to verify that it is done - trust but verify...
Assisted Solution

by:BillDL
ID: 40032067
Probably the easiest way to verify whether VGX.DLL has been unregistered is to ascertain what the unregister command actually removes from the registry, and then check for the removed registry value(s) or key(s) after unregistering VGX.DLL.

- Export the registry to a "vgx_before.reg" file, then run the regsvr32 -u command.
- Export the registry to a "vgx_after.reg" file.
- Compare the two to ascertain the differences using a program that compares the two files side by side with colour-coded differences.

There is a freeware program named "ExamDiff Visual File Comparison Tool" by PrestoSoft which works OK, but I use a better retail tool named "Beyond Compare" by Scooter Software for this type of thing.  There is a "Pro" Retail version of ExamDiff that is probably more powerful than the free version or trial version of the pro, but I have only ever used the free one.
The free version of ExamDiff was last updated on October 1, 2011 as Version 1.9:
http://www.prestosoft.com/edp_examdiff.asp
There are no doubt other programs that do the same thing.

The comparison should find a couple of registry keys that will have been removed after Unregistering the DLL, and you could use the REG QUERY command to test for the existence of one or more keys or values after deploying your mitigation.

On Windows XP SP3 with IE8 and all current updates I have:
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version 8.00.6001.23580 (longhorn_ie8_ldr.140222-1715)
The following registry keys are removed when I run the regsvr32 -u command:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

Here are the contents of these keys prior to Unregistering VGX.DLL from my system, in case you wanted to test for a particular Value rather than Key, but be aware that different versions of VGX.DLL may create additional or differently named keys on different operating systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]
@=hex(2):25,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,00,50,00,72,00,6f,00,67,00,72,\
  00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,4d,00,69,00,63,00,\
  72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,\
  00,5c,00,56,00,47,00,58,00,5c,00,76,00,67,00,78,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\ProgID]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\VersionIndependentProgID]
@="PeerDraw.PeerDraw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw\CurVer]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1\CLSID]
@="{10072CEC-8CC1-11D1-986E-00A0C955B42E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
"IE"="8.0000"
"VML"="1.0"
"Skype"="6.14.104"

I hope this helps.
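Putting the two answers above together, here is an added example (not from this thread, Symantec or GRC) of a PowerShell startup script that does what the batch file does and also records the verification: it unregisters every copy of vgx.dll on the machine (one on 32-bit, two on 64-bit), keeps the regsvr32 exit code, confirms the result independently by testing for the PeerDraw CLSID key from the registry export above, and writes one line per computer to a central log. The log share name \\FILESERVER\vgxlog$, the per-computer file layout and the local fallback path are assumptions; the CLSID is the one from BillDL's export, and the Wow6432Node path is where 64-bit Windows keeps 32-bit COM registrations.

```powershell
# Added example, not code from the original thread, Symantec or GRC.
# GPO startup script: unregister vgx.dll, check the result, log it centrally.
# ASSUMPTION: \\FILESERVER\vgxlog$ exists and the computer accounts (startup
# scripts run as SYSTEM) have Modify rights on it. Adjust for your environment.
$LogShare = '\\FILESERVER\vgxlog$'
$LocalLog = Join-Path $env:SystemRoot 'Temp\vgx-mitigation.log'

# PeerDraw/VGX class ID taken from the registry export in BillDL's answer.
$Clsid = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'

# Candidate DLL locations. 32-bit Windows has only the first; 64-bit Windows
# has both and both must be unregistered, as the GRC article notes.
$Candidates = @(
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
)
if (${env:CommonProgramFiles(x86)}) {
    $Candidates += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}

# Keys that DllRegisterServer leaves behind: the native view, plus the
# Wow6432Node view that holds 32-bit registrations on 64-bit Windows.
$ClsidKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid"
)

# regsvr32 exit codes (KB 249873): 0 success, 1 invalid argument,
# 2 OleInitialize failed, 3 LoadLibrary failed, 4 GetProcAddress failed,
# 5 DllRegisterServer/DllUnregisterServer failed.
$Results = foreach ($dll in $Candidates) {
    if (-not (Test-Path -LiteralPath $dll)) {
        "$dll=absent"
        continue
    }
    # /s keeps regsvr32 silent so a startup script never blocks on a dialog.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                       -ArgumentList '/s', '/u', "`"$dll`"" `
                       -Wait -PassThru -WindowStyle Hidden
    "$dll=exit$($p.ExitCode)"
}

# Independent check: the exit code says what regsvr32 thinks happened, the
# registry says what is actually registered now.
$Remaining = @($ClsidKeys | Where-Object { Test-Path -LiteralPath $_ })
$State = if ($Remaining.Count -gt 0) { 'STILL_REGISTERED' } else { 'UNREGISTERED' }

$Line = '{0},{1},{2},{3},{4}' -f (Get-Date -Format s), $env:COMPUTERNAME, $State,
        ($Results -join ';'), ($Remaining -join ';')

# One file per computer avoids write contention on the share; if the share
# is unreachable at boot, keep the evidence locally instead of losing it.
try {
    Set-Content -LiteralPath (Join-Path $LogShare "$env:COMPUTERNAME.txt") `
                -Value $Line -ErrorAction Stop
} catch {
    Add-Content -LiteralPath $LocalLog -Value $Line
}
```

Deploy it as the GPO startup script in place of the batch file (PowerShell scripts are added under Computer Configuration > Policies > Windows Settings > Scripts). The registry test is the part that answers the original question: it does not depend on the exit code, so the same Test-Path (or REG QUERY on the same key) can also be run later, on its own, to see whether something has since re-registered vgx.dll on a machine that previously reported UNREGISTERED.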
Expert Comment

by:btan
ID: 40032127
Also, it is best to test on both 32-bit and 64-bit machines when this vgx workaround is applied, as software (if any) that redistributes vgx.dll may potentially fail to install or even run. Hence, if so, based on the error experienced or on application errors in the event log, this workaround likely needs to (or must) be reverted to the previous configuration for vgx.dll.

https://technet.microsoft.com/library/security/2963983#ID0EEEAC
Expert Comment

by:BillDL
ID: 40034055
Thank you Justin