Solved

zero day internet explorer mitigation

Posted on 2014-04-29
Last Modified: 2014-05-01
I have added the code in the bottom of the link below to group policy to run as a startup script for all my computers.

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day

The script should unregister vgx.dll and mitigate the zero day exploit. However, it appears to work fine when I run it on my computer but I am unable to tell if it successfully unregistered the DLL via group policy.

How can I tell if the DLL was successfully unregistered when the group policy applied and the batch file ran?

Thanks,

Justin
Question by:JustinGSEIWI
5 Comments
 
LVL 70

Assisted Solution

by:Merete
Merete earned 400 total points
ID: 40031701
I can't say, trust!
Did you also use this
Symantec has also provided a batch file that you can download to automate the command-line and you can get it here: Zero-Day Internet Explorer Vulnerability Let Loose in the Wild
http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WinBytes+(WIN%3ENews%3ENews)

Justin, there is also a Flash virus getting around, as I have had to fix 4 systems here last week
with a message that your Flash may need updating.
Have you seen any popups like this? If you have, it is a virus.
Once the message appears you can't open the web page fully until you close it.
In any browser, by the way.
Use this guide to remove it. Do a scan of your system using the ESET online scanner.
Remove "WARNING! Your Flash Player may be out of date" virus
http://malwaretips.com/blogs/warning-your-flash-player-may-be-out-of-date-virus/
I also had to replace our router before finally getting rid of it.
We all have Windows 7 here and use Chrome.
Thought you might appreciate that information.
Regards, Merete
LVL 65

Accepted Solution

by:btan
btan earned 1200 total points
ID: 40031738
The bat file surfaces the success or failure message, but please refer to the article below, as for 64-bit machines the bat file may not be sufficient:

http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/

32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt.  Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.

Verifying via GPO may not be 100% reliable or straightforward. regsvr32 has error codes, as in http://support.microsoft.com/kb/249873/en-us, but it is best to assign someone to verify that it is done - trust but verify...
LVL 39

Assisted Solution

by:BillDL
BillDL earned 400 total points
ID: 40032067
Probably the easiest way to verify if VGX.DLL has been Unregistered is to ascertain what the Unregister command actually removes from the registry, and check for the removed registry value(s) or key(s) after unregistering VGX.DLL.

- Export the registry to a "vgx_before.reg" file, then run the regsvr32 -u command.
- Export the registry to a "vgx_after.reg" file.
- Compare the two to ascertain the differences using a program that compares the two files side-by-side with colour-coded differences.

There is a freeware program named "ExamDiff Visual File Comparison Tool" by PrestoSoft which works OK, but I use a better retail tool named "Beyond Compare" by Scooter Software for this type of thing.  There is a "Pro" Retail version of ExamDiff that is probably more powerful than the free version or trial version of the pro, but I have only ever used the free one.
The free version of ExamDiff was last updated on October 1, 2011 as Version 1.9:
http://www.prestosoft.com/edp_examdiff.asp
There are no doubt other programs that do the same thing.

The comparison should find a couple of registry keys that will have been removed after Unregistering the DLL, and you could use the REG QUERY command to test for the existence of one or more keys or values after deploying your mitigation.

On Windows XP SP3 with IE8 and all current updates I have:
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version 8.00.6001.23580 (longhorn_ie8_ldr.140222-1715)
The following registry keys are removed when I run the regsvr32 -u command:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

Here are the contents of these keys prior to Unregistering VGX.DLL from my system, in case you wanted to test for a particular Value rather than Key, but be aware that different versions of VGX.DLL may create additional or differently named keys on different operating systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]
@=hex(2):25,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,00,50,00,72,00,6f,00,67,00,72,\
  00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,4d,00,69,00,63,00,\
  72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,\
  00,5c,00,56,00,47,00,58,00,5c,00,76,00,67,00,78,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\ProgID]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\VersionIndependentProgID]
@="PeerDraw.PeerDraw"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw\CurVer]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1\CLSID]
@="{10072CEC-8CC1-11D1-986E-00A0C955B42E}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
"IE"="8.0000"
"VML"="1.0"
"Skype"="6.14.104"


I hope this helps.
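btan's point that a GPO-deployed batch file gives you no feedback, and BillDL's suggestion of testing for the registry keys that regsvr32 -u removes, can be combined into one startup script that checks the machine's state, applies the unregister only where still needed, and writes a one-line result per computer to a central share. The script below is an added example and is not from any poster in this thread or from Symantec's batch file. It assumes PowerShell 3.0 or later on the clients, that `\\SERVER\vgxlog$` is a placeholder you replace with a share the computer account can write to, and that on 64-bit Windows the 32-bit vgx.dll registers its class under `HKLM\SOFTWARE\Classes\Wow6432Node\CLSID` (standard WOW64 registry redirection; the thread only shows the 32-bit XP export). The CLSID and DLL paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread): verify the vgx.dll mitigation on the
# local machine and append a one-line result to a central log, so that
# GPO-applied runs can be audited without visiting each PC.
# Assumptions: PowerShell 3.0+, $LogShare is a placeholder to replace,
# Wow6432Node path is where the 32-bit DLL registers on 64-bit Windows.

$Clsid    = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'   # PeerDraw class, from BillDL's export
$LogShare = '\\SERVER\vgxlog$'                          # placeholder: your own writable share

# Keys that regsvr32 -u removes (from BillDL's before/after comparison),
# plus the assumed WOW64 location of the 32-bit copy on a 64-bit OS.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid",
    'HKLM:\SOFTWARE\Classes\PeerDraw.PeerDraw'
)

# DLL locations from the thread: one copy on 32-bit, two on 64-bit.
$DllPaths = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
if (${env:CommonProgramFiles(x86)}) {
    $DllPaths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}

function Get-VgxState {
    # Snapshot: which registration keys still exist and which DLL copies are on disk.
    $present = @($KeyPaths | Where-Object { Test-Path -LiteralPath $_ })
    $dlls = @($DllPaths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
        '{0}={1}' -f $_, (Get-Item -LiteralPath $_).VersionInfo.FileVersion
    })
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Time         = Get-Date -Format s
        Unregistered = ($present.Count -eq 0)
        KeysPresent  = ($present -join ';')
        Dlls         = ($dlls -join ';')
    }
}

function Invoke-VgxRegsvr32 {
    # Runs regsvr32 silently for each DLL copy. -Unregister applies the
    # mitigation; without it the DLL is re-registered (btan's revert case).
    # Exit code 0 means success; other codes are listed in KB249873.
    param([switch]$Unregister)
    $flags = @('/s')
    if ($Unregister) { $flags += '/u' }
    foreach ($dll in $DllPaths) {
        if (-not (Test-Path -LiteralPath $dll)) { continue }
        $p = Start-Process -FilePath regsvr32.exe -ArgumentList ($flags + "`"$dll`"") -Wait -PassThru
        [pscustomobject]@{ Dll = $dll; ExitCode = $p.ExitCode }
    }
}

# Main flow: check, unregister only if still registered, re-check, log.
$before = Get-VgxState
$codes  = @()
if (-not $before.Unregistered) {
    $codes = Invoke-VgxRegsvr32 -Unregister | ForEach-Object { "$($_.Dll):$($_.ExitCode)" }
}
$after = Get-VgxState
$result = [pscustomobject]@{
    Computer      = $after.Computer
    Time          = $after.Time
    WasRegistered = -not $before.Unregistered
    Regsvr32      = ($codes -join ';')
    Unregistered  = $after.Unregistered
    KeysPresent   = $after.KeysPresent
    Dlls          = $after.Dlls
}
$result | Export-Csv -Path (Join-Path $LogShare "$env:COMPUTERNAME.csv") -NoTypeInformation -Append
$result   # also shown on the console when run interactively
```

Deploy it as a GPO startup script with `powershell.exe -ExecutionPolicy Bypass -File \\domain\netlogon\vgx-check.ps1` so it runs as SYSTEM before any user logs on; a machine whose CSV line shows `Unregistered` as `False`, or a non-zero regsvr32 exit code, is the one to follow up on by hand. If btan's follow-up applies and some application that ships vgx.dll breaks, running `Invoke-VgxRegsvr32` without `-Unregister` re-registers both copies. The same presence test in plain batch is BillDL's `REG QUERY "HKLM\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}"`, which sets ERRORLEVEL 1 when the key is gone.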
LVL 65

Expert Comment

by:btan
ID: 40032127
Also best to test on both 32-bit and 64-bit machines, because if this vgx workaround is applied, software (if any) that redistributes vgx.dll may potentially fail to install or even run. Hence, if so, based on the error experienced or on application errors in the event log, this workaround will likely need to (or must) be reverted to the previous configuration for vgx.dll.

https://technet.microsoft.com/library/security/2963983#ID0EEEAC
LVL 39

Expert Comment

by:BillDL
ID: 40034055
Thank you Justin