Solved

zero day internet explorer mitigation

Posted on 2014-04-29
5
947 Views
Last Modified: 2014-05-01
I have added the code in the bottom of the link below to group policy to run as a startup script for all my computers.

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day

The script should unregister vgx.dll and mitigate the zero day exploit. However, it appears to work fine when I run it on my computer but I am unable to tell if it successfully unregistered the DLL via group policy.

How can I tell if the DLL was successfully unregistered when the group policy applied and the batch file ran?

Thanks,

Justin
0
Question by:JustinGSEIWI
5 Comments
 
LVL 69

Assisted Solution

by:Merete
Merete earned 100 total points
I can't say, trust!
Did you also use this?
Symantec has also provided a batch file that you can download to automate the command-line and you can get it here: Zero-Day Internet Explorer Vulnerability Let Loose in the Wild
http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

http://windowsitpro.com/security/symantec-provides-simple-batch-file-mitigate-internet-explorer-zero-day?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+WinBytes+(WIN%3ENews%3ENews)

Justin, there is also a Flash virus getting around, as I have had to fix 4 systems here last week
with a message that your Flash may need updating.
Have you seen any popups like this? If you have, it is a virus.
Once the message appears you can't open the web page fully until you close it.
In any browser, by the way.
Use this guide to remove it. Do a scan of your system using the ESET online scanner.
Remove "WARNING! Your Flash Player may be out of date" virus
http://malwaretips.com/blogs/warning-your-flash-player-may-be-out-of-date-virus/
I also had to replace our router before finally getting rid of it.
We all have Windows 7 here and use Chrome.
Thought you might appreciate that information.
Regards, Merete
0
 
LVL 61

Accepted Solution

by:
btan earned 300 total points
The bat file surfaces the success or failure message, but please refer to the article below, as for a 64-bit machine the bat file may not be sufficient.

http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/

32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt.  Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: http://www.vmlmaker.com/gallery/visio/office_layout.htm. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.

Verifying via GPO may not be 100% reliable or straightforward to ascertain. regsvr32 has error codes, as in http://support.microsoft.com/kb/249873/en-us, but it is best to assign someone to verify that it is done - trust but verify...
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 100 total points
Probably the easiest way to verify if VGX.DLL has been Unregistered is to ascertain what the Unregister command actually removes from the registry, and check for the removed registry value(s) or key(s) after unregistering VGX.DLL.

- Export the registry to a "vgx_before.reg" file, then run the regsvr32 -u command.
- Export the registry to a "vgx_after.reg" file.
- Compare the two to ascertain the differences using a program that compares the two files side by side with colour-coded differences.

There is a freeware program named "ExamDiff Visual File Comparison Tool" by PrestoSoft which works OK, but I use a better retail tool named "Beyond Compare" by Scooter Software for this type of thing.  There is a "Pro" Retail version of ExamDiff that is probably more powerful than the free version or trial version of the pro, but I have only ever used the free one.
The free version of ExamDiff was last updated on October 1, 2011 as Version 1.9:
http://www.prestosoft.com/edp_examdiff.asp
There are no doubt other programs that do the same thing.

The comparison should find a couple of registry keys that will have been removed after Unregistering the DLL, and you could use the REG QUERY command to test for the existence of one or more keys or values after deploying your mitigation.

On Windows XP SP3 with IE8 and all current updates I have:
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version 8.00.6001.23580 (longhorn_ie8_ldr.140222-1715)
The following registry keys are removed when I run the regsvr32 -u command:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

Here are the contents of these keys prior to Unregistering VGX.DLL from my system, in case you wanted to test for a particular Value rather than Key, but be aware that different versions of VGX.DLL may create additional or differently named keys on different operating systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]
@=hex(2):25,00,43,00,6f,00,6d,00,6d,00,6f,00,6e,00,50,00,72,00,6f,00,67,00,72,\
  00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,4d,00,69,00,63,00,\
  72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,68,00,61,00,72,00,65,00,64,\
  00,5c,00,56,00,47,00,58,00,5c,00,76,00,67,00,78,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\ProgID]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\VersionIndependentProgID]
@="PeerDraw.PeerDraw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw\CurVer]
@="PeerDraw.PeerDraw.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PeerDraw.PeerDraw.1\CLSID]
@="{10072CEC-8CC1-11D1-986E-00A0C955B42E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
"IE"="8.0000"
"VML"="1.0"
"Skype"="6.14.104"

I hope this helps.
0
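One way to combine the two checks suggested in this thread (the regsvr32 exit code from the accepted answer and the REG QUERY-style key check from BillDL's answer) in a single GPO startup script that writes its result to a log, since a startup script has no console to show regsvr32's message box. This is an added example, not the thread's or Symantec's batch file; the log path is assumed, as is the Wow6432Node location of the 32-bit CLSID registration on 64-bit Windows.

```powershell
# Assumed log location; startup scripts run as SYSTEM, so %SystemRoot%\Temp is writable.
$Log   = Join-Path $env:SystemRoot 'Temp\vgx-mitigation.log'
# PeerDraw class ID that vgx.dll registers (taken from BillDL's before/after diff).
$Clsid = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'
# A 64-bit OS defines CommonProgramFiles(x86); a 32-bit OS does not.
$Is64  = Test-Path 'env:CommonProgramFiles(x86)'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $Log -Value $line
}

# On 64-bit systems both the 64-bit and the 32-bit copy must be unregistered.
$dlls = @("$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll")
if ($Is64) { $dlls += "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll" }

foreach ($dll in $dlls) {
    if (-not (Test-Path $dll)) { Write-Log "SKIP  $dll not present"; continue }
    # /s suppresses the message box, so the exit code is the only success signal left
    # (0 = success; non-zero values are listed in the KB249873 link in the accepted answer).
    # Start-Process -Wait is needed because regsvr32 is a GUI process and would otherwise
    # return before finishing.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/u /s `"$dll`"" -Wait -PassThru
    Write-Log ('regsvr32 /u exit code {0} for {1}' -f $p.ExitCode, $dll)
}

# Keys that DllUnregisterServer removes, per the registry diff in this thread.
# Assumption: the 32-bit DLL's CLSID on 64-bit Windows lives under Wow6432Node.
$keys = @("HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
          'HKLM:\SOFTWARE\Classes\PeerDraw.PeerDraw')
if ($Is64) { $keys += "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid" }

$stillPresent = @($keys | Where-Object { Test-Path $_ })
if ($stillPresent.Count -gt 0) {
    $stillPresent | ForEach-Object { Write-Log "FAIL  key still present: $_" }
    exit 1    # non-zero so the failure is visible in the GPO script processing events
}
Write-Log 'OK    vgx.dll unregistered (PeerDraw CLSID and ProgID keys are absent)'
exit 0
```

Collecting the per-machine log files (or running only the key-check part remotely) gives the fleet-wide answer the question asks for, instead of relying on each machine's regsvr32 dialog.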
 
LVL 61

Expert Comment

by:btan
Also best to test on 32-bit and 64-bit machines such that, if this vgx workaround is applied, software (if any) that redistributes vgx.dll may potentially fail to install or even run. Hence, if so, judging from the error experienced or from application errors in the event log, this workaround likely needs to (or must) be reverted to the previous configuration for vgx.dll.

https://technet.microsoft.com/library/security/2963983#ID0EEEAC
0
 
LVL 38

Expert Comment

by:BillDL
Thank you Justin
0
