
Microsoft Issues Emergency Patch for IE Flaw

Microsoft Corp. today issued a security update to fix a serious flaw in its Internet Explorer browser -- a flaw that hackers have been exploiting to install spyware on vulnerable computers.

Microsoft is issuing the update outside of its monthly patch cycle in part because researchers have detected a large number of Web sites created by hackers to exploit the vulnerability. Microsoft no doubt also was prodded by the release of an unofficial third-party patch late last week from a group of security experts concerned about the prospect of tens of millions of IE users cruising the Web without any protection against this attack.

Update, 4:21 p.m. ET: A link to the patch and advisory is now live. The headline and intro for this post also were changed to reflect that. Also, it's worth noting, Microsoft is advising anyone who has already unregistered or deactivated the offending piece of code (as per Security Fix's previous advice) to re-activate those components before applying this patch. If you previously deactivated the flawed IE component, one easy way to bring it back is by following these instructions. According to Redmond, reactivating the flawed component before applying this patch "is very important because if you do not revoke the VGX.DLL changes, the update could fail to install or deploy."

If you followed our tips on deactivating the VGX.dll system file, do the following before applying this patch:

1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up.

2) Cut and paste the following into that box: regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
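As an added example (not part of the original post), the same re-registration as a script that first checks whether the VML component is actually registered, so you can confirm the state before applying MS06-055. It uses the %CommonProgramFiles% variable (which a later comment recommends for localized Windows installs) and matches on the DLL name rather than a hard-coded CLSID; the function names are mine, and it assumes an elevated prompt.

```powershell
# Added example: verify and restore vgx.dll registration before MS06-055.
# $env:CommonProgramFiles resolves correctly on localized Windows, unlike a
# hard-coded "%ProgramFiles%\Common Files" path.
$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Test-VgxRegistered {
    # Scan HKCR\CLSID for any class whose InprocServer32 points at vgx.dll.
    # No CLSID is assumed; matching on the file name keeps this assumption-free.
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'vgx\.dll$') { $_.PSChildName }
        }
    return (@($hits).Count -gt 0)
}

function Get-VgxVersion {
    # File version of the installed vgx.dll, or $null if the file is missing.
    if (Test-Path -LiteralPath $VgxPath) {
        return (Get-Item -LiteralPath $VgxPath).VersionInfo.FileVersion
    }
    return $null
}

function Restore-VgxRegistration {
    if (-not (Test-Path -LiteralPath $VgxPath)) {
        throw "vgx.dll not found at $VgxPath (is IE installed, or CommonProgramFiles unset?)"
    }
    if (Test-VgxRegistered) {
        Write-Host "vgx.dll is already registered (version $(Get-VgxVersion)); safe to apply MS06-055."
        return
    }
    # /s = silent (no message box); regsvr32 returns non-zero on failure.
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList @('/s', "`"$VgxPath`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0 -or -not (Test-VgxRegistered)) {
        throw "regsvr32 failed (exit code $($proc.ExitCode)); fix this before applying the patch."
    }
    Write-Host "vgx.dll re-registered (version $(Get-VgxVersion)); apply MS06-055 now."
}

Restore-VgxRegistration
```

If you applied the ACL workaround instead of unregistering the DLL, that is a separate change and must also be undone before the patch, as the first comment below notes.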

By Brian Krebs |  September 26, 2006; 3:51 PM ET New Patches

Comments




I got the following link to the updated security bulletin from SANS:

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

There are links on that page to download the various versions of the patch (which I have just done for XP+SP2).

SANS (http://www.incidents.org/) also says that, if you applied the ACL mitigation, it needs to be undone before applying the patch. (This is not the same mitigation as unregistering the DLL.)

Posted by: Rich Gibbs | September 26, 2006 4:04 PM

I found Internet Explorer 7 Release Candidate 1 is NOT affected by this. It installs a newer version of the vgx.dll file, which is updated via this patch. Microsoft Update also indicates I do not need the update. I've been using IE7 all through the Beta versions and the Release Candidate is solid! The final release should be coming very soon (next month, Oct.). So, I guess you can take this as another fix. There are many more security enhancements in IE7. So, by all means test it out and seriously consider using it if you need to stay with IE. Thanks.

Posted by: TJ | September 26, 2006 6:47 PM

I know that Microsoft no longer "supports" my operating system, Windows 98 SE. But I use the now admittedly flawed IE 6. And because 98 SE is no longer supported I cannot patch the flaw on IE 6. Is there anything else I can do -- short of upgrading the OS or buying a new machine, neither of which are practical at the present time?

I can't imagine I'm alone in still using 98 SE (although an admittedly, increasingly shrinking number). But because of the flaw in IE 6 (and not the OS 98 SE!) my machine, and thousands of others, is at risk -- with the potential for the spread of harm to my own computer and all the others interconnected via the Internet.

Posted by: Bob | September 26, 2006 8:10 PM

FYI,
I visited Microsoft Update to see if the patch was there. I downloaded several patches but none were the emergency patch. It installed normally when I downloaded it.

For the record, my laptop is rarely connected to the internet so there are always patches I have to download when I connect to the net.

Posted by: mike | September 26, 2006 8:34 PM

What happens if you installed the patch before registering the DLL?

Posted by: Hans van Hutten | September 26, 2006 9:03 PM

Just use another browser, such as Firefox, Opera etc. Problem solved.

Posted by: Bob | September 26, 2006 9:22 PM

Took my Firefox to the Opera but the Fat Lady wouldn't sing because she noticed that my little red fox was also in serious need of patches on his little red ass.

IE (id est), Bob, Ei, Ei, Ei-O! While you whine about IE, someone will take you and your Macdonald's Farm.

If when and ever these alternative browsers ever begin to approach the level of acceptance that IE currently enjoys, then they, too, will experience increasing flaws and attacks. Scum bags only attack the leader, no matter what the endeavor might be. Learn this fundamental, Bob.

Posted by: Shorn Mutton | September 27, 2006 12:23 AM

I don't think it's clear enough on the Microsoft web site, or on any other web site discussing this issue, that IE 7 is not affected by this -- if that is indeed the case.

Rich Gibbs' post here is the first mention/confirmation that I've seen that clearly states that users of IE 7 are not affected.

Posted by: Robert | September 27, 2006 12:56 AM

Robert,

Microsoft does not include "Beta" or "Release Candidate" products in their security advisories. Thus, the reason you will not see IE7 mentioned yet. As I said, I've been using the IE7 betas and now the release candidate. When I went to Microsoft Update, it did not indicate I needed the VML patch. So, then I manually downloaded the VML patch for XP SP2, extracted its contents and compared it to the current vgx.dll file I already have. I also compared the file on an XP SP2 system that has never had IE7 installed on it (still running IE6) and the vgx.dll file was from 2004. From what I can gather, IE7 installed a new version of the vgx.dll file (as the date and time stamps match up to the time IE7 was installed). All in all, I may be wrong that IE7 is not vulnerable and Microsoft is implementing the latest patch into the final release of IE7.

Posted by: TJ | September 27, 2006 10:09 AM

People actually use Internet Explorer?

Use Firefox, please!

Posted by: User | September 27, 2006 11:07 AM

Brian, just FYI if you want it.

F-Secure has been advocating people register/un-register using the following instead:

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

because that works on localized/alternate language versions of windows as well (i.e. if you had the Korean version of windows installed, the just %ProgramFiles%\CommonFiles\ will be wrong).

I used the F-Secure version (different variable, that's all) to unregister and now re-register on my XP SP2 box (standard US version) and it worked fine. If you have any readers out there with non-English language versions . . .

Posted by: Doug W | September 27, 2006 11:26 AM

my computer not star

Posted by: john fredy | September 27, 2006 11:36 AM

My Windows OS is Millennium and I have IE6 SP1. This OS is no longer supported by Microsoft. Are my only alternatives to 1) upgrade to XP, or 2) switch to another browser - which seems to be the trend?

Posted by: Ed Meza | September 27, 2006 12:44 PM

To those with older operating systems:

Windows 9x and ME simply do not have the security design architecture in place when compared to today's modern operating systems, whether that is Windows XP, Mac OS X, or Linux. Specifically, the old OSes run ONLY as an "administrator," which regardless of the browser you use leaves your system wide open to attack.

Sure you can use another browser besides IE, but the real solution is to use a modern operating system with a non-administrator account! Along with that, a firewall, keep the system fully patched (including all software, not just the OS), and run Antivirus that updates DAILY! This will lower your risk dramatically and along with safe computing practices will keep you relatively safe from the malware out there.

I wish it were easier than that. But there is no silver bullet fix. A computer is a powerful tool and with that power comes great responsibility.

Posted by: TJ | September 27, 2006 2:07 PM

I still don't understand why people even continue to use Internet Explorer on a regular basis. I noticed that Hotmail sometimes gets funky on other browsers and refuses to load properly, but that's just about the only issue with IE competitors that I had to deal with. I started using Firefox exclusively about two years ago and have never looked back.

Posted by: PoleStar | September 28, 2006 3:38 PM

Update: IE 7 is not affected by the VML issue as was posted today on the IEBlog at http://blogs.msdn.com/ie/archive/2006/09/29/777193.aspx

"I also want to mention that IE7 downlevel and IE7 on Vista ARE NOT affected by this vulnerability as a newer version of the control was released with IE7 Beta 2. With that said, I want to encourage you to please install the latest version of IE7 today or follow the links above to download the appropriate update to protect your systems."

Posted by: TJ | September 29, 2006 6:42 PM


© The Washington Post Company