
VML FUD FAQ

September 23, 2006

Sorry. I couldn't resist composing a headline entirely out of acronyms. VML = Vector Markup Language. FUD = Fear, Uncertainty, and Doubt. And FAQ = Frequently Asked Questions. Since there's a lot of misinformation being disseminated around the recently discovered VML vulnerability, here's an attempt to address those misconceptions and alleviate some of the fears.

Rumor: The VML flaw is similar in scope to the WMF flaw.


Truth: Not even close. The WMF flaw was far more serious because at the time there were no feasible workarounds to stop the exploit. It was this lack of a suitable workaround for the WMF flaw which prompted IDA Pro genius Ilfak Guilfanov to create a third-party patch to plug the hole until Microsoft released their own patch.

Rumor: If the Ilfak patch for the WMF flaw was good, a third-party patch for the VML flaw must also be good.
Truth: Not even close. Unlike with the WMF flaw, there is a perfectly viable workaround for the VML vulnerability - unregistering vgx.dll. This has no unintended side effects on the normal operation of the system (which was not the case with the dll involved in the WMF flaw). All that will happen is that any graphics rendered in VML will not display. It's very unlikely most users will ever even encounter this. As described in Wikipedia, VML was "rejected as a standard by the W3C, and largely ignored by developers." In other words, almost no one uses it. To unregister vgx.dll:

1. Click Start
2. Click Run
3. Type the following: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
4. Click OK
Rumor: Domain admins need a third-party patch because they have so many machines to manage.
Truth: Deploying any patch is costly to companies; deploying an unsupported third-party patch is both costly and risky. But that doesn't mean domain admins are left out in the cold. Jesper Johansson, Principal Security Program Manager at Amazon.com and former Senior Security Strategist at Microsoft, has posted several viable options for unregistering vgx.dll domain-wide. (Jesper is also co-author of the popular "Protect Your Windows Network" book.)
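
One way to script the unregister step for unattended deployment, for example as a machine startup script (an added example, not from the original post and not one of the options Jesper Johansson posted). It assumes the script runs with administrative rights; the log file path is hypothetical, and the second call covers the 32-bit copy of vgx.dll that 64-bit Windows keeps under %ProgramFiles(x86)%.

```bat
@echo off
rem Added example: silently unregister vgx.dll and log the outcome per machine.
rem Assumptions: administrative rights; LOG is a hypothetical path.
setlocal
set "LOG=%SystemRoot%\Temp\vgx-unregister.log"

rem Native copy: the same path used in the manual steps.
call :unreg "%SystemRoot%\System32\regsvr32.exe" "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

rem 64-bit Windows only: 32-bit Internet Explorer loads its own copy of the DLL,
rem so unregister that one with the 32-bit regsvr32 as well.
if defined ProgramFiles(x86) call :unreg "%SystemRoot%\SysWOW64\regsvr32.exe" "%ProgramFiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll"
exit /b 0

rem :unreg <regsvr32 path> <dll path>
rem goto is used instead of ( ) blocks because the "(x86)" in the path
rem would otherwise close a parenthesized block early.
:unreg
if not exist "%~2" goto :absent
rem /u = unregister, /s = silent (no dialog box, needed for unattended runs)
"%~1" /u /s "%~2"
if errorlevel 1 goto :failed
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% unregistered: "%~2"
exit /b 0

:absent
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% not present: "%~2"
exit /b 0

:failed
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% FAILED to unregister: "%~2"
exit /b 1
```

Running the same regsvr32 commands without /u re-registers the DLL once the supported Microsoft patch has been installed.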

Certainly the VML vulnerability should not be ignored, nor should you wait to take action until Microsoft releases a patch. According to Alex Eckelberry of Sunbelt Software, there have been several in-the-wild exploits of the VML vulnerability discovered.

So don't stick your head in the sand and hope it all just goes away. But don't panic either, and don't be in a rush to apply a third-party patch that really isn't necessary. Just unregister vgx.dll and apply the supported Microsoft patch when it becomes available.

Other links:
  • Microsoft Security Advisory 925568
  • Microsoft Security Response Center blog

Disclaimer: I work for Microsoft. This article, and all articles and opinions expressed on this site, are based entirely on my own independent research, and do not reflect the opinion of Microsoft.

