Daily IT Matters, this is the place where I post my daily findings on IT.

Wednesday, September 20, 2006

Block VML Zero-Day Vuln on a domain

Block VML Zero-Day Vuln on a domain

By now hopefully you have heard about the latest Internet Explorer Zero-Day attack. This one is allegedly being exploited in the wild making it important to protect against it. As an indication of how urgent this is Microsoft, traditionally loath to block functionality in a work-around, even posted details on how to disable VML in their security advisory. Of course, using cacls to block the attack on a few thousand systems could get cumbersome. Microsoft is planning a fix in the October time-frame apparently, earlier if the rate of attacks picks up.

If you have a Windows Domain you can use Group Policy to block this attack much more easily than having to touch every system manually. With the help of my good friend Alun Jones I was able to produce two security templates that disable and enable, respectively, the dll that renders VML. Here is the one that disables it:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll",0,"D:AR(D;OICI;CCSWWPLORC;;;WD)"

And here is the template that re-enables it by removing the ACL on vgx.dll:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"

Save each of these templates to inf files called, respectively, DisableVML.inf and EnableVML.inf. Alternatively, just use the ones in the zip file attached to this post. Save the files in somewhere so you can access them from the system you use to edit your Group Policy objects (GPO). Then create new GPOs to disable and enable VML. You are going to need two different GPOs, one to apply the settings and another to remove them again. Obviously you will want only one active at a time. To create the GPO, take the following steps.
Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "DisableVML"
Right-click the GPO DisableVML and select "Edit..."
Expand "Computer Configuration:Windows Settings" and right-click on Security Settings. Select "Import Policy".
Find and select the "DisableVML.inf" file. If you used an existing GPO instead of creating a new one, also check the "Clear this database before importing" checkbox.
Close the GPO editor and go back to the GPMC
In the "Security Filtering" pane remove "Authenticated Users" and click Add...
Select the group "Domain Computers" or some other group that represents the computers to which you want to apply the policy.

That's all there really is to it. When the systems refresh their group policy next time they will automatically apply this GPO and block the attack. By default this happens each time they reboot or every 8 hours, whichever comes first. You can also force this refresh using "gpupdate /target:computer /force" if you have a way to do that.

If you create both of the GPOs now you save yourself a little bit of work later. You can create one to disable VML and one to enable it, and then disable the link for the one you do not want by right-clicking it in GPMC and selecting "Link enabled" as appropriate.

>>>>>
Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1


Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround however; the recommendation is to restart the system.

To un-register Vgx.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll " (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.


Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with “regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll” (without the quotation marks).

No comments:

Google