Windows 98 and MSIE VML exploit


98 Guy

Is there any hard evidence that vgx.dll for Win-98 (when used in
conjunction with IE-6) is vulnerable to the currently circulating
exploit?

I know that Win-98 is mentioned in various laundry lists, but I'm
looking for a statement along the lines of "Win-98 has been tested and
has been confirmed to be vulnerable". I don't expect any such
statement to come from Meekro$haft, but some third party expert or
analyst might.

Background:

http://www.counterpane.com/exploit-MSIE_Zero-Day_VML.html

Work-around (this should work for Win-98 and remove the vulnerability
if indeed it does exist):


----------

Click Start, click Run, then type

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

and then click OK.

A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do
so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps.

Replace the text in Step 1 with regsvr32
"%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

-----------


Origin of this exploit:

ISP HostGator had its servers hacked last week to spread the VML
exploit. HostGator says hackers compromised its servers using a
previously unknown security hole in cPanel, the control panel software
that is ->widely used by hosting providers<-. "I can tell you with all
accuracy that this is definitely due to a cPanel exploit that provides
root access and all cPanel servers are affected," said HostGator
system administrator Tim Greer. "This issue affects all versions of
cPanel, from what I can tell, from years ago to the current releases,
including Stable, Release, Current and Edge."

Hackers have hijacked a large number of sites at web hosting firm
HostGator and are seeking to plant trojans on computers of unwitting
visitors to customer sites. HostGator customers report that attackers
are redirecting their sites to outside web pages that use the
unpatched VML exploit in Internet Explorer to install trojans on
computers of users. Site owners said iframe code inserted into their
web pages was redirecting users to the malware-laden pages.

HostGator general manager Jason Muni told Security Fix that attackers
had "reconfigured an unknown number of Web sites hosted on the
company's servers to redirect visitors to a third-party Web site that
tried to load the IE exploit." Muni said the company reconfigured all
of its 200 servers to address the problem. But as of 5:30 pm EST
Friday, some HostGator customers were continuing to report that their
sites were compromised and redirecting visitors, indicating the
problems were ongoing.

(so much for "safe hex")

-------------

Can someone comment as to the use or popularity of VML on the
internet? Say, for example, for "mission critical" web uses such as
to buy tickets, web-banking, etc.

Also, wouldn't any browser call vgx.dll when presented with an XML
file or code?

I did a search of my IE cache to look for any files with the
occurrence of the string ".vml" (but found nothing). Same with
looking for any file with .VML extension. Perhaps that is not the
correct way to look for VML code (and if not, what is?).

How can the internet be searched for content that contains references
to VML files or contains VML code?
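
An added example, not part of the original post: VML is normally embedded inline in an HTML page rather than served as a separate .vml file, so a cache search has to look for the VML namespace, the `#default#VML` behavior binding and prefixed elements such as `<v:rect>`. The function names and the sample pages are constructed for illustration.

```python
import re
from pathlib import Path

NS = rb"urn:schemas-microsoft-com:vml"
NAMESPACE_RE = re.compile(NS, re.I)
# xmlns:v="urn:schemas-microsoft-com:vml" declares which tag prefix carries VML.
PREFIX_RE = re.compile(rb"xmlns:([A-Za-z_][\w-]*)\s*=\s*[\"']" + NS + rb"[\"']", re.I)
# v\:* { behavior: url(#default#VML); } binds the VML renderer to that prefix.
BEHAVIOR_RE = re.compile(rb"behavior\s*:\s*url\(\s*#default#VML\s*\)", re.I)


def scan_bytes(data: bytes) -> dict:
    """Report the VML markers present in one cached page."""
    prefixes = {m.group(1).lower() for m in PREFIX_RE.finditer(data)}
    behavior = bool(BEHAVIOR_RE.search(data))
    if behavior and not prefixes:
        prefixes = {b"v"}  # assumption: the conventional prefix when xmlns is absent
    elements = set()
    for prefix in prefixes:
        tag_re = re.compile(rb"<" + re.escape(prefix) + rb":([A-Za-z]+)", re.I)
        elements.update(m.group(1).lower().decode("ascii") for m in tag_re.finditer(data))
    return {
        "namespace": bool(NAMESPACE_RE.search(data)),
        "behavior": behavior,
        "elements": sorted(elements),
    }


def has_vml(report: dict) -> bool:
    """True when any VML marker was found."""
    return report["namespace"] or report["behavior"] or bool(report["elements"])


def scan_tree(root) -> dict:
    """Scan every file under root; return {relative path: report} for VML pages."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            report = scan_bytes(path.read_bytes())
        except OSError:
            continue  # locked or unreadable cache entry
        if has_vml(report):
            hits[path.relative_to(root).as_posix()] = report
    return hits


# Constructed sample pages: one with inline VML, one that only mentions ".vml".
SAMPLE_VML = b"""<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:100px;height:50px"><v:fill color="red"/></v:rect></body></html>"""
SAMPLE_PLAIN = b"<html><body><a href='notes.vml.txt'>.vml is only a file name here</a></body></html>"

if __name__ == "__main__":
    import sys
    # Pass the cache folder (for example the Temporary Internet Files directory).
    for name, report in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, report)
```

The second sample shows why searching for the string ".vml" alone says little: it matches a file name but no VML markup.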
 

David H. Lipman

From: "98 Guy" (e-mail address removed)

|
| Is there any hard evidence that vgx.dll for Win-98 (when used in
| conjunction with IE-6) is vulnerable to the currently circulating
| exploit?
|
| I know that Win-98 is mentioned in various laundry lists, but I'm
| looking for a statement along the lines of "Win-98 has been tested and
| has been confirmed to be vulnerable". I don't expect any such
| statement to come from Meekro$haft, but some third party expert or
| analyst might.
|
| Background:
|
| http://www.counterpane.com/exploit-MSIE_Zero-Day_VML.html
|
| Work-around (this should work for Win-98 and remove the vulnerability
| if indeed it does exist):
|
| ----------
|
| Click Start, click Run, then type
|
| regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
|
| and then click OK.
|
| A dialog box appears to confirm that the un-registration process has
| succeeded. Click OK to close the dialog box.
|
| Impact of Workaround: Applications that render VML will no longer do
| so once Vgx.dll has been unregistered.
|
| To undo this change, re-register Vgx.dll by following the above steps.
|
| Replace the text in Step 1 with regsvr32
| "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
|
| -----------
|
| Origin of this exploit:
|
| ISP HostGator had its servers hacked last week to spread the VML
| exploit. HostGator says hackers compromised its servers using a
| previously unknown security hole in cPanel, the control panel software
| that is ->widely used by hosting providers<-. "I can tell you with all
| accuracy that this is definitely due to a cPanel exploit that provides
| root access and all cPanel servers are affected," said HostGator
| system administrator Tim Greer. "This issue affects all versions of
| cPanel, from what I can tell, from years ago to the current releases,
| including Stable, Release, Current and Edge."
|
| Hackers have hijacked a large number of sites at web hosting firm
| HostGator and are seeking to plant trojans on computers of unwitting
| visitors to customer sites. HostGator customers report that attackers
| are redirecting their sites to outside web pages that use the
| unpatched VML exploit in Internet Explorer to install trojans on
| computers of users. Site owners said iframe code inserted into their
| web pages was redirecting users to the malware-laden pages.
|
| HostGator general manager Jason Muni told Security Fix that attackers
| had "reconfigured an unknown number of Web sites hosted on the
| company's servers to redirect visitors to a third-party Web site that
| tried to load the IE exploit." Muni said the company reconfigured all
| of its 200 servers to address the problem. But as of 5:30 pm EST
| Friday, some HostGator customers were continuing to report that their
| sites were compromised and redirecting visitors, indicating the
| problems were ongoing.
|
| (so much for "safe hex")
|
| -------------
|
| Can someone comment as to the use or popularity of VML on the
| internet? Say, for example, for "mission critical" web uses such as
| to buy tickets, web-banking, etc.
|
| Also, wouldn't any browser call vgx.dll when presented with an XML
| file or code?
|
| I did a search of my IE cache to look for any files with the
| occurrence of the string ".vml" (but found nothing). Same with
| looking for any file with .VML extension. Perhaps that is not the
| correct way to look for VML code (and if not, what is?).
|
| How can the internet be searched for content that contains references
| to VML files or contains VML code?

Yes. It is an Internet Explorer problem and thus vulnerable.

As for unregistering the DLL under Win9x/ME...

%CommonProgramFiles% is an environmental variable not available under Win9x/ME.

You'll need the FULL path...

regsvr32 /u "C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL"
 

thanatoid

98 Guy said:
Is there any hard evidence that vgx.dll for Win-98 (when
used in conjunction with IE-6) is vulnerable to the
currently circulating exploit?

<SNIP>

I've seen some of your posts and you seem to be a pretty smart
guy. WHY do you insist on using IE? It's the most dangerous
piece of software in the world. Get Opera, move vgx.dll into a
"storage" directory in case something doesn't work without it,
and forget it.

I use Opera with 95B, don't even HAVE vgx.dll and everything
works just fine. Not to mention I NEVER have to get any updates
or patches.
 

Damian

thanatoid said:
<SNIP>

I've seen some of your posts and you seem to be a pretty smart
guy. WHY do you insist on using IE? It's the most dangerous
piece of software in the world. Get Opera, move vgx.dll into a
"storage" directory in case something doesn't work without it,
and forget it.

I use Opera with 95B, don't even HAVE vgx.dll and everything
works just fine. Not to mention I NEVER have to get any updates
or patches.

Maybe he, like millions of others need IE to access their Financial sites.
Instead of belittling people who use IE, just give your _opinion_ that you
think XX is better and shut up.
 

David H. Lipman

From: "Damian" (e-mail address removed)


|
| Maybe he, like millions of others need IE to access their Financial sites.
| Instead of belittling people who use IE, just give your _opinion_ that you
| think XX is better and shut up.
|

I agree here. There are MANY reasons why IE is required to access specific web sites.
Often, content is NOT the same with Opera, Firefox and others.
 

What's in a Name?

Damian AKA (e-mail address removed) in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:
Maybe he, like millions of others need IE to access their Financial
sites. Instead of belittling people who use IE, just give your
opinion that you think XX is better and shut up.

I don't know about all that. My bank's web site stated that IE is
needed but Firefox works just fine. The only reason for using IE may be
that the site uses Active X-I don't like that idea!

max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
nomail.afraid.org is setup specifically for use in USENET
Feel free to use it yourself.
 

chrisv

What's in a Name? said:
Damian AKA (e-mail address removed) in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:


I don't know about all that. My bank's web site stated that IE is
needed but Firefox works just fine. The only reason for using IE may
be that the site uses Active X-I don't like that idea!

Fine. My Bank site needs IE, and I'm not afraid of Active-X. You keep using
FF, I'll use IE.
 

98 Guy

People, can we stick to my questions for a minute?

Dave, yes thanks for correcting the syntax for unregistering vgx.dll
for 98.

But still -

> It is an Internet Explorer problem and thus vulnerable.

Isn't it more of a "vgx.dll" problem?

I want to know if the windows-98 version of vgx.dll has the same
vulnerability or exploitability as the NT/XP version.

I also want to know how everyone can be so sure that other browsers
aren't vulnerable. How is it known that Opera or Netscape doesn't
perform calls to vgx.dll? Are they known for not being able to handle
VML?

Lastly, can someone comment as to the popularity (or even necessity)
of VML? Where is it used? What will I be missing if I unregister
vgx.dll?

If you've browsed some sites with VML content, would you have .VML
files in your browser cache?
 

thanatoid

Maybe he, like millions of others need IE to access their
Financial sites. Instead of belittling people who use IE,
just give your _opinion_ that you think XX is better and
shut up.

I can access my bank JUST FINE with Opera. Research before you
speak.
Not to mention that what I wrote WAS my opinion. (I guess I was
not informed via the usual channels that I am now Supreme
Overlord of the Universe. Thanks for the promotion.)
 

thanatoid

From: "Damian" (e-mail address removed)


|
| Maybe he, like millions of others need IE to access their
| Financial sites. Instead of belittling people who use IE,
| just give your _opinion_ that you think XX is better and
| shut up.
|

I agree here. There are MANY reasons why IE is required to
access specific web sites. Often, content is NOT the same
with Opera, Firefox and others.

That, my little webloids, is because MS ignores most
international laws and standards (in this case, web site
construction conventions) and MS web-building software
(regrettably, used by MANY) puts in "special" code which makes
those sites appear "different" or "bad" depending on what other
browser one DARES to use other than IE. The real *content*,
depending on your definition of that, is still there regardless
of the browser.
 

Damian

thanatoid said:
I can access my bank JUST FINE with Opera. Research before you
speak.

Just because YOU leap before you look, don't assume everyone is as stupid as
you.
 

thanatoid

98 Guy said:
> People, can we stick to my questions for a minute?

NO!

> Isn't it more of a "vgx.dll" problem?

I have 98SE WITH IE5 installed (this 2nd computer is NOT
connected to the internet and I only installed IE to read .chm
help files) and it does not have vgx.dll. I would guess it
either came with IE6 or one of those "patch one problem, create
three new problems" updates.

Google to find out about the 8-year old VML standard submission
to w3.org.

To find out just how INCREDIBLY important a development it is,
see
http://www.grapl.com/vmlnotes/introduction/vml_and_svg_compared.htm

The vgx.dll problem was first discovered about 2 years ago. I
imagine that file affects the manner in which IE handles wml
objects which can allow a hacker - or Microsoft - to take over
your computer.

> I want to know if the windows-98 version of vgx.dll has the
> same vulnerability or exploitability as the NT/XP version.

Who the **** cares? If you're running IE, you're running the
biggest virus and trojan there is. You are defenseless. Period.

FWIW, it affects 98 and up with IE6SP1 which you would know if
you took the trouble to go to
www.microsoft.com/downloads/details.aspx?FamilyID=B0095851-674D-4357-868C-DD75D88405EC&displaylang=en

> I also want to know how everyone can be so sure that other
> browsers aren't vulnerable. How is it known that Opera or
> Netscape doesn't perform calls to vgx.dll? Are they known
> for not being able to handle VML?

As I said, I use Opera on Win 95B, do NOT have that file
ANYWHERE on my system (Opera DOES have a wml.css file) and
everything works just fine.

Maybe if you read up a bit on vector graphics you would
understand why this is basically totally pointless technology to
begin with, unless you are doing real-time advanced vector
graphics work for major corporations which have offices all over
the world. Even then, just sending zipped files to everyone
would be faster and better, IMO.

> Lastly, can someone comment as to the popularity (or even
> necessity) of VML? Where is it used? What will I be
> missing if I unregister vgx.dll?

See above.

> If you've browsed some sites with VML content, would you
> have .VML files in your browser cache?

IE stores EVERYTHING. There are browsers that store NOTHING
unless you tell them to. Take your pick.
 

What's in a Name?

thanatoid AKA (e-mail address removed) in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:
I can access my bank JUST FINE with Opera. Research before you
speak.
Not to mention that what I wrote WAS my opinion. (I guess I was
not informed via the usual channels that I am now Supreme
Overlord of the Universe. Thanks for the promotion.)

That's Supreme Chancellor of the Universe
(Overlord position is still open to nominations)

max
 

thanatoid

Just because YOU leap before you look, don't assume
everyone is as stupid as you.

I wasn't even going to reply to someone who is obviously
mentally impaired, but I will. Sigh.

You DO realize that:

a)
your comment makes NO sense at all (unless you live in the
Bizarro world)?

b)
that EVERYONE except the sheep who continue to use IE knows who
the stupid ones really are?
 

Dan

98 said:
People, can we stick to my questions for a minute?

Dave, yes thanks for correcting the syntax for unregistering vgx.dll
for 98.

But still -


Isn't it more of a "vgx.dll" problem?

I want to know if the windows-98 version of vgx.dll has the same
vulnerability or exploitability as the NT/XP version.

I also want to know how everyone can be so sure that other browsers
aren't vulnerable. How is it known that Opera or Netscape doesn't
perform calls to vgx.dll? Are they known for not being able to handle
VML?

Lastly, can someone comment as to the popularity (or even necessity)
of VML? Where is it used? What will I be missing if I unregister
vgx.dll?

If you've browsed some sites with VML content, would you have .VML
files in your browser cache?


Well, Internet Explorer in 98SE does not even have an option for
disabling binary and script behaviors like XP has so I doubt it is even
affected. Just to be on the safe side I am continuing to use Mozilla
Firefox on all three of my operating systems. (98SE, XP Pro. and
Windows Vista Ultimate 32 bit) In XP Pro. the binary and script
behaviors have been disabled in the Internet Options as a precaution in
my home computer and work computer and the word has gone out to disable
all binary and script behaviors on all work machines until a patch is
made available. Using an alternative browser such as Mozilla Firefox or
Opera just makes a lot more sense these days since then you don't have
to deal with the weakness of Microsoft's browser which seems a lot
weaker in security than the rest of the operating system.

Follow these steps:
Disable VML support

Microsoft Security Advisory (925568) suggests the following techniques to disable VML support:

* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone

the rest are common sense including not following unsolicited web links,
disabling active scripting, reading and sending email in plain text that
thankfully Gary S. Terhune, MVP has been a great fan of to help keep us
all safe, and finally classic is best of course and show all those files
boys and girls -- Configure Windows Explorer to use Windows Classic Folders


courtesy of > http://www.kb.cert.org/vuls/id/416092


Yet another recent highly critical advisory -- this one affects Active X
in Internet Explorer so use Mozilla Firefox as a solution and disable
binary and script behaviors in appropriate operating systems for
previous vulnerability like in XP.


Both of these vulnerabilities get the highest critical rating that
secunia gives which is extremely critical so play it
safe in Internet land.

Just to make things interesting ---- Apple has a recent highly critical
vulnerability with users using Airport -- see:

Mozilla Firefox -- open source joins the vulnerabilities also so make
sure you are using the latest version 1.5.0.7 or you are putting your
system at a highly critical risk


Finally, my field is having some action. Fantastic now I can see what
the mean people are up to and how they are trying to take over users'
systems. I don't want people's system(s) to be taken over but all these
critical advisories sure make things interesting when one focuses on the
security aspects of computers. Have a nice day and play it safe out
there everyone.

<information stored via text document and looking forward to responses>
 

98 Guy

thanatoid said:
Go to this link, read the article, and then keep on happily
using your browser of choice... (chortle).

That article contains NO NEW INFORMATION.

The question remains:

Does the Win-98 version of vgx.dll have the vulnerability?

Win-98se ships with a version of vgx.dll (5.00.2014.200) for which
there was at least one update (March 10, 2004) which is version
6.00.2800.1411.

Since nobody has mentioned the impact of disabling VML for general web
browsing (or even "mission critical" web use) then unregistering the
DLL (and deleting or renaming the file as well) should eliminate this
vulnerability.

And note that it's not just IE that's vulnerable. It's OE as well.

And note that Macro$haft is being its usual negligent self by not
releasing an out-of-sequence patch for this. Look for the patch in
October, after many XP systems have become infected. It's all part of
their smear campaign against XP to bolster public acceptance and
migration to Vista.
 
