Microsoft clarifies workarounds for IE zero day

Summary: Advisory for IE vulnerability now clarifies role of Enhanced Protected Mode and VGX.DLL


Microsoft has updated their advisory for the recently-revealed zero day vulnerability in Internet Explorer to clarify workarounds.

The vulnerability, disclosed over the weekend, affects all versions of Internet Explorer, but the attacks observed in the wild affect only versions 9, 10 and 11. The vulnerability uses Adobe Flash as a vector.

One workaround is to use Enhanced Protected Mode, a feature of Internet Explorer 10 and 11 on 64-bit systems. The first version of the advisory was inaccurate as to the versions of IE for which the workaround was available.

The advisory now says that enabling it "...will help protect users of Internet Explorer 10 on Windows 7 for x64-based systems, Windows 8 for x64-based systems, and Windows RT, and Internet Explorer 11 on Windows 7 for x64-based systems, Windows 8.1 for x64-based systems, and Windows RT 8.1." EPM is enabled by default for the Modern UI (Metro) versions of IE, but not for the desktop versions.

Another workaround in the first advisory was to change the Access Control List (ACL) for one IE program file, VGX.DLL, the file description of which is "Vector Graphics Rendering (VML)."

The advisory now says to unregister the DLL with command lines included in the text of the advisory. This is just as effective as the ACL method, but easier to execute and undo. The advisory also provides advice for reversing the ACL method.

  • Just checked...

    mine was already turned on (W7).

    The blog also implies that IE for TIFKAM is unaffected, because it always runs in EPM mode.
    • EPM was already turned on for me in W7 too

      Users often find it puzzling that IT departments seem to like IE, but there are reasons. One is the ActiveX legacy, but I think almost everyone hopes that will go away. Another reason, though, and a good one, is that IE is easy to manage across an entire organisation.

      When news of this vulnerability was released, all IT managers had to do was enable Enhanced Protected Mode for their Windows domains, via Group Policy. GP pushes it to all the machines in the domain, and problem solved. This is one of the advantages of integrating the browser with the OS -- the OS-level security policies can be used to manage browser security as well.

      I don't know if my IT department turned EPM on via GP, or it was the default when some version of IE was installed (I think there were some versions where it was, and was carried over). Either way, though, my guess is that everyone in my org has it turned on (Firefox is also installed by default, so that's another option, but all browsers have vulnerabilities, so assuming Firefox is magically secure would be unwise).
  • The simplest thing is just to use another browser for a

    Couple of days. Why do people torture themselves with workarounds like regsvr32 that can cause other problems if you don't know what you're doing? Just switch for a couple of days... Even Microsoft's sites work fine with Firefox.

    Even the diehards would probably be forced to admit they've got Firefox or Chrome kicking around somewhere.
    • Perhaps not so simple for many users!

      1) Anyone who can't use regsvr32 without causing other problems shouldn't be allowed anywhere near a computer.

      2) For many users, learning to use Firefox or Chrome will take more than a "couple of days", and learning to use it efficiently will take much more. Thus the work-around, implemented by competent IT staff, is a superior solution for those companies using IE.

      There are strong arguments to switch permanently from IE to Firefox or Chrome, and perhaps this is the time to do so.
      • For point 2...

        ...see point 1. Anybody who can't figure out how to use firefox or chrome in 5 minutes shouldn't be allowed anywhere near a computer.
        • Apples and oranges

          Both Firefox and Chrome are far more complicated, and require a far greater training curve, than regsvr32. And neither Firefox nor Chrome will work properly with every website. Perhaps those websites are poorly-written, relying on "non-standard" browser features, but they still exist. And discovering the problems, and the workarounds, for all of Firefox's bugs (and presumably Chrome's) will take a lot longer than 5 minutes, even for a very skilled computer user.

          For example, in order to open a Javascript window with Firefox from an eBay "sellers" window, you need to reload the page first. It won't work (and won't even produce an error message) from the initial page load. The problem doesn't exist with IE.

          Instructing a user, or figuring out for yourself, how to get around this problem (and many more like it, each) takes considerably more time than instructing them how to use regsvr32 for one simple function.
      • Let me fix this for you

        Anyone who cannot learn how to use Firefox in 5 min should not be allowed anywhere near a computer.
        BTW, I cannot use regsvr32. I use bash. How about that?
        • Apples and oranges (2)

          1) See my reply to your colleague's identical comment above.

          2) Why can you "not use regsvr32"? Do you lack basic typing or reading abilities?

          3) Bash is a Unix-based scripting language. It has nothing to do with the discussion. You may as well say, I'm fluent in Mandarin Chinese or string theory. It's admirable, but irrelevant.
      • Point 1 sounds just a bit harsh

        Hmm. While I sympathise somewhat with where you're coming from, point 1 has just forbidden around 95% of home users from ever going near a pc again....
        • Harshness is my middle name

          100% of PC users are capable of using regsvr32, if properly instructed --- just as they have been instructed, line by line, on how to use every other PC function. And doing so is considerably simpler than learning to use a new browser, and work around all the nuances in its design. Why do you think there are myriads of questions posted on Internet forums on how to use various features with Firefox, Chrome, etc.?
  • EPM caused some issues of its own

    I believe Microsoft eventually switched off EPM because it caused some web site issues. So it's possible people will switch it on and be faced with other issues. Does it sound like Microsoft is dealing with these IE issues again by adding another layer of protection to a dismal product developed to work too closely to the OS? I find the best solution is probably to run IE without add-ons. Or simply stop using IE if you can. Microsoft could have solved many of these issues by separating IE and sandboxing it from the OS. Instead it chose to continue a pathetic line of caving to Enterprise. Any personal PC users should easily be able to dump IE today.
    • The compatibility problems are not with IE.

      But rather third party add ons.
  • So ASLR is effective in blocking this attack.

    "The advisory now says that enabling it "...will help protect users of Internet Explorer 10 on Windows 7 for x64-based systems..."

    The only thing EPM does on 64-bit Windows 7 is enable 64-bit IE (i.e. Content Processes). The problem doesn't appear to be a problem with Windows' implementation of ASLR but rather the limited address space within which ASLR has to work with in a 32-bit address space.
  • Or alternately, just use Firefox for a couple of days

    I don't understand why people put themselves through contortions like using regsvr32 on vgx.dll (which will have who knows what effects down the road!) when a simple workaround is to just use Firefox until the patch comes.

    I expect even the greatest IE diehards probably have Firefox installed somewhere.
    • I'm having problems viewing these comments in FireFox

      Perhaps it's a problem with the new upgrade. But I'm posting this using IE.
      • Whatever is wrong is likely browser-neutral

        I have seen that there are comments that apparently don't exist on some articles using mobile IE. So credit where it's due: whatever is wrong is at least not a failure of any one particular browser.
        Third of Five
      • I am writing this comment

        On Ubuntu 12 with FF 29. Try force-refreshing (press and hold shift while you refresh).
      • Posting this using Firefox 29 on Windows 7 x86_64

        Seems fine to me. PEBKAC, Ye?
    • Or Opera

      But not the crappy latest version.
    • Why do you think your comment warrants posting multiple times?