dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
2960
share rss forum feed

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 edit

VML issues

Microsoft has issues the fix for the VML exploit, but for those who followed the advice to unregister the dll there's now another issue.

The following command will re-register vgx, but will restore only one of the two values that was in this registry key before:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

To restore the other value requires that you also re-register mshtml:

regsvr32 \WINNT\system32\mshtml.dll

The above information was found in the feedback newsgroup at grc and supplied by Dennis Henderson and Terminator Stout.

For those that don't subscribe to the grc newsgroups, here's Dennis's reference:
http://seclists.org/fulldisclosure/2006/Sep/0458.html

I've verified this information on w2k.
--
It has become appallingly clear that our technology has surpassed our humanity." Albert Einstein


S S K

join:2005-02-18
Netherlands

1 edit
... (removed - not sure about this info)

EDIT: Checked the existence of the mshtml.dll value (Vector Vector registry entry) on one of my backups, and it WAS NOT there.

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to Just Bob
in the "reference" article, it doesn't say anything about "mshtml.dll" being "unregistered".. (?)

i don't think that unregistering "vgx.dll" will, at the same time, unregister "mshtml.dll"..


norwegian
Premium
join:2005-02-15
Outback
reply to Just Bob
Same question I ask, why would unregistering vgx.dll also unregister mshtml.dll. ? Maybe some one can explain this ?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


SpannerITWks
Premium
join:2005-04-22
reply to Just Bob
You might like to take a look at this free App + info about - mshtml.dll - etc, BugOff - »www.spywareinfo.com/~merijn/programs.php

Other nice stuff on there too.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks

Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to Just Bob
I just checked my registry in XP, and one of the values under version vector is (Default) Reg-Sz (value not set). That link says it should be I.E. = 6.0000.

How do I fix this? I noticed you have the command "regsvr32 \WINNT\system32\mshtml.dll". Does that WINNT work with XP? Also, I have no idea why, but the first command listed for vgx.dll doesn't work after you un-register it. This one does work:

"%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Again, if that value should be in the registry, please explain how to do it.

Thank you.

Sincerely, Libra


Qorum

@uu.net
reply to Just Bob
On XP SP2 'mshtml.dll' was NOT unregistered along with 'vgx.dll'.

{AE24FDAE-03C6-11D1-8B76-0080C744F389} Enabled Microsoft (R) HTML Viewer Microsoft Corporation Microsoft® Windows® Operating System 6.00.2900.2722 (xpsp_sp2_gdr.050719-1518) ScriptBridge.ScriptBridge.1 Yes C:\WINDOWS\System32\mshtml.dll 4/9/2005 9:17:24 AM

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Libra
This should work on XP:
regsvr32 "%windir%\system32\mshtml.dll"

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Qorum
said by Qorum :

On XP SP2 'mshtml.dll' was NOT unregistered along with 'vgx.dll'.

{AE24FDAE-03C6-11D1-8B76-0080C744F389} Enabled Microsoft (R) HTML Viewer Microsoft Corporation Microsoft® Windows® Operating System 6.00.2900.2722 (xpsp_sp2_gdr.050719-1518) ScriptBridge.ScriptBridge.1 Yes C:\WINDOWS\System32\mshtml.dll 4/9/2005 9:17:24 AM
True, but re-registering mshtml.dll will restore the second value to the "Version Vector" key.
--
It has become appallingly clear that our technology has surpassed our humanity." Albert Einstein


Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Just Bob
One caution...for those with "personalized" versions of IE the "IE" = "6.0000" value may be different and registering mshtml.dll may not be advised. I really don't know what the effects would be.

Libra
Premium
join:2003-08-06
USA
kudos:1
reply to Just Bob
What are the consequences of not registering the mshtml.dll file?

I don't know if I should do it or not.

Sincerely, Libra

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Just Bob
I didn't unregister the dll but I did apply the Zert patch and it unregistered the dll and then replaced it with a fixed version. I have now rolled back the Zert patch to the original dll and IE crashed at the Zert test after rollback. I then applied the MS patch and tried to retest IE. I found that even though MS doesn't require a reboot, I had to reboot for the patch to take effect and for me to test successfully at the Zert test.

Now I read this thread. So, I went looking in the registry and I don't have the IE6 entry and this is on XP Pro SP2. So, do I need to reregister the mshtml.dll? I have 13 instances of the file when I do a search and my HTML Help works correctly and OE works correctly so I don't think I have anything wrong with mshtml.dll ....now my 98SE box has a long ongoing problem with that file.... but that has nothing to do with this issue.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.ie7.com/


zteardrop

join:2005-12-20
Brooklyn, NY
reply to Just Bob
Click for full size
I just visited www.mrdudemanDONOTCLICK.com and got the alert below from NIS 2007. Whats interesting is that it is a generic alert "HTTP MS IE WML Fill Method BO" and is completely agnostic to the malware actually being downloaded. I am interested in trying this out with other websites exploiting the VML vulnerability if someone has a list.


swhx7
Premium
join:2006-07-23
Elbonia
reply to Just Bob
What are the consequences of leaving vgx.dll unregistered? As far as I know the only harm (if it is harm at all) is preventing IE from rendering VML.

For those who use IE only rarely, as I do, this is trivial or possibly beneficial.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 edits
reply to Just Bob
mele, i re-registered the "vgx.dll"-file before installing the MS patch and then went to zert's test page, and, as far as i could tell, the ms-patch, and everything else, worked fine, even though i did not have that "ie 6"-thing in the registry..

i had to add the zert test page to IE's trusted sites before the colored boxes would appear.. i am assuming that "VML" had to run in order for the colored boxes to appear, and that adding the test-page to "trusted sites" allowed "VML" to run..

still there might be something to the information, about needing to register "mhtml".. i don't know.. but, you could add the "ie 6" thing back to the registry: i can confirm that it is there, normally..

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Hmm...I didn't have to add the Zert site to trusted sites to see the colored boxes after I applied the MS patch.

I think re-registering mshtml is supposed to put that IE6 value back in the registry. mshtml.dll is rather critical over all...you do not want problems with it.

I asked about this in the MS IE security NG but that is a slow moving NG and I haven't gotten a response. Maybe I will just re-register mshtml ...don't see what harm it would do.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.ie7.com/


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to Just Bob
I deleted the file, vgx.dll, problem solved.


Qorum

@Level3.net
I deleted the file, vgx.dll, problem solved
Threw the baby out with the bath water, eh?

Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to Mele20
I didn't have to put the Zert site into the Trusted zone either to see the red boxes after applying the MS patch. Maybe that has to do with the settings in the Internet zone.

I pm'd someone very knowledgeable about Windows regarding this thread. He said we don't have to re-register mshtml since it was never unregistered. He also said without that value (IE=6) IE "may" have a problem with some pages, and if that's a concern to manually add that value. Since I'm not sure on how to add that value in, at this point I've decided to wait and see if there's a problem. What's everyone else's thought on this?

Sincerely, Libra


SpannerITWks
Premium
join:2005-04-22
reply to Just Bob
Libra

I disabled - mshtml.dll - a long time ago, as per my previous post above, and i don't have Any problems with IE6. I don't use OE though, which requires it !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Libra
I would agree with your expert. Since the IE version is contained in the "Internet Explorer" key it's likely that the only thing that would be affected would vml images, but MS must have had a reason to add that value under the "Vector Version" key as well.

If your isp is using a "branded" version of IE (AOL, MSN, etc.) the issue is more clouded. It isn't clear to me if this affects the "User Agent" value reported to web servers.
--
It has become appallingly clear that our technology has surpassed our humanity." Albert Einstein



buttoni
Premium
join:2005-08-16
Temple, TX

1 edit
reply to Just Bob
Well I'm running the ATT DSL Browser, which is a "branded" version of IE6. I had done the workaround (unregistered vgx.dll) when threat was discovered. Then I reregistered it right before downloading the patch. Wasn't until then I found this thread and also reregistered the mshtml.dll file. Don't know what the registry key was before but it now shows: Version 6.0.2900.2180. Sure hope this is right. No problems with IE since doing both file reregisters. Guess I'll find out whether the steps I've taken will cause me problems or not come next Windows updates time.
--
Peggy in Texas
-------
WinXP5.1SP2;ATT DSL Browser;
Comodo Firewall; Avast AV; SpywareDoctor

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Just Bob
There's one report in the grc newsgroups that Peachtree Accounting uses the IE value contained in the Vector Version key and will not run without it.


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to Just Bob
I also deleted the outlook express folder.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to SpannerITWks
said by SpannerITWks:

Libra

I disabled - mshtml.dll - a long time ago, as per my previous post above, and i don't have Any problems with IE6. I don't use OE though, which requires it !

Spanner
It is not only OE that requires it so does all HTML Help...so you never read Help files? You are too smart for that, huh?

I love Outlook Express (one of the few things from Microsoft that I really like) and I use Help files all the time so I very much don't need problems with mshtml. I have problems with it, and have for a long while, on my older machine that runs 98SE. OE will start then immediately crash due to a problem with mshtml. Then when I restart OE it usually works fine until I switch identities and sometimes then it crashes with mshtml.dll as the reason.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.ie7.com/


SpannerITWks
Premium
join:2005-04-22
reply to Just Bob
NineT8SE4evr

I didn't go quite that far lol, i just always disable OE from ever starting/running etc whenever i install/reinstall etc.

Mele20

Haha, well i don't ever read the IE help files anyway, or feel the need to. Nothing to do with being " smart " etc, i just learnt how to configure it Exactly how i want a long time ago. Mainly through the kind works + info of other peoples www's, + experimenting too. Help files for other Apps i do read though as and if/when required, but they have always launched just fine for me without - mshtml - etc. I have ALL options ticked in BugOff with no problems Ever with Anything related.

Have you tried updating - mshtml.dll - to the latest version, if you don't have it ? I think if i was having that many errors with OE, i would try a few other email clients, of which there are plenty to choose from which work just fine on 98.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I was under the impression the mshtml was necessary for other HTML help files not just IE ones. Maybe that is just on XP. I had a big problem some time back on XP with help files not being able to display and it turned out to be connected to mshtml and the HTML Help Viewer. I could not access any .chm files after a MS security fix for mshtml. I really needed to be able to view the VMWare Workstation Manuals at that time as I was rather new to VMWare and their manuals are outstanding but I suddenly could only view portions of them and it was due to a problem with mshtml.

I use IE5.5 SP2 on the 98SE machine so I am afraid to upgrade the mshtml.dll. That machine is over seven years old and has not had Windows reinstalled since November 4, 2001. That is a long time for 98SE. I don't want to do anything that will force me to reinstall Windows. I have the disks but I am not at all sure that the floppies for the Yamaha sound card drivers are not rusted, etc. Bet I would have a lot of trouble locating those on the internet. I was just thinking about this a few days ago. I need to get those disks out and see if they work. When I got a CD burner on the XP computer several years ago...I should have burned copies of the drivers. Most stuff for that computer is on CD and I did burn copies but I didn't even think about the sound card drivers.

How can you disable mshtml.dll on 98SE? It's the parsing engine for IE on 98 and 98SE.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.ie7.com/


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to Just Bob
Hey if you want to clone you 98se to another harddrive, use this: Data Lifeguard Tools 11.2 for Windows
»support.wdc.com/download/index.asp?swid=1
It works so good it's not funny, just select the drive you wanna copy: C:
And select the drive you wanna copy it to: D: (for example)
It copies everyfile and makes the drive bootable, you could'nt tell the copied one from the oringial.


SpannerITWks
Premium
join:2005-04-22
reply to Just Bob
Mele20

I don't think these are VML issues per se, and i don't want to get my legs slapped lol, but anywayz here goes !

I can only tell you what works for me, and what i've decribed does. When launching a .chm file i have to allow it via WinSonar due to - hh.exe - normally being blocked by me, but then it works OK. As i don't use .chm and - hh.exe - very often it's a minor brief inconvenience only, but a Lot safer that way.

Why don't you just go get IE6 ? i use it All the time, locked down of course, but still do out of choice having tried others !

Here's the options in BugOff, i have them ALL disabled on my 98SE PC as you can see -





Some/all of these may have been fixed by MS since then, but i still have them set like that, don't need em !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Libra
It's edit/new string value. I just added it. Hope I didn't screw anything up.