[Petr]

There is new critical vulnerability in vgx.dll that also applies to IE on Windows 9x.

Microsoft published this Security Advisory (925568)

ZERT created an unofficial patch: http://isotf.org/zert/download.htm

I have tested that fully patched IE 6.01SP1 on Windows 98 SE will crash.

I have not tested other version of IE and other version of Windows.

The ZERT patch does not work on Windows 98 but probably it could be possible to use it on Windows 2000 and copy the patched file to Win9x.

Petr

[noguru]

Anyone tried this workaround advised by Microsoft?

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

Doesn't work on my fully updated Win98se+IE6.0 SP1. I get a loadlibrary failed error.

[Fredledingue]

me too.

What happens if you delete vgx.dll (instead of simply unregistering it)?

[noguru]

Well you can simply rename or delete it, also when Windows+IE is running. A registry checker will find it missing, so the unregistering failed indeed, but that's all I have noticed so far. Perhaps that a infected site can crash a browser because of this but that's better than downloading trojans.

The test on the ZERT site says I am not vulnerable now after renaming vgx.dll, before that it didn't do anything on my system with the Maxton browser (based on IE engine), no crash just a blank page.

I must say that I expected much more response in this topic because this vulnerability is a nasty one. Just visiting a wrong site can get you into trouble. No user interference needed! The number of bad sites is rising:

http://www.techweb.c...urity/193004128

Microsoft denies that it is this serious but is considering to release a patch outside the normal patch-cycle anyway

This post has been edited by noguru: 23 September 2006 - 04:57 AM

[oscardog]

noguru, on Sep 23 2006, 11:38 AM, said:

Well you can simply rename or delete it, also when Windows+IE is running. A registry checker will find it missing, so the unregistering failed indeed, but that's all I have noticed so far. Perhaps that a infected site can crash a browser because of this but that's better than downloading trojans.

The test on the ZERT site says I am not vulnerable now after renaming vgx.dll, before that it didn't do anything on my system with the Maxton browser (based on IE engine), no crash just a blank page.

I must say that I expected much more response in this topic because this vulnerability is a nasty one. Just visiting a wrong site can get you into trouble. No user interference needed! The number of bad sites is rising:

http://www.techweb.c...urity/193004128

Microsoft denies that it is this serious but is considering to release a patch outside the normal patch-cycle anyway

I think if you must use I.E it is imperative to disable active scripting to disable javascript,vbs and activex,adding only sites you require in the trusted zone. I would also disable vbs via file association as any standard security feature. Unfortunately it seems they are going to bypass even this temporary defense shortly so use Firefox as a browser in the interim or a live cd
LinkScanner http://linkscanner.e...ner/default.asp

This post has been edited by oscardog: 23 September 2006 - 06:53 AM

[eidenk]

And what about simply a killbit for vgx.dll ?

[oscardog]

I am presuming that what has been released has just scratched the surface as yet

[LLXX]

I'm not worried about this. Seriously.

[MDGx]

Official VGX.DLL fix ported to 98FE, 98SE, ME + NT4:
http://www.mdgx.com/ietoy.htm#VGX

Listed here:
http://www.msfn.org/...showtopic=46581

HTH

This post has been edited by MDGx: 26 September 2006 - 11:38 PM

[sam13484]

Thanks for helping to circulate this unofficial IE925568 patch. I probably would have missed it in the original post. The work these "patch hackers" do is really appreciated by those of use still running 98/Me machines.

I installed the patch and checked out the test page. My IE6SP1 browser running under Windows Me passed without any problems at all.

We should have some kind of mailing list that will keep everyone in the loop when it comes to unofficial patches and upgrades.

[Petr]

Microsoft has released the official patch:
http://blogs.technet.../26/459194.aspx
http://www.microsoft.com/technet/security/...n/MS06-055.mspx

Windows 2000 patches contain:
IE5.01 SP4 contains VGX.DLL 5.00.3845.1800
IE6.0 SP1 contains VGX.DLL 6.00.2800.1580

The patch has to be re-packaged for Windows 9x.

Petr

[smok3yjoint]

outstanding i grapped the vgx patch for xp from zert 2 days ago but im happy 2 see u got 9x covered u guys are awesome ,now this what a forums all about working to improve a os any os well done.

This post has been edited by smok3yjoint: 26 September 2006 - 04:19 PM

[the_guy]

@Petr: I'm looking at it right now. It will be repackaged ASAP.

the_guy

EDIT: Microsoft also made an update to the Roots Update. Link is the same.

This post has been edited by the_guy: 26 September 2006 - 04:27 PM

[the_guy]

Done of the update! It's at mytempdir until MDGx can host it at his site.

This update replaces 883586 for XPSP2 and 890573 for IE6SP1.

Link=here.

the_guy

[MDGx]

Here are all official [+ unofficial 1 created using official VGX.DLL from official Win2000 SP4 fix] VGX.DLL patches:
http://www.mdgx.com/ietoy.htm#VGX

* Microsoft Internet Explorer 5.01 SP4/6.0/6.0 SP1/6.0 SP2 for Windows 98/98 SE/NT4 SP6a/2000/ME/XP/2003 Vector Markup Language (VML) VGX.DLL Security Vulnerability Fix (English):
http://www.microsoft.com/technet/security/...n/ms06-055.mspx
- MS IE 6.0 SP1 Patch for Windows 2003/2003 SP1/2003 R2 [892 KB]:
http://download.microsoft.com/download/a/3...486-x86-ENU.exe
- MS IE 6.0 SP2 Patch for Windows XP SP2 [784 KB]:
http://download.microsoft.com/download/9/b...486-x86-ENU.exe
- MS IE 6.0 SP1 Patch for Windows XP SP1 [803 KB]:
http://download.microsoft.com/download/9/d...sXP-x86-ENU.exe
- MS IE 6.0 SP1 Patch for Windows 2000 SP4 [1.42 MB]:
http://download.microsoft.com/download/3/b...000-x86-ENU.exe
- MS IE 5.01 SP4 Patch for Windows 2000 SP4 [1.22 MB]:
http://download.microsoft.com/download/c/b...sp4-x86-ENU.exe
- Unofficial MS IE 6.0/6.0 SP1 Patch for Windows 98/98 SE/NT4 SP6a/ME [1.03 MB]:
http://www.mdgx.com/files/IE925486.EXE
More info:
http://www.isotf.org/zert/
Test VML:
http://www.isotf.org/zert/testvml.htm

the_guy:
Unofficial IE925486.EXE installs on 98FE, 98SE, ME + NT4, only with MS IE 6.0 or 6.0 SP1 installed.

HTH

This post has been edited by MDGx: 27 September 2006 - 02:10 AM

[PsycoUnc]

-hey, has anybody noticed that the unofficial IE 6.0+ VGX.DLL file subs just fine into IE 5.5sp2?
...
I unregistered the old one (located in Program Files), replaced it, re-registered, and voila, the test page displays just fine (it bombed before this "fix", as is proper for unprotected systems)...
...
-granted, I've only tested it w/the one test page, have no idea if it's "fully" compatible... anybody know of any other test pages, or ways to test it?

[Petr]

PsycoUnc, on Sep 27 2006, 10:00 AM, said:

-hey, has anybody noticed that the unofficial IE 6.0+ VGX.DLL file subs just fine into IE 5.5sp2?

IE5.5SP2 uses VGX.DLL 5.50.4133.200 or hotfix version 5.50.4909.1000.
IE6.0 uses VGX.DLL 6.00.2600.0000
IE6.0SP1 uses 6.00.2800.1106 (first release), 6.00.2800.1265 (re-release and KB826940), 6.00.2800.1411 (KB833989 security update), 6.00.2800.1461 (KB883586 hotfix), 6.00.2800.1488 (KB890573 hotfix)

Original Microsoft VGX fixes install on systems with IE 6.0 SP1 only (6.00.2800.1106-6.00.2800.9999) , I have no idea if the 6.0SP1 version of VGX.DLL can be used with IE6.0 or IE5.5SP2.

Petr

[PsycoUnc]

-it's ver. 6.00.2800.1580, from MDGx's "Unofficial MS IE 6.0/6.0 SP1 Patch" file...
manual install/register of that file seems to work fine in IE5.5sp2 (at least on that one test page), but it'll need more testing of course to insure compatibility...
>;]

This post has been edited by PsycoUnc: 28 September 2006 - 08:57 AM

[bacon_boy]

PsycoUnc, on Sep 28 2006, 09:41 AM, said:

-it's ver. 6.00.2800.1580, from MDGx's "Unofficial MS IE 6.0/6.0 SP1 Patch" file...
manual install/register of that file seems to work fine in IE5.5sp2 (at least on that one test page), but it'll need more testing of course to insure compatibility...
>;]

Thanks for that valuable bit of info, the page now displays correctly for me as well

[noguru]

ZERT also made a patch for Win98/2Ksp3/XPsp0

http://isotf.org/zert/download.htm