Plugging holes with Zen!

This morning's SANS diary says that the Infocon level is at Yellow. This happens pretty rarely, and it is only elevated for a good reason. In this case a VML vulnerability and exploit have emerged in the last few days. You can read CERT's description of it here.

There are a number of ways to get around the problem, but Microsoft has suggested a few. You can read their take on things here.

It turns out that one of the methods recommended by Microsoft is actually pretty easily done through Zen for Desktops.

Un-register Vgx.dll

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note: The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround; however, the recommendation is to restart the system.

To un-register Vgx.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with "regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks).

As I said, this is fairly simple to do through ZENworks. Create a new Application Object and enter the details manually. Put this in the "Path to file" field:

%*WINDIR%\System32\regsvr32

and this in the Parameters field:

-u "%*ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Set it to run with system impersonation and associate it however you like, with a force-run and probably run-once. To undo it once the patch is out, or once you have confidence that your antivirus vendor will catch the bug, re-registering it the same way is just as easy.
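Pushing the Application Object out is one thing; knowing it actually took effect on a given box is another. The following PowerShell script is an added example, not from the original post, Microsoft's advisory or ZENworks itself. It assumes it runs with administrative rights on the target workstation and reports whether vgx.dll still has any COM class registrations, which is what regsvr32 -u removes.

```powershell
# Added example: report whether the vgx.dll workaround is in place on this machine.
# Assumes vgx.dll lives at its default location under %ProgramFiles%.
$vgxPath = Join-Path ${env:ProgramFiles} 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrations {
    # Walk every CLSID under HKCR and collect the ones whose InprocServer32
    # default value points at vgx.dll. No CLSID is hard-coded, so this works
    # regardless of which classes a given build of vgx.dll registers.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -like '*vgx.dll*') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

$regs = @(Get-VgxRegistrations)

if (-not (Test-Path $vgxPath)) {
    # Nothing to unregister; the DLL itself is absent.
    Write-Output "vgx.dll not present at $vgxPath"
} elseif ($regs.Count -eq 0) {
    # DLL is on disk but no CLSID points at it: the un-registration held.
    Write-Output "vgx.dll is present but has no CLSID registrations: workaround is in place"
} else {
    # DLL is still registered; the Application Object has not run (or was undone).
    Write-Output "vgx.dll is still registered ($($regs.Count) class(es)):"
    $regs | Format-Table -AutoSize
}
```

Run it before and after the force-run to see the registrations disappear, and again after re-registering to confirm they came back.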

Note: This is just a wild idea, not something we have running. We might, but we have several layers of approvals to get through before we push something like this out to everyone. Feel free to riff on this idea to your own needs.