Big Hole in IE!!!! (Patch is Here, May1!!!)

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Ketchup

Ketchup

Elite Member
Sep 1, 2002
14,553
248
106
corkyg said:
You're most welcome. It is truly a Security matter. Thank you for initiating it.
Click to expand...

Have I been asleep? Where did this Security category come from? Not saying I don't like it, just surprised I missed it.
 
crashtech

crashtech

Lifer
Jan 4, 2013
10,573
2,145
146
The fix is pretty easy:
Code: 
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Unregisters the never-used VML renderer, which stops this particular exploit.

Matter of fact, you can paste that into a text file on a flash drive and name it whatever.bat, and then you can fix all your machines with just a double click.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
crashtech said:
The fix is pretty easy:
Code: 
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Unregisters the never-used VML renderer, which stops this particular exploit.

Matter of fact, you can paste that into a text file on a flash drive and name it whatever.bat, and then you can fix all your machines with just a double click.
Click to expand...

If it's that easy, how come MS has yet to issue a patch?
 
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
68,332
12,559
126
www.anyf.ca
TBH it's been a while since IE has had a major exploit. They're doing pretty good. But question is, why are people still using that archaic browser?
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
Red Squirrel said:
TBH it's been a while since IE has had a major exploit. They're doing pretty good. But question is, why are people still using that archaic browser?
Click to expand...

As I shared, Pale Moon is currently my default browser, FX was before that, but I choose to retain IE as well, and bet more people do than not.

And, I would not call IE, esp 11, archaic. Less Than, compared to say, PM, U bet, archaic, NO. Newer, most often, esp in apps, does not mean better.
 
Last edited:
code65536

code65536

Golden Member
Mar 7, 2006
1,006
0
76
crashtech said:
Because it's to easy and expedient, and it disables one of their precious but useless inventions.
Click to expand...

Erm, their "precious invention" predated SVG. Back when VML first came out, that was what you had to use if you wanted vector graphics. Hell, SVG hadn't even become a W3C rec when XP went RTM. Yes, in the time since, SVG was finalized and it took off, and Microsoft even deprecated VML in favor of SVG. That doesn't change the fact that over the course of VML's life, there have been uses for VML (even by Google!), and although most have now migrated to SVG, killing VML outright will break things and elicit cries of, "Stupid Windows updates, breaking compatibility all the time!" from some people.
 
IndyColtsFan

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Red Squirrel said:
TBH it's been a while since IE has had a major exploit. They're doing pretty good. But question is, why are people still using that archaic browser?
Click to expand...

It has been the standard browser at every company I've worked at, and that's because of app compatibility. SharePoint, for example, works best with IE.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
code65536 said:
Erm, their "precious invention" predated SVG. Back when VML first came out, that was what you had to use if you wanted vector graphics. Hell, SVG hadn't even become a W3C rec when XP went RTM. Yes, in the time since, SVG was finalized and it took off, and Microsoft even deprecated VML in favor of SVG. That doesn't change the fact that over the course of VML's life, there have been uses for VML (even by Google!), and although most have now migrated to SVG, killing VML outright will break things and elicit cries of, "Stupid Windows updates, breaking compatibility all the time!" from some people.
Click to expand...


I may not understand the specifics above, but I am positive all those data are accurate, and so, IMPORTANT.

This is not the time to be cavalier and dismissive/take UNJUSTIFIED SHOTS at MS.
 
crashtech

crashtech

Lifer
Jan 4, 2013
10,573
2,145
146
If the above command breaks any functionality, re-run it without the -u with elevated (admin) privileges and everything will be back the way it was. It's easy and free, no hand-wringing required.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
crashtech said:
If the above command breaks any functionality, re-run it without the -u with elevated (admin) privileges and everything will be back the way it was. It's easy and free, no hand-wringing required.
Click to expand...


I choose to demur re this suggestion. I choose to wait for the official patch.
 
Last edited:
code65536

code65536

Golden Member
Mar 7, 2006
1,006
0
76
crashtech said:
If the above command breaks any functionality, re-run it without the -u with elevated (admin) privileges and everything will be back the way it was. It's easy and free, no hand-wringing required.
Click to expand...

Yes.

And yes, most people would not miss VML (I know I wouldn't). But the point is that Microsoft can't push out a quick update to every user that just disables VML, because there will be people who do rely on it, so it's pretty flippant and inaccurate to blame it on Microsoft's ego (esp. when they themselves had already deprecated VML for SVG!).
 
crashtech

crashtech

Lifer
Jan 4, 2013
10,573
2,145
146
I'm just sorry if my flippant attitude has caused anyone to reject and distrust a transparently harmless and easy mitigation method. I will now withdraw my participation.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
crashtech said:
I'm just sorry if my flippant attitude has caused anyone to reject and distrust a transparently harmless and easy mitigation method. I will now withdraw my participation.
Click to expand...

Please, we are adults; this is not some infant sporting event to determine the respective worthiness of the participants based on some apparently intense need for others to obey suggestions. As opposed to chasing data as a COLLECTIVE and making our own.

NOTHING HERE FOR ANY ADULT TO TAKE PERSONALLY. You are showing a real lack of respect for your fellow members here, because of some thin skin issue. Don matter wut color the skin it, including blue.

Please ponder.
 
Last edited:
code65536

code65536

Golden Member
Mar 7, 2006
1,006
0
76
crashtech said:
I'm just sorry if my flippant attitude has caused anyone to reject and distrust a transparently harmless and easy mitigation method. I will now withdraw my participation.
Click to expand...

I never said that the workaround was bad. The post that I quoted wasn't even the post about unregistering that COM object. I was explaining why Microsoft can't go around axing every legacy feature in the OS. As I said, most people wouldn't miss VML, the implication being that, for most people, disabling VML is just fine.

Microsoft themselves suggested that workaround in their own security advisory. They long ago deprecated VML. So, yes, to blame them for not doing anything rash because it's "to [sic] easy" and because they somehow want to protect a "precious" feature is being flippant.


(n.b.: On 64-bit Windows, the command posted in this thread only unregisters the 64-bit version of the COM object, which isn't the one used by 32-bit IE, and 32-bit IE is the default browser. The commands to unregister both the 32- and 64-bit copies can be found in the security advisory linked above, which also lists a number of other workarounds.)
 
Last edited:
crashtech

crashtech

Lifer
Jan 4, 2013
10,573
2,145
146
code65536 said:
(n.b.: On 64-bit Windows, the command posted in this thread only unregisters the 64-bit version of the COM object, which isn't the one used by 32-bit IE, and 32-bit IE is the default browser. The commands to unregister both the 32- and 64-bit copies can be found in the security advisory linked above, which also lists a number of other workarounds.)
Click to expand...
Good info, thank you.
 
crashtech

crashtech

Lifer
Jan 4, 2013
10,573
2,145
146
Victorian Gray said:
I appreciated your posting the info. Thank you.
Click to expand...

You are welcome. If you are interested in applying this fix to a 64-bit version of Windows, add the following command in order to unregister both versions of the dll:
Code: 
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

And again thanks to code65536 for pointing out the incomplete nature of the fix for 64-bit systems.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom