Windows 98 and MSIE VML exploit


Is there any hard evidence that vgx.dll for Win-98 (when used in
conjunction with IE-6) is vulnerable to the currently circulating
exploit?

I know that Win-98 is mentioned in various laundry lists, but I'm
looking for a statement along the lines of "Win-98 has been tested and
has been confirmed to be vulnerable".  I don't expect any such
statement to come from Meekro$haft, but some third party expert or
analyst might.

Background:

http://www.counterpane.com/exploit-MSIE_Zero-Day_VML.html

Work-around (this should work for Win-98 and remove the vulnerability
if indeed it does exist):


----------

Click Start, click Run, then type

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

and then click OK.

A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do
so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps.

Replace the text in Step 1 with regsvr32
"%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

-----------


Origin of this exploit:

ISP HostGator had its servers hacked last week to spread the VML
exploit. HostGator says hackers compromised its servers using a
previously unknown security hole in cPanel, the control panel software
that is ->widely used by hosting providers<-. "I can tell you with all
accuracy that this is definitely due to a cPanel exploit that provides
root access and all cPanel servers are affected," said HostGator
system administrator Tim Greer. "This issue affects all versions of
cPanel, from what I can tell, from years ago to the current releases,
including Stable, Release, Current and Edge."

Hackers have hijacked a large number of sites at web hosting firm
HostGator and are seeking to plant trojans on computers of unwitting
visitors to customer sites. HostGator customers report that attackers
are redirecting their sites to outside web pages that use the
unpatched VML exploit in Internet Explorer to install trojans on
computers of users. Site owners said iframe code inserted into their
web pages was redirecting users to the malware-laden pages.

HostGator general manager Jason Muni told Security Fix that attackers
had "reconfigured an unknown number of Web sites hosted on the
company's servers to redirect visitors to a third-party Web site that
tried to load the IE exploit." Muni said the company reconfigured all
of its 200 servers to address the problem. But as of 5:30 pm EST
Friday, some HostGator customers were continuing to report that their
sites were compromised and redirecting visitors, indicating the
problems were ongoing.

(so much for "safe hex")

-------------

Can someone comment as to the use or popularity of VML on the
internet?  Say, for example, for "mission critical" web uses such as
to buy tickets, web-banking, etc.

Also, wouldn't any browser call vgx.dll when presented with an XML
file or code?

I did a search of my IE cache to look for any files with the
occurrence of the string ".vml" (but found nothing).  Same with
looking for any file with .VML extension.  Perhaps that is not the
correct way to look for VML code (and if not, what is?).

How can the internet be searched for content that contains references
to VML files or contains VML code?
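
One way to approach the cache-search question raised in this post, as an added example that is not part of the original thread: VML is normally embedded inline in an HTML page rather than served as a separate `.vml` file, so the code below looks for the VML namespace, the `#default#VML` behavior binding and `v:` elements in a copy of a cache directory. The marker list, function names and sample pages are assumptions constructed for illustration.

```python
import os
import re

# Markers of inline VML in an HTML page (assumed marker set for this example).
VML_MARKERS = {
    "vml-namespace": re.compile(r"urn:schemas-microsoft-com:vml", re.I),
    "vml-behavior": re.compile(r"behavior\s*:\s*url\(\s*#default#VML\s*\)", re.I),
    "vml-element": re.compile(
        r"<\s*v:(shape|shapetype|rect|roundrect|oval|line|polyline|curve|arc|"
        r"group|image|fill|stroke|path|textbox)\b", re.I),
}


def decode_page(data: bytes) -> str:
    """Decode cached page bytes; handles UTF-16 with a BOM, else Latin-1."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")  # never fails; the markers are plain ASCII


def find_vml_markers(data: bytes) -> list:
    """Return the sorted names of the VML markers present in one file."""
    text = decode_page(data)
    return sorted(name for name, rx in VML_MARKERS.items() if rx.search(text))


def scan_tree(root: str) -> dict:
    """Walk a directory (for example a copy of the browser cache) and map each
    file path to the markers found in it; files without markers are omitted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # cap the per-file read
            except OSError:
                continue  # locked or unreadable cache entry
            found = find_vml_markers(data)
            if found:
                hits[path] = found
    return hits


# Constructed sample pages (not taken from the thread).
SAMPLE_VML = (b'<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
              b'<style>v\\:* { behavior: url(#default#VML); }</style></head>'
              b'<body><v:rect style="width:100px;height:50px"/></body></html>')
# A page that merely mentions a ".vml" file name carries no VML markup.
SAMPLE_PLAIN = b"<html><body><p>See chart.vml for details</p></body></html>"

if __name__ == "__main__":
    print(find_vml_markers(SAMPLE_VML))
    print(find_vml_markers(SAMPLE_PLAIN))
```

Searching file names or contents for the string ".vml" misses such pages, because the markup lives inside ordinary `.htm` cache entries.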

Re: Windows 98 and MSIE VML exploit


|
| Is there any hard evidence that vgx.dll for Win-98 (when used in
| conjunction with IE-6) is vulnerable to the currently circulating
| exploit?
|
| I know that Win-98 is mentioned in various laundry lists, but I'm
| looking for a statement along the lines of "Win-98 has been tested and
| has been confirmed to be vulnerable".  I don't expect any such
| statement to come from Meekro$haft, but some third party expert or
| analyst might.
|
| Background:
|
| http://www.counterpane.com/exploit-MSIE_Zero-Day_VML.html
|
| Work-around (this should work for Win-98 and remove the vulnerability
| if indeed it does exist):
|
| ----------
|
| Click Start, click Run, then type
|
| regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
|
| and then click OK.
|
| A dialog box appears to confirm that the un-registration process has
| succeeded. Click OK to close the dialog box.
|
| Impact of Workaround: Applications that render VML will no longer do
| so once Vgx.dll has been unregistered.
|
| To undo this change, re-register Vgx.dll by following the above steps.
|
| Replace the text in Step 1 with regsvr32
| "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
|
| -----------
|
| Origin of this exploit:
|
| ISP HostGator had its servers hacked last week to spread the VML
| exploit. HostGator says hackers compromised its servers using a
| previously unknown security hole in cPanel, the control panel software
| that is ->widely used by hosting providers<-. "I can tell you with all
| accuracy that this is definitely due to a cPanel exploit that provides
| root access and all cPanel servers are affected," said HostGator
| system administrator Tim Greer. "This issue affects all versions of
| cPanel, from what I can tell, from years ago to the current releases,
| including Stable, Release, Current and Edge."
|
| Hackers have hijacked a large number of sites at web hosting firm
| HostGator and are seeking to plant trojans on computers of unwitting
| visitors to customer sites. HostGator customers report that attackers
| are redirecting their sites to outside web pages that use the
| unpatched VML exploit in Internet Explorer to install trojans on
| computers of users. Site owners said iframe code inserted into their
| web pages was redirecting users to the malware-laden pages.
|
| HostGator general manager Jason Muni told Security Fix that attackers
| had "reconfigured an unknown number of Web sites hosted on the
| company's servers to redirect visitors to a third-party Web site that
| tried to load the IE exploit." Muni said the company reconfigured all
| of its 200 servers to address the problem. But as of 5:30 pm EST
| Friday, some HostGator customers were continuing to report that their
| sites were compromised and redirecting visitors, indicating the
| problems were ongoing.
|
| (so much for "safe hex")
|
| -------------
|
| Can someone comment as to the use or popularity of VML on the
| internet?  Say, for example, for "mission critical" web uses such as
| to buy tickets, web-banking, etc.
|
| Also, wouldn't any browser call vgx.dll when presented with an XML
| file or code?
|
| I did a search of my IE cache to look for any files with the
| occurrence of the string ".vml" (but found nothing).  Same with
| looking for any file with .VML extension.  Perhaps that is not the
| correct way to look for VML code (and if not, what is?).
|
| How can the internet be searched for content that contains references
| to VML files or contains VML code?

Yes.  It is an Internet Explorer problem and thus vulnerable.

As for unregistering the DLL under Win9x/ME...

%CommonProgramFiles% is an environmental variable not available under Win9x/ME.

You'll need the FULL path...

regsvr32 /u "C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL"


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Windows 98 and MSIE VML exploit



The newsgroup microsoft.public.security.virus
may put you in touch with the right specialists.

--
Don Phillipson
Carlsbad Springs
(Ottawa, Canada)




Re: Windows 98 and MSIE VML exploit



<SNIP>

I've seen some of your posts and you seem to be a pretty smart
guy. WHY do you insist on using IE? It's the most dangerous
piece of software in the world. Get Opera, move vgx.dll into a
"storage" directory in case something doesn't work without it,
and forget it.

I use Opera with 95B, don't even HAVE vgx.dll and everything
works just fine. Not to mention I NEVER have to get any updates
or patches.

Re: Windows 98 and MSIE VML exploit

thanatoid wrote:

Maybe he, like millions of others, needs IE to access their Financial sites.
Instead of belittling people who use IE, just give your _opinion_ that you
think XX is better and shut up.



Re: Windows 98 and MSIE VML exploit



|
| Maybe he, like millions of others, needs IE to access their Financial sites.
| Instead of belittling people who use IE, just give your _opinion_ that you
| think XX is better and shut up.
|

I agree here.  There are MANY reasons why IE is required to access specific web
sites.
Often, content is NOT the same with Opera, Firefox and others.

--
Dave



Re: Windows 98 and MSIE VML exploit



That, my little webloids, is because MS ignores most
international laws and standards (in this case, web site
construction conventions) and MS web-building software
(regrettably, used by MANY) puts in "special" code which makes
those sites appear "different" or "bad" depending on what other
browser one DARES to use other than IE. The real *content*,
depending on your definition of that, is still there regardless
of the browser.

Re: Windows 98 and MSIE VML exploit

Damian AKA nospam@rabid-dog.net in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:


I don't know about all that. My bank's web site stated that IE is
needed but Firefox works just fine. The only reason for using IE may be
that the site uses Active X - I don't like that idea!

max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
nomail.afraid.org is setup specifically for use in USENET
Feel free to use it yourself.

Re: Windows 98 and MSIE VML exploit

What's in a Name? wrote:

Fine. My Bank site needs IE, and I'm not afraid of Active-X. You keep using
FF, I'll use IE.



Re: Windows 98 and MSIE VML exploit

chrisv AKA chrisv@nospam.invalid in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:


For you IE is good because you know enough (let's hope so) to keep your
system from being hijacked. IMHO the average user needs to stay away
from IE as much as possible.

max

Re: Windows 98 and MSIE VML exploit



I can access my bank JUST FINE with Opera. Research before you
speak.
Not to mention that what I wrote WAS my opinion. (I guess I was
not informed via the usual channels that I am now Supreme
Overlord of the Universe. Thanks for the promotion.)

Re: Windows 98 and MSIE VML exploit

thanatoid wrote:

Just because YOU leap before you look, don't assume everyone is as stupid as
you.





Re: Windows 98 and MSIE VML exploit



I wasn't even going to reply to someone who is obviously
mentally impaired, but I will. Sigh.

You DO realize that:

a)
your comment makes NO sense at all (unless you live in the
Bizarro world)?

b)
that EVERYONE except the sheep who continue to use IE knows who
the stupid ones really are?

Re: Windows 98 and MSIE VML exploit

thanatoid wrote:

BWAHAHAHAHAHJAH!!!  You fucking mentally impaired nong.


You were told twice that IE was needed for some financial sites. Because
YOUR bank site doesn't require IE, you accused everyone of being an idiot.
Now _THAT_ is what "makes NO sense at all."


You still don't grasp what you're being told, do you. I wouldn't have
thought it possible, but you have got to be stupider than Dustbin Kook!



Re: Windows 98 and MSIE VML exploit

thanatoid AKA waiting@the.exit.invalid in alt.comp.anti-virus on
9/24/2006, after much thought, came up with this jewel:


That's Supreme Chancellor of the Universe
(Overlord position is still open to nominations)

max

Re: Windows 98 and MSIE VML exploit

People, can we stick to my questions for a minute?

Dave, yes thanks for correcting the syntax for unregistering vgx.dll
for 98.

But still -


Isn't it more of a "vgx.dll" problem?

I want to know if the windows-98 version of vgx.dll has the same
vulnerability or exploitability as the NT/XP version.

I also want to know how everyone can be so sure that other browsers
aren't vulnerable.  How is it known that Opera or Netscape doesn't
perform calls to vgx.dll?  Are they known for not being able to handle
VML?

Lastly, can someone comment as to the popularity (or even necessity)
of VML?  Where is it used?  What will I be missing if I unregister
vgx.dll?

If you've browsed some sites with VML content, would you have .VML
files in your browser cache?

Re: Windows 98 and MSIE VML exploit

98 Guy wrote:

No.



Re: Windows 98 and MSIE VML exploit



NO!


I have 98SE WITH IE5 installed (this 2nd computer is NOT
connected to the internet and I only installed IE to read .chm
help files) and it does not have vgx.dll. I would guess it
either came with IE6 or one of those "patch one problem, create
three new problems" updates.

Google to find out about the 8-year old VML standard submission
to w3.org.

To find out just how INCREDIBLY important a development it is,
see
http://www.grapl.com/vmlnotes/introduction/vml_and_svg_compared.htm

The vgx.dll problem was first discovered about 2 years ago. I
imagine that file affects the manner in which IE handles wml
objects which can allow a hacker - or Microsoft - to take over
your computer.


Who the fuck cares? If you're running IE, you're running the
biggest virus and trojan there is. You are defenseless. Period.

FWIW, it affects 98 and up with IE6SP1 which you would know if
you took the trouble to go to
www.microsoft.com/downloads/details.aspx?FamilyID=B0095851-674D-4357-868C-DD75D88405EC&displaylang=en


As I said, I use Opera on Win 95B, do NOT have that file
ANYWHERE on my system (Opera DOES have a wml.css file) and
everything works just fine.

Maybe if you read up a bit on vector graphics you would
understand why this is basically totally pointless technology to
begin with, unless you are doing real-time advanced vector
graphics work for major corporations which have offices all over
the world. Even then, just sending zipped files to everyone
would be faster and better, IMO.


See above.


IE stores EVERYTHING. There are browsers that store NOTHING
unless you tell them to. Take your pick.

Re: Windows 98 and MSIE VML exploit

98 Guy wrote:


Well, Internet Explorer in 98SE does not even have an option for
disabling binary and script behaviors like XP has so I doubt it is even
affected.  Just to be on the safe side I am continuing to use Mozilla
Firefox on all three of my operating systems.  (98SE, XP Pro. and
Windows Vista Ultimate 32 bit)  In XP Pro. the binary and script
behaviors have been disabled in the Internet Options as a precaution in
my home computer and work computer and the word has gone out to disable
all binary and script behaviors on all work machines until a patch is
made available.  Using an alternative browser such as Mozilla Firefox or
Opera just makes a lot more sense these days since then you don't have
to deal with the weakness of Microsoft's browser which seems a lot
weaker in security than the rest of the operating system.

Follow these steps:

disable Binary and Script Behaviors in the Internet and Local Intranet security
zone

the rest are common sense including not following unsolicited web links,
disabling active scripting, reading and sending email in plain text that
thankfully Gary S. Terhune, MVP has been a great fan of to help keep us
all safe, and finally classic is best of course and show all those files
boys and girls -- Configure Windows Explorer to use Windows Classic Folders


courtesy of > http://www.kb.cert.org/vuls/id/416092


Yet another recent highly critical advisory -- this one affects Active X
in Internet Explorer so use Mozilla Firefox as a solution and disable
binary and script behaviors in appropriate operating systems for
previous vulnerability like in XP.



Both of these vulnerabilities get the highest critical rating that
secunia gives which is extremely critical so play it
safe in Internet land.

Just to make things interesting ---- Apple has a recent highly critical
vulnerability with users using Airport -- see:

Mozilla Firefox -- open source joins the vulnerabilities also so make
sure you are using the latest version 1.5.0.7 or you are putting your
system at a highly critical risk



Finally, my field is having some action.  Fantastic now I can see what
the mean people are up to and how they are trying to take over user's
systems.  I don't want people's system(s) to be taken over but all these
critical advisories sure make things interesting when one focuses on the
security aspects of computers.  Have a nice day and play it safe out
there everyone.

<information stored via text document and looking forward to responses>

Re: Windows 98 and MSIE VML exploit



Go to this link, read the article, and then keep on happily
using your browser of choice... (chortle).

http://www.internetnews.com/security/article.php/3633856
