As if Heartbleed Wasn’t Enough, Here is Another Emergency:

Please forward this to your IT Techs immediately. As with Heartbleed, this is a vulnerability that attackers are already using against you and nobody knew until right now. These are called “zero-day attacks.”

This blog is aimed at non-technical executives and owners, and this “technical” release is so that you can forward this to your IT Pros. Forward it to everyone you care about “not getting hacked” because you and they may already be.

The good news is – you can “turn off the vulnerability” like a light switch.

Credit for this alert goes to our resident Citrix and VMware “Virtualization Guru.” He explains:

A security flaw has been found in all versions of Internet Explorer and this flaw has already been exploited by cyber criminals. At this time, no patch has been provided by Microsoft.

This excerpt from the Microsoft article explaining the exploit provides the pertinent facts:

“…The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website…”

Customers should protect their own Windows computers from this flaw by following these steps:

  • Open a Command Prompt window (hold the Windows key on your keyboard and type “r”, then type CMD in the “Open:” box).

  • In the Command Prompt window that opens up, type the following (it’s probably easiest to copy and paste from this blog): regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

As mentioned before, Microsoft has not yet released a patch to fix the bug. When a patch is made available, install it and then reverse the above command, running CMD as an administrator, by re-registering the vgx.dll file: regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
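For IT Pros who need to apply or reverse this workaround on several machines, here is a batch-file version of the steps above. It is an added example, not part of the original post. The apply/undo arguments and the second path (the 32-bit copy of vgx.dll on 64-bit Windows) are assumptions that do not appear in the post.

```batch
@echo off
rem Added example, not from the original post.
rem Usage:  <script> apply   unregister vgx.dll (the workaround)
rem         <script> undo    re-register vgx.dll after the patch is installed
rem The apply/undo argument names are hypothetical.
setlocal

rem regsvr32 changes machine-wide registration, so require an elevated prompt.
rem "net session" is a common elevation test; it assumes the Server service runs.
net session >nul 2>&1
if errorlevel 1 goto :notadmin

set "MODE=%~1"
if /i "%MODE%"=="apply" goto :run
if /i "%MODE%"=="undo" goto :run
echo Usage: %~nx0 apply ^| undo
exit /b 2

:run
set FAILED=0
call :process "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
rem 64-bit Windows also carries a 32-bit copy (this path is not in the post).
if defined CommonProgramFiles(x86) call :process "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
if %FAILED%==0 (echo Done.) else (echo One or more operations failed.)
exit /b %FAILED%

:process
rem %~1 is the DLL path; keep it quoted because it may contain "(x86)".
if not exist "%~1" goto :skip
if /i "%MODE%"=="apply" (regsvr32 /s /u "%~1") else (regsvr32 /s "%~1")
if errorlevel 1 goto :fail
echo OK    %MODE% "%~1"
exit /b 0

:skip
echo SKIP  "%~1" not found
exit /b 0

:fail
echo FAIL  %MODE% "%~1"
set FAILED=1
exit /b 1

:notadmin
echo Run this from a Command Prompt opened with "Run as administrator".
exit /b 1
```

The /s switch suppresses the regsvr32 pop-up, so the OK, SKIP and FAIL lines are the only record of what happened on each machine.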

Please post your comments below….


11 Comments

  • Mike Foster April 28, 2014 at 1:38 pm - Reply

    And, before you beat me to it, yes – Firefox, Chrome, and Safari aren’t susceptible to the same vulnerability. So, should you switch? Why not – I use all four. But does switching guarantee security? No way. Just Google “Firefox breach.” Use whichever one your IT Pros want you to use since they will be most familiar with supporting their favorite. Some people will argue that Microsoft detects bugs faster than some other organizations. Personally, I just disable Flash and know it makes me more secure. Be sure to see this article as well: https://www.fosterinstitute.com/blog/is-your-guardian-angel-tranquilized/

  • Bernie Perry April 28, 2014 at 7:05 pm - Reply

    Hi Mike,

    As always thanks for the tip. Just a comment though. I first thought you meant we should press Return when “CMD” showed up and then enter the code you provide in the window that opens. As you no doubt know that doesn’t work. I finally concluded that you probably meant we should replace “CMD” with what you provided. When I did that I got a message saying whatever I did succeeded.

    One question – after we do this is it okay to use IE?

    Bernie

    • Mike Foster April 29, 2014 at 3:48 pm - Reply

      Yes, you can then use IE. That temporary patch will alleviate the danger from this particular vulnerability.

  • Bernie Perry April 29, 2014 at 7:12 am - Reply

    Hi Mike,

    I just read this morning that another fix is to disable Flash in IE. Do you agree that is a viable temporary fix?

    Thanks … Bernie

    • Mike Foster April 29, 2014 at 3:54 pm - Reply

      Yes, it is reported that disabling Flash is a viable work-around. Most people wouldn’t disable Flash for fear of content they will miss when visiting sites. Personally, I don’t use Flash at all (on purpose) to help avoid dangers just like this one. Additionally, you can use settings in IE that will allow Flash on some of your trusted sites and disable Flash on others as you read in: https://www.fosterinstitute.com/blog/is-your-guardian-angel-tranquilized/

  • Mike Foster April 29, 2014 at 4:02 pm - Reply

    Here is a great question Chuck, an executive, asked: “What does that fix accomplish? What does it do to my system?”

    What the fix does is to temporarily disable the ability to display code called VML, “Vector Markup Language.” Technical answer I know – but you asked 😉

    The attack you are preventing takes advantage of a “security hole” in the VML code. Thus, by disabling the ability to process VML, the security hole goes away.

    You shouldn’t notice any negative effects, and if you do, you can always re-enable VML as described above: reverse the above command, running cmd admin, by re-registering the vgx.dll file: regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    That’s normally the kind of thing an IT Pro would do for you and for an organization. Executives needn’t get involved at such a technical level in most cases.

  • Aron Eisold April 30, 2014 at 1:38 pm - Reply

    Mike,

    We decided to move forward with the installation of the Microsoft Enhanced Mitigation Experience Toolkit or EMET version 4.1 within our organization to help mitigate this vulnerability. This may help us further long-term with any other potential zero-day attacks.

    -Aron

    • Mike Foster May 1, 2014 at 10:36 am - Reply

      Hooray Aron! EMET is a wonderful tool that I suggest everyone install. I’ll be publishing a newsletter / blog entry about EMET soon. Thank you for sharing such encouraging news! You are helping make the world a more safe place to work and live.

  • Mike Foster May 1, 2014 at 10:38 am - Reply

    Jack, an executive just sent:

    A colleague forwarded the information in your “As If Heartbleed Wasn’t Enough . . .” blog, which I passed along to my web geeks. They wrote back:

    There is a new IE security flaw:
    http://www.usatoday.com/story/tech/2014/04/28/internet-explorer-bug-homeland-security-clandestine-fox/8409857/

    Even Homeland security advises not to use IE.

    I would NOT recommend that you execute the given code in the e-mail you got. But the e-mail seems informational about the flaw.

    Yes, the article your web guys refer to, http://www.usatoday.com/story/tech/2014/04/28/internet-explorer-bug-homeland-security-clandestine-fox/8409857/ starts out saying, “The U.S. Department of Homeland security is advising Americans not to use the Internet Explorer Web browser until a fix is found”

    I interpret what your team is saying as: “Don’t use IE. Then there is no reason to patch IE since you won’t use it anyway.” Right on!

    Some people need to use IE, so they are the ones who need to apply the fix. Eventually (soon we hope) Microsoft will release a patch that will make the fix so much easier and, in some cases, automatic for everyone 🙂

  • Mike Foster May 1, 2014 at 11:01 am - Reply

    To avoid inundating our subscribers with email messages, we aren’t sending out a post about the big problem with Adobe Flash for which Adobe’s already released a patch: http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

    Hopefully all the IT Pros at companies whose executives subscribe to our newsletter have applied the patch already. Now is a good time to remind all the executives you know to remind their IT Pros just in case…

  • Mike Foster May 1, 2014 at 5:12 pm - Reply

    ATTENTION: Microsoft has released a patch! And the patch will even work on Windows XP (Microsoft said they weren’t going to support XP any longer).

    First, please notify your IT Professionals immediately (just in case – they may already know).

    Second, forward this to all the people you know who you care about.

    For your own personal machines, the patch will eventually show up as long as your “automatic update” feature is enabled. If you want the patch sooner, then GO HERE: windowsupdate.microsoft.com

    And if you want to be sure you’ve automatic updates, Microsoft tells you how: https://support.microsoft.com/kb/294871
