Jesper's Blog

Obligatory file photo:

Welcome to Jesper Johansson's blog. This is my home for pontification on the web. In case this is your first time here, I have been working on information security for about 20 years, and have been writing and speaking on the topic for about 10.
My most recent book is the Windows Server 2008 Security Resource Kit . Because I am also a scuba instructor you may find some posts related to that topic as well. Just because it took me so long to get it, I also like to say that I have a Ph.D. in Management Information Systems from the University of Minnesota.

VML Patch Is Out - Unapply The Mitigations

The VML patch is out. Microsoft just released MS06-055 out of band.

If you have applied the work-arounds you need to know a few things first though:

This update does not fix the DirectAnimation Path issue. It only fixes the VML vulnerability.

If you have applied the Access Control List (ACL) change mitigation you need to unapply it before you can install the patch. To do that you need to either use the GUI to remove the deny ACL Entry (ACE) for Everyone, or implement a command line way to remove that ACE. The enableVML.inf security template I posted with the first post I wrote on this topic will do it. You can use that in a GPO, or you can use it on the command line with this command
secedit /configure /db foo.sdb /cfg enableVML.inf /log foo.log

Please note that the command given in the security bulletin to remove the ACE does not currently work. It is not structured correctly. To remove the mitigation with a cacls command you can use
cacls %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll /e /r Everyone

This is what I do in the startup script I posted. However, this command will remove all permissions for Everyone. Ordinarily this would not be a problem, but if you have a system with non-standard ACLs it could cause a problem. This is documented in my other post today.

Finally, if you use the unregistration work-around, as I did in the startup script, you must re-register the DLL to restore functionality. This can be done using the startup script by using the "enable" switch instead of the "disable" switch. Note that unless you modify the script though it will leave you vulnerable to the DirectAnimation Path issue, which is mitigated using the same script.

Published Tue, Sep 26 2006 1:24 PM by jesper

Filed under: Windows Security

Search

This Blog

Home

Community

Syndication

News

The Windows Server 2008 Security Resource Kit is available!
. You can also order it as part of the whole Windows Server 2008 Resource Kit and save some money.
Or, if you need to know about Vista instead, there is:

If you need a more general approach to help you Protect Your Windows Network, there is a book for that too

There is now a mobile version of the blog.

All postings are copyright Jesper M. Johansson or Steve Riley, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson or Steve Riley and do not reflect any official opinion of anyone else with whom the poster(s) are affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.

Powered by Community Server (Commercial Edition), by Telligent Systems