The fuss about a new IE zero-day vulnerability


    • This topic has 24 replies, 14 voices, and was last updated 11 years ago.
    #494546


    PATCH WATCH

    The fuss about a new IE zero-day vulnerability

    By Susan Bradley

    A newly revealed Internet Explorer flaw received an extraordinary amount of news coverage. The vulnerability was widely reported, mostly because the U.S. Department of Homeland Security’s Computer Emergency Readiness Team had issued an alert.


    The full text of this column is posted at windowssecrets.com/patch-watch/the-fuss-about-a-new-ie-zero-day-vulnerability/

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1450987

      Good info but I have a question about vgx.dll. The recommendation is to disable it via the registry but I wonder if we could just delete it instead?

    • #1451002

      Hello,
      I followed the instructions, got the message and added the vmlmaker.com site to IE’s Compatibility View List. Now, I get an office layout instead of a blank page. Is this normal?
      Thanks!

      • #1451207

        Susan –
        I hope you’re planning to cover the broader Heartbleed issue – in hardware. HP My Cloud and a number of hardware firewalls and routers use the broken version of OpenSSL. They’ll need to be updated manually or replaced. Linksys is fine but some Cisco devices are not.
        http://www.wired.com/2014/04/heartbleed_embedded/

    • #1451205

      Ernie - if you delete a system DLL, it will get restored the next time you do a repair or other Windows maintenance routine.
      Not a good practice to delete Windows components anyway.

    • #1451227

      Yes to David will do. Good topic.
      As far as this dll, Microsoft released an out of band (out of cycle) IE update so I’ll urge you to do that instead.

    • #1451242

      When I checked Windows Update this afternoon, auto update had installed KB 2964358 for IE 11 for Windows 7 for x64-based systems. Does this mean that the vulnerability is patched? Thanks.

      • #1451277

        Yes: Security Update for Internet Explorer

    • #1451253

      Win7 32 bit, IE10: I do not get a blank page — just the VMLMaker page.

      Win7 64 bit, IE11: I get the page with the “A VML capable …” message but cannot add VMLMaker.com to the compatibility table (it disappears after adding or restarting IE).

      In both cases the regsvr32 -u command returned a “success” panel.

      • #1451835

        Me too, same process and same results. Am I protected or not? :confused:
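An added example, not from Susan Bradley's column or from any poster in this thread, that answers the "am I protected?" question above by checking the two things discussed: whether the out-of-band Internet Explorer update KB2964358 is installed, and whether vgx.dll is still registered as a COM server. It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt. It looks up vgx.dll registrations in both the native and the Wow6432Node CLSID hives because 64-bit Windows carries two copies of the DLL, one under Common Files and one under Common Files (x86), and a single `regsvr32 -u` only unregisters one of them; a "success" panel therefore does not by itself mean the 32-bit copy that IE's tab processes use is gone.

```powershell
# Added example for this thread (not from the column or any poster).
# Reports whether KB2964358 is installed and whether vgx.dll is still
# registered, and if neither protection is in place prints the regsvr32
# commands for every registered copy. Assumes Windows 7, PowerShell 2.0+,
# elevated prompt.

function Get-VgxRegistration {
    # VML is served by vgx.dll through COM, so a registered copy appears as an
    # InprocServer32 default value ending in vgx.dll. On x64 the native and
    # the Wow6432Node hives each hold their own registration.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID\*\InprocServer32',
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\*\InprocServer32'
    )
    foreach ($root in $roots) {
        $view = if ($root -match 'Wow6432Node') { '32-bit' } else { 'native' }
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.'(default)' -match 'vgx\.dll"?$' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    View   = $view
                    CLSID  = Split-Path -Leaf $_.PSParentPath
                    Server = $_.'(default)'.Trim('"')
                }
            }
    }
}

function Test-HotfixInstalled ([string]$KbId) {
    # Get-HotFix reads Win32_QuickFixEngineering, where Windows 7 lists the
    # installed IE security updates by KB number.
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$kb   = 'KB2964358'                 # the out-of-band IE update named in the thread
$regs = @(Get-VgxRegistration)      # force an array so .Count works on PS 2.0

if (Test-HotfixInstalled $kb) {
    Write-Output "$kb is installed: the out-of-band IE update is in place."
} elseif ($regs.Count -eq 0) {
    Write-Output "$kb is NOT installed, but no copy of vgx.dll is registered, so the workaround is in effect."
} else {
    Write-Output "$kb is NOT installed and vgx.dll is still registered:"
    $regs | Format-Table View, CLSID, Server -AutoSize
    Write-Output 'To apply the workaround, unregister every copy listed above:'
    $regs | ForEach-Object { Write-Output ('    regsvr32 -u "{0}"' -f $_.Server) }
}
```

Run it before and after the `regsvr32 -u` step: on a 64-bit machine where only the native copy was unregistered, the table still shows a `32-bit` row, which is the copy to unregister next. Once the KB is installed the DLL can be re-registered with `regsvr32` (no `-u`) and the script will report the update rather than the workaround.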

    • #1451307

      As Susan suggests in her column, the threat from this bug was overblown by the mainstream media, to begin with. But I told anyone who asked that I believed Microsoft would issue a patch for XP users in this case, and for several different reasons:

      1. Microsoft once upon a time (remember?) tried to claim that IE was an integral part of the OS. They failed to make their case. If you still have an XP machine, click Control Panel>Set Program Access and Defaults; there you will be able to discard IE as your “default” browser. They were required to add that capability and did so in one of the XP Service Packs. All later editions of Windows have similar settings (in WIN 7 it’s called “Default Settings.”) Therefore, a bug in IE is technically not (very possibly as a matter of case law) an operating system flaw, but rather an application flaw. That gives Microsoft an opening to patch the flaw without actually circumventing the end of their support for WIN XP. Furthermore, just because ongoing support has ended, that does not mean Microsoft–out of the goodness of their hearts–cannot issue future XP patches on an ad hoc basis if they deem it in their own best interests.

      2. The latest version of IE for WIN XP was 8. IE8 was also included with WIN 7 very early on. So how could they claim they are issuing a patch for IE8 for WIN 7 users, but not for WIN XP users? Think about that for a minute, especially in light of the first point raised above. Is it an application or not? Do they want to litigate that issue again?

      3. Can you imagine how many lawyers and politicians there are out there who would love to turn this IE bug into another media circus like the one that befell the morons at General Motors with regard to their crappy ignition switches? Especially coming not even a month after ongoing support for WIN XP ended, with 100s of millions of computer users still working with XP machines! (Confession: I still use an old XP-based Dell desktop to print snapshots. My old HP scanner and printer do not have 64-bit drivers, so I cannot attach them to my newer machines. They still work fine for limited use.)

      Conspiracy theorists are already claiming that Microsoft managed to squelch publicity about this bug until after support ended so they could frighten people even more so into upgrading or buying new hardware. How would you like to be a Softie on a witness stand trying to explain why you are so stupid as to have failed to catch this bug earlier? Can you imagine Ford or Chrysler getting away with announcing that they will not allow any of their models built before 2002 to be fixed and that their owners should get rid of them?

      I cannot predict what will happen when the next zero-day IE bug is discovered, but it was very obvious to me that the odds favored a patch for older IE versions in this instance.

    • #1451330

      I am a little confused which is not surprising. I went to the Microsoft download center and searched for KB2929437 and the offers are patches for Internet Explorer 11. I am running Internet Explorer 8, so should I still install KB2929437? (Prior to KB2964358 that is)

      http://www.microsoft.com/en-us/search/DownloadResults.aspx?q=kb2929437&First=1&ftapplicableproducts=AllDownloads

      I also searched for KB2964444 and the same thing; all for Internet Explorer 11.

      http://www.microsoft.com/en-us/search/DownloadResults.aspx?q=kb2964444

      So I am confused, since I am an Internet Explorer 8 user on a Windows 7 64-bit machine and these patches say Internet Explorer 11.

    • #1451343

      OK, I just got confused as well from Microsoft which says this under the “More Information” section

      http://support.microsoft.com/kb/2964358

      I checked my system and I do not have KB2929437 installed so when I read this I was wondering.

      • #1451355

        Swatbat
        Further to Bruce, I would ask why you’re running IE8 on Win7. That’s years out of date. Patch it yes, but update it too. Especially if you’re using it. Old software is the last thing you want to use for surfing. IE11 is current for Win7.

    • #1451353

      Susan
      Oops – you’re right. WD, not HP. An erroneous association from a local supplier.

      Any news on problems with the IE update? OK to go?

    • #1451357

      Hello,

      On three different Win7 systems all with IE10 installed I have been offered the new update (Security Update for Internet Explorer 10 for Windows 7 x64 Edition (KB2964358)). However, considering the importance of this update and in particular that it is an out-of-band update I am surprised that in all three cases the update is unticked (not automatically selected) in Windows Update. The only ticked update is Security Update for Windows 7 for x64-based Systems (KB2862330), which I have not yet installed in accordance with Susan’s advice.

      This makes me suspicious that there is something missing/wrong on my systems and that they are not really ready for the KB2964358 update. On the other hand, it cannot be a question of the presence or not of the KB2929437 update (not installed) as this relates to IE11 and I am only on IE10. :confused:

      Has anyone else seen the KB2964358 update as unticked and gotten some experience with it?

      Regards,
      mo.eu

    • #1451384

      Mine is also unticked. Another reason why I am here since all the KB’s mentioned state they are for Internet Explorer 11 and not the one I have.

      @DFB – I.E. is not my primary so I do not use it as much, but I also understand that I.E. is part of the O/S so I update to at least get that part of it.

    • #1451515

      Mine is unticked also, on my home computer. As is my workstation (and several others) at my workplace. What’s up with that? Woody’s advice says if it ain’t ticked, don’t do it. I’m confused. Anyone have advice?

    • #1451897

      The update was finally checked on my computer this morning. Installed without a restart. IE seems to work fine. I don’t use it but I opened it, went to a few sites, seems to be working fine.

      My computer is W7 Pro with IE9. The update/patch that installed ends with 4358.

      • #1451976

        I checked my systems tonight, and they were also automatically checked all three. Installed on two without a restart; one to go. I noticed that the update on my PCs said that it was published Yesterday (i.e. 5 May), so Microsoft must have re-published it since the original publication on 1 May.

    • #1452247

      Windows XP users will be included in the IE Zero-Day patch after all.

      See Krebs On Security article.

      -- rc primak
