Earlier this week, Microsoft announced another 0-day vulnerability in Internet Explorer that was being exploited in targeted attacks. As expected, this set off a scramble for answers to many questions, the most relevant being: “How can I defend against this exposure?”
Fortunately, Microsoft moved very quickly and released a security bulletin announcing a patch for this issue. Often, though, a patch takes much longer to arrive, or operational realities prevent it from being deployed promptly. When that happens, it is worth studying the details of the vulnerability and the exploit to determine whether a Bit9 custom rule can mitigate the threat in the meantime.
There is a mitigation available to Bit9 customers that should protect against this vulnerability until the patch can be deployed. The information needed to build it comes from one of the workarounds in Microsoft's write-up: unregistering vgx.dll.
vgx.dll is the library Internet Explorer uses to render Vector Markup Language (VML) graphics. Although IE 9 and later have dropped VML support outside of legacy document modes, the fact that Microsoft recommends unregistering this DLL as a workaround means it is a critical piece of the vulnerability or of the exploit currently circulating. Unregistering the DLL is a non-trivial effort across a large installed base (it has to be run on every endpoint, twice on 64-bit systems, and reversed after patching), and it removes VML functionality for every application on the system, not just IE. An easier, more targeted way to achieve the same effect is a custom rule that prevents IE from loading the DLL in question.
This can be implemented as a custom rule of type 'Execution Control' that blocks vgx.dll from being loaded by iexplore.exe. On 64-bit platforms there are two copies of each file, so if you enter full paths, include both: iexplore.exe under 'Program Files' and 'Program Files (x86)', and vgx.dll under 'Common Files\Microsoft Shared\VGX' in both trees. As always, deploy the new rule first as a report rule to gauge its impact. Expect to see hits: it is fairly common for IE to load this particular DLL, presumably when VML graphics are encountered on a website, even though, as noted above, the most recent versions of IE do not render VML in standards mode. Those report-mode hits reflect ordinary VML content being rendered, not necessarily exploitation attempts.
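The following PowerShell script is an added example, not code from the original post or from Bit9. It does two things a practitioner would want before turning the rule on: it prints the exact iexplore.exe and vgx.dll paths to enter in the rule on this host (covering the 'Program Files' and 'Program Files (x86)' split), and it reports which running IE processes currently have vgx.dll mapped, which is a point-in-time version of what a report rule would show across the fleet. The paths are derived from the standard ProgramFiles and CommonProgramFiles environment variables; the module check assumes an elevated session, since reading the module list of processes in other sessions requires it.

```powershell
# Added example (not from the original post or from Bit9): pre-deployment check for the
# iexplore.exe -> vgx.dll Execution Control rule. Run from an elevated PowerShell session.

# Build the candidate path lists. Reading all three variables covers the cases of a
# 64-bit shell on 64-bit Windows, a 32-bit shell on 64-bit Windows (where ProgramFiles
# already points at 'Program Files (x86)' and ProgramW6432 gives the 64-bit tree), and
# plain 32-bit Windows (where only ProgramFiles is set).
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique
$commonRoots  = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}, $env:CommonProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique

# Process paths for the rule (the loader) and target paths (the blocked library).
$ieCandidates  = $programRoots | ForEach-Object { Join-Path $_ 'Internet Explorer\iexplore.exe' }
$vgxCandidates = $commonRoots  | ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' }

Write-Host 'Process paths for the rule ([x] = present on this host):'
foreach ($p in $ieCandidates) {
    $mark = if (Test-Path -LiteralPath $p) { '[x]' } else { '[ ]' }
    Write-Host "  $mark $p"
}
Write-Host 'Target (blocked) paths for the rule:'
foreach ($p in $vgxCandidates) {
    $mark = if (Test-Path -LiteralPath $p) { '[x]' } else { '[ ]' }
    Write-Host "  $mark $p"
}

# Which running IE processes have vgx.dll mapped right now? A report rule answers this
# over time across many hosts; this is the local, point-in-time view.
$ieProcs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
if (-not $ieProcs) {
    Write-Host 'No iexplore.exe processes running; nothing to inspect.'
} else {
    foreach ($proc in $ieProcs) {
        try {
            # Accessing .Modules throws (Win32Exception) when the process cannot be
            # opened, e.g. insufficient rights; treat that as "unknown", not "not loaded".
            $mods = @($proc.Modules | Where-Object { $_.ModuleName -eq 'vgx.dll' })
        } catch {
            Write-Warning ("PID {0}: could not enumerate modules ({1})" -f $proc.Id, $_.Exception.Message)
            continue
        }
        if ($mods.Count -gt 0) {
            foreach ($m in $mods) {
                Write-Host ("PID {0} ({1}): vgx.dll LOADED from {2}" -f $proc.Id, $proc.Path, $m.FileName)
            }
        } else {
            Write-Host ("PID {0} ({1}): vgx.dll not loaded" -f $proc.Id, $proc.Path)
        }
    }
}
```

Run it on a few representative workstations with IE open on typical intranet and internet pages. A 'LOADED' line against a legitimate site confirms the behaviour described above (IE loads the DLL for ordinary VML content), which is exactly the kind of hit the report rule will produce and the reason to review that report before switching the rule to block.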
Creating and deploying this rule takes only minutes, and because the block is scoped to the iexplore.exe process, VML continues to work for any other applications installed on the system. The visible cost is that legitimate VML content in IE will not render while the rule is active. The trade-off against unregistering is scope: the rule protects only IE, so keep that in mind if other applications on the system can render web content through the same library. The rule can be disabled quickly and easily after patching, so it should be a safe and effective workaround with little risk to the environment until all systems are patched.
Whenever you are faced with a vulnerability and no available patch, dig into the details and see whether a Bit9 rule can help mitigate it. In many cases a rule can be constructed to close the exposure, and you can get a good night's rest.