FAQ: What you should know now about the latest IE bug

What's the problem?

A vulnerability newly discovered in Microsoft Internet Explorer could allow an attacker to take over a targeted machine -- even a machine with all its patches up to date.

What's it called?

The Common Vulnerabilities and Exposures list tentatively designates this vulnerability as CVE-2006-4868. McAfee calls it Exploit-VMLFill; Trend Micro calls it EXPL_EXECOD.A; Symantec calls it Trojan.Vimalov, reflecting its probable Russian origin. SecurityFocus assigns it a Bugtraq ID of 20096.

Which programs and versions are affected?

Internet Security Systems reports that the flaw affects all versions of IE that include support for VML, which means versions 5 and 6, though tests so far have generally looked at version 6. There have been no reports of the attack working on IE 7. Recent versions of Outlook and Outlook Express are also vulnerable, as are all versions and service packs for Windows 2000 and XP. (IE on Win2003 runs by default in a restricted mode, in which certain binary and script behaviors are disabled; if those settings have been changed the system may be vulnerable.)

Are Mac, Linux or Unix systems vulnerable? What about Firefox?

No, no, no and no. (Something Firefox aficionados are trumpeting loudly over in the SunbeltBlog comments That's not winning many popularity contests.)

How is the vulnerability exploited?

So far, the exploit has been found in the wild on a handful of Russian sites, mostly porn-related. Propagation is via the usual routes, particularly e-mail, though IM or any service by which an HTML link can be sent will do. Users must click on an HTML link to load the affected document. Outlook or Outlook Express users who automatically open HTML messages are also at risk.

What's the sequence of events?

Security veterans won't be surprised to learn that we have yet another buffer-overflow attack here. The buffer is deluged and overflows, pushing JavaScript shell code into adjacent buffers for execution. The code downloads a piece of malware and saves it to the hard drive as CPU.exe, after which Internet Explorer generally shuts down.

What's the payload?

Depends, but the vulnerability can allow attackers to take complete control of the machine so the potential for mayhem is high. Most attacks so far are recruiting PCs into botnets, presumably to be used for other attacks or malware propagation at a later date. They're also depositing a stunning amount of adware on victimized machines, as Sunbelt researcher Adam Thomas described in a blog posting. The potential for trouble, rather than the current infection rate, is why organizations such as Secunia are concerned at the moment.

When can I expect an official patch?

Microsoft, in a security advisory released yesterday, says it's working on a patch that's in the final stages of compatibility testing. The company expects to release it with the October "Patch Tuesday" set scheduled for the 10th of the month.

That long?!

So far, it doesn't appear that we've got another Windows Metafile zero-day mess on our hands, not least because the vulnerability was apparently obscure for quite some time. (More on the discovery process below.) If things heat up, Microsoft says it'll work to release the patch earlier.

Is that likely?

Chris Mosby's blog says that Web Attacker, the notorious toolkit for Trojans, has been updated to include support for exploiting the vulnerability. Not a good sign.

What can I do in the meantime?

Simply put: Turn off JavaScript execution, since the code inserted in the buffer overflow is a JavaScript. More fully, Microsoft and independent experts are recommending that admins (and users with admin privileges) temporarily unregister vgx.dll, the affected library, with the following command:

&nbsp&nbspregsvr32 -u "%ProgramFiles%\CommonFiles\Microsoft Shared\VGX\vgx.dll"

After the DLL is unregistered, reboot the computer. Once a patch is available, the DLL may be re-registered at your convenience. Security expert Jesper Johansson has posted some useful templates, using Group Policy, for fast fix deployment in Windows domains.

Microsoft says that Windows Live OneCare users who currently have green status are protected from all known malware, and recommends that all users check that their antivirus protections are up to date. Antivirus software that includes protection against buffer overflows appears to protect against the exploit.

If vgx.dll is crucial to your users, the Access Control List for the DLL may be modified to forbid access to the 'everyone' group.

Microsoft suggests those using IE 6 for XP Service Pack 2 can protect themselves by disabling binary and script behaviors in the Internet and Local Internet security zones. Those setting are reached through the Tools --> Internet Options -- > Security --> (zone) --> Active X controls and plug-ins for both zones.

(Several observers have noted that Microsoft is clearly taking the problem seriously, as it's rare for the company to recommend disabling functionality in their products, even temporarily!)

What does vgx.dll do?

Practically speaking, not much. It's a dynamic link library supporting VML, the hypertext markup language that handles the display of vector graphics. The VML proposal has been around since 1998, but it's not very widely used online. It's unlikely that most users will even know it's (temporarily) not supported by their IE browser.

Hasn't vgx.dll been involved in security advisories before?

Good memory. It was indeed one of the buffers affected in certain versions of Windows when the 2004 .jpeg processing buffer-overflow problem covered in MS04-028 was spotted.

Who found the flaw?

Funny you should ask. Sunbelt first noticed the exploit in the wild around noon on Monday and posted the code to a private mailing list of security professionals, who began the vetting process. According to Alex Eckleberry at Sunbelt, this was the first the security professionals on their (closed, vetted) list had heard of the vulnerability. However, Eckleberry found out later in the day that ISS has apparently been aware of the exploit for some time and has been working with Microsoft on a fix; That organization issued an advisory on Tuesday.

Obfuscation? Responsible disclosure?

In the words of Eckleberry, "Whatever." CERT's notes on the situation credit Sunbelt with the find.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Angela Gunn

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?