| By Susan Bradley |
I’m flattered when folks say they don’t patch their systems until they read my column, but this month I’d rather you read Chris Mosby’s column first.
With all the unpatched issues that arise with IE, it’s not enough to be “fully patched” with Microsoft’s latest fix (MS06-055), you also need to install workarounds when you hear of them. Fixing recent Microsoft patches — for example, the two-week-old MS06-049 — is also essential, as I describe below.
MS out-of-cycle patch stops IE VML attack
A zero-day Internet Explorer attack involving Vector Markup Language (VML) images was patched on Sept. 26 with Microsoft’s release of MS06-055 (925486). Since the Redmond company hadn’t initially promised to issue this patch before Oct. 10, a lot of us admins used workarounds to ensure that our machines were protected. Now that the patch is out, I’ve started gradually removing the mitigations and testing the patch for effectiveness.
If you can’t install the patch for some reason, I’ve made two tutorials for Windows Secrets readers, complete with numerous screen shots. These tutorials illustrate how admins can carry out the Group Policy workaround that Brian Livingston mentioned in his article in the Sept. 22 news update:
• To work around the VML issue, see my VML tutorial.
• To work around both the VML and DAXCL issues, see my GPO script tutorial.
Now that MS06-055 has been issued, you can undo the VML workaround. It’s important to note that 055, however, does not close the DAXCL hole, which involves the Microsoft DirectAnimation Path ActiveX Control. See the "Suggested Actions" section of MS security bulletin 925444 for workarounds to stop that threat.
To undo the VML trick, follow the instructions at the bottom of each of my tutorials. Also review the technique on Jesper Johansson’s Sept. 26 blog post.
Now that the official VML patch is out, I have options. Because the workaround is in place on my machines, I can patch whenever I wish. The patch just came out on Tuesday — and the side-effects of the workaround are slight, since few legitimate Web sites use VML images. So I think I’ll wait a bit to install the patch.
The 055 patch does not mandate rebooting. But I found on one test machine that when I launched Sharepoint (Microsoft’s shared-document Web site platform), closing IE threw off an error. Rebooting the workstation cleared up the issue.
For any of you who have not used the workaround to deregister the vulnerable DLL or change its ACL setting, by all means, do use the regsvr32 workaround (as described in Brian’s Sept. 22 news update) or install MS06-055 as soon as possible. The exploit code is being used in a number of Web sites and banner ads to infect workstations with malware.
Notice: I’ve learned that Microsoft also issued a “Windows Genuine Advantage update” out-of-cycle on Sept. 26. But I can find absolutely no information about the update or what it does. Would Microsoft please document these things in advance?
Fix prevents MS06-049 from mangling files
For those of you who use and run Windows 2000, I want to ensure you’re aware of a much needed patch to a patch.
Installing MS06-049 (921883), which was released on Sept. 12, damages any files larger than 4KB that are written to NTFS compressed folders on Windows 2000 machines. You might think, “No problem, we don’t use compressed folders,” right?
Wrong. We all use compressed folders. Every time you install a security patch on a machine, the uninstall information — which you may desperately need someday — automatically goes into a compressed folder.
Microsoft released a hotfix on Sept. 26 to correct MS06-049′s data-corruption problem. It’s downloadable from KB article 925308. Without the fix, you risk not being able to undo a patch — and not being able to retrieve any other file you may write to a compressed folder.