A newly revealed Internet Explorer flaw received an extraordinary amount of news coverage.
The vulnerability was widely reported, mostly because the U.S. Department of Homeland Security’s Computer Emergency Readiness Team had issued an alert.
|UPDATE: Microsoft has released KB 2964358 (MS14-021), a critical IE update for all workstation versions of Windows — including Windows XP SP3. Note: According to the release notes, IE will crash on Win7 systems if the update is installed before KB 2929437.|
The many headlines about KB 2963983 took me by surprise. To date, there have been only limited attacks using this exploit — no more than we often see with a typical zero-day threat. Moreover, for every successful zero-day exploit we know about, others go undetected.
According to Microsoft Security Advisory 2963983, this latest remote code-execution threat exploits a flaw in the way IE handles objects in memory. The exploit affects IE versions 6 through 11. Until an official patch is released, the advisory lists ways to mitigate the threat — including using Enhanced Mitigation Experience Toolkit 4.x.
This might be the first instance of an MS security posting that doesn’t mention Windows XP — now that the OS is no longer officially supported. XP users must keep in mind that Microsoft won’t release an official XP patch for this exploit. (This is only the first of numerous unpatched items we will see for XP.)
As part of a defense against this zero-day threat, I recommend that XP users unregister vgx.dll. (Vista, Win7, and Win8.x users can apply this method, too.) Here’s how:
- Open a command window (click Start/Run and enter "cmd").
- At the command prompt, enter:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
- On 64-bit Windows (Vista, Win7, and Win8.x), add the following command:
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
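The same steps as a PowerShell script is an added example here, not the author's own: it unregisters every copy of vgx.dll the machine has (the (x86) path only exists on 64-bit Windows), checks regsvr32's exit code instead of relying on its dialog box, and with -Undo re-registers the DLL once the KB 2964358 fix from the update note is installed. The KB number and paths come from the article; the script structure, switch name and checks are assumptions of mine.

```powershell
# Added example, not from the article: apply (or, with -Undo, reverse) the
# vgx.dll workaround on 32- and 64-bit Windows and report each result.
# Run from an elevated prompt on Vista and later; regsvr32 returns exit
# code 0 on success and a non-zero code when (un)registration fails.
param([switch]$Undo)

# %CommonProgramFiles(x86)% is only defined on 64-bit Windows, so the second
# copy of vgx.dll is added to the list only there.
$dlls = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
$x86  = ${env:CommonProgramFiles(x86)}
if ($x86) { $dlls += Join-Path $x86 'Microsoft Shared\VGX\vgx.dll' }

# KB 2964358 is the patch named in the article's update note; once it is
# installed the workaround is no longer needed and -Undo restores VML.
$patched = [bool](Get-HotFix -Id KB2964358 -ErrorAction SilentlyContinue)
if ($Undo -and -not $patched) {
    Write-Warning 'KB 2964358 is not installed; re-registering vgx.dll removes the mitigation.'
}
if (-not $Undo -and $patched) {
    Write-Host 'KB 2964358 is already installed; unregistering anyway as requested.'
}

$verb = if ($Undo) { 'register' } else { 'unregister' }
foreach ($dll in $dlls) {
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Host "Not present (nothing to $verb): $dll"
        continue
    }
    # /s suppresses regsvr32's dialog boxes so the script runs unattended;
    # /u unregisters. regsvr32 is a GUI program, so wait for it explicitly.
    $regArgs = if ($Undo) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs `
                          -Wait -PassThru -WindowStyle Hidden
    if ($proc.ExitCode -eq 0) {
        Write-Host "Done: $verb $dll"
    } else {
        Write-Warning "Failed to $verb $dll (exit code $($proc.ExitCode)); is the prompt elevated?"
    }
}
```

Save it as a .ps1 file and run it from an administrator PowerShell prompt; after the patch is installed, run it again with -Undo to put VML rendering back.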