Internet Explorer Critical Vulnerability


Petr

There is a new critical vulnerability in vgx.dll that also applies to IE on Windows 9x.

Microsoft published this Security Advisory (925568)

ZERT created an unofficial patch: http://isotf.org/zert/download.htm

I have tested that fully patched IE 6.01SP1 on Windows 98 SE will crash.

I have not tested other versions of IE or other versions of Windows.

The ZERT patch does not work on Windows 98 but probably it could be possible to use it on Windows 2000 and copy the patched file to Win9x.

Petr


Well, you can simply rename or delete it, even while Windows+IE is running. A registry checker will find it missing, so the unregistering failed indeed, but that's all I have noticed so far. Perhaps an infected site can crash a browser because of this, but that's better than downloading trojans.

The test on the ZERT site says I am not vulnerable now after renaming vgx.dll; before that it didn't do anything on my system with the Maxthon browser (based on the IE engine), no crash, just a blank page.

I must say that I expected much more response in this topic because this vulnerability is a nasty one. Just visiting a wrong site can get you into trouble. No user interference needed! The number of bad sites is rising:

http://www.techweb.com/wire/security/193004128

Microsoft denies that it is this serious but is considering releasing a patch outside the normal patch cycle anyway :)

Edited by noguru

I think if you must use IE, it is imperative to disable active scripting to disable JavaScript, VBS and ActiveX, adding only sites you require in the trusted zone. I would also disable VBS via file association as any standard security feature. Unfortunately it seems they are going to bypass even this temporary defense shortly, so use Firefox as a browser in the interim or a live CD.

LinkScanner http://linkscanner.explabs.com/linkscanner/default.asp

Edited by oscardog

Thanks for helping to circulate this unofficial IE925568 patch. I probably would have missed it in the original post. The work these "patch hackers" do is really appreciated by those of us still running 98/Me machines.

I installed the patch and checked out the test page. My IE6SP1 browser running under Windows Me passed without any problems at all.

We should have some kind of mailing list that will keep everyone in the loop when it comes to unofficial patches and upgrades.


Guest smok3yjoint
:thumbup Outstanding! I grabbed the vgx patch for XP from ZERT 2 days ago, but I'm happy to see you got 9x covered. You guys are awesome. Now this is what a forum's all about: working to improve an OS, any OS. Well done.

Edited by smok3yjoint

Here are all official [+ unofficial 1 created using official VGX.DLL from official Win2000 SP4 fix] VGX.DLL patches:

http://www.mdgx.com/ietoy.htm#VGX

* Microsoft Internet Explorer 5.01 SP4/6.0/6.0 SP1/6.0 SP2 for Windows 98/98 SE/NT4 SP6a/2000/ME/XP/2003 Vector Markup Language (VML) VGX.DLL Security Vulnerability Fix (English):

http://www.microsoft.com/technet/security/...n/ms06-055.mspx

- MS IE 6.0 SP1 Patch for Windows 2003/2003 SP1/2003 R2 [892 KB]:

http://download.microsoft.com/download/a/3...486-x86-ENU.exe

- MS IE 6.0 SP2 Patch for Windows XP SP2 [784 KB]:

http://download.microsoft.com/download/9/b...486-x86-ENU.exe

- MS IE 6.0 SP1 Patch for Windows XP SP1 [803 KB]:

http://download.microsoft.com/download/9/d...sXP-x86-ENU.exe

- MS IE 6.0 SP1 Patch for Windows 2000 SP4 [1.42 MB]:

http://download.microsoft.com/download/3/b...000-x86-ENU.exe

- MS IE 5.01 SP4 Patch for Windows 2000 SP4 [1.22 MB]:

http://download.microsoft.com/download/c/b...sp4-x86-ENU.exe

- Unofficial MS IE 6.0/6.0 SP1 Patch for Windows 98/98 SE/NT4 SP6a/ME [1.03 MB]:

http://www.mdgx.com/files/IE925486.EXE

More info:

http://www.isotf.org/zert/

Test VML:

http://www.isotf.org/zert/testvml.htm

the_guy:

Unofficial IE925486.EXE installs on 98FE, 98SE, ME + NT4, only with MS IE 6.0 or 6.0 SP1 installed.

HTH

Edited by MDGx