I will update this and my Blog as more info becomes available.

In the meantime, you can safeguarg your computer by switching to Firefox as your browser, and/or reducing the user privileges on your daily browsing account.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

Excerpt

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.

Read the full Microsoft Advisory and suggested workarounds here.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

Until Microsoft releases a patch for the VML vulnerability the best way to protect yourself is to unregister the VML DLL on your computer. I have provided the details about how to do that on my blog entry about the VML exploits.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

I thought I would pass this one on to the SGF membership, in addition to the strong suggestion to unregister vgx.dll. Here is what else you can do to mitigate this exploit (in addition to unregistering vgx.dll):

Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

You can help protect against this vulnerability by changing your settings to disable binary and script behaviors in the Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.

2. Click the Security tab.

3. Click Internet, and then click Custom Level.

4. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.

5. Click Local intranet, and then click Custom Level.

6. Under Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.

7. Click OK two times to return to Internet Explorer.

Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.
==========================================
Additionally, if you use Outlook or Outlook Express to receive email your should change the options to read email as plain text, instead of HTML/Rich Text, and turn OFF the Preview Panel. The reason for this is because Outlook (Express) uses the Internet Explorer rendering engine to display HTML content in email messages, and if you have not unregistered the VGX.dll and receive an infected message by email your computer may be taken over instantly, when you view the content of that message. Tricked email messages are being sent out by the tens of thousands right now!

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

[This message was edited by Wiz Feinberg on 23 September 2006 at 10:52 AM.]

To un-register Vgx.dll, follow these steps:

1. Click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll", and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, after a patch has been released and applied, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with this:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

I have re-posted the re-register code after finding a problem with the original one that I got from the Microsoft Advisory page. Imagine that!

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices

[This message was edited by Wiz Feinberg on 26 September 2006 at 07:34 PM.]

If the patch does not appear right away keep trying through the day and evening, until you get it. If you have automatic updates turned on you should receive the patch today.

It might be a good idea to set a restore point just before you install the VML Patch, just in case it breaks something else.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. My FAQs.

thanks for your invaluable help in this part of the forum.

I have downloaded the update ...

but when I tried to re-register the vgx.dll as per your previous post, I got a message " the specified module could not be found"

is the re -register link (which I copy/pasted) above accurate, or do I maybe have some other problem

thanks again
Michael

[This message was edited by Michael Dene on 26 September 2006 at 06:13 PM.]

problem solved.

I checked your blog and copied the re-register command from there and it was successful.

it is slightly different to the above version.

I have isolated the re-register code on it's own line for clarity and removed any unnecessary characters or punctuation marks. I have tested the code and it works on my XP SP2 Pro machine.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. My FAQs.

[This message was edited by Wiz Feinberg on 26 September 2006 at 07:52 PM.]

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. My FAQs.