Kaseya Community


IE Zero-Day Workaround: Unregistering VGX.dll (x86 and x64-compatible)

Microsoft recently updated their advisory to indicate that unregistering VGX.dll will mitigate one of the attack vectors for the IE Zero-Day vulnerability, as detailed here: https://technet.microsoft.com/library/security/2963983#sectionToggle1

With help from folks in the Kaseya Community (reference http://community.kaseya.com/xsp/f/28/p/19889/91710.aspx... thanks, y'all! :)), I put together a working script that unregisters VGX.dll on both 32-bit (x86) and 64-bit (x64) Windows machines.

This procedure also supports re-registering the DLLs once Microsoft comes out with a true "fix" for the underlying issue.  In that sense, it's fully reversible.

Please Note: Unregistering VGX.dll will break VML image rendering in Internet Explorer. What is VML image rendering? It's rarely used, but it is possible that a customer's line-of-business application or crucial website might use it. Wikipedia article: http://en.wikipedia.org/wiki/Vector_Markup_Language

When running this procedure, please remember to fill in the Script Prompts, whether you Run Now:

...or Schedule the procedure (remember to click the Script Prompts tab before hitting Submit):

The only "acceptable" operation values are U for unregister, or R for register.  If no option or an incorrect option is specified, #adminDefaults.adminEMail# (the executing admin's e-mail) will receive an e-mail stating same.

If you'd like to personally verify that the DLL is unregistered (or re-registered as the case may be), I'd recommend the following utility from Nir Sofer: http://www.nirsoft.net/utils/registered_dll_view.html  Check both 32 and 64-bit versions of the DLL using both the 32 and 64-bit versions of the utility when testing on x64 machines.

Disclaimer of Liability: I have done my best to test this script on as many machines as possible; however, you may find instances where this script does not behave as expected.  Use this at your own risk.  Unregistering a DLL, even though Microsoft recommends this as a viable option until a patch is released, may still cause unintended consequences.  Please use your judgement as to whether or not you're willing to take the risk, or would rather wait for the official Microsoft patch to come out.  Again, be aware, this will break VML rendering in Internet Explorer.  Batteries not included.  Dry clean, do not wash.
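For anyone who wants to see the same U/R operation and the follow-up check outside of a Kaseya procedure, here is a PowerShell sketch. It is an added example, not the script attached to this post. It assumes PowerShell 3.0 or later, an elevated session, and the standard VGX.dll locations under Common Files (the post itself does not list the paths).

```powershell
# Added example, not the Kaseya procedure from this post. Assumes PowerShell 3.0+ and an elevated session.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('U', 'R')]          # U = unregister, R = register, as in the post
    [string]$Operation
)

$is64 = [Environment]::Is64BitOperatingSystem
if ($is64 -and -not [Environment]::Is64BitProcess) {
    throw 'Run from 64-bit PowerShell so file and registry paths are not redirected.'
}

# Standard vgx.dll locations (assumed; the post does not list them). x64 has two copies.
$targets = @(@{ Dll = "$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll"
                Exe = "$env:SystemRoot\System32\regsvr32.exe" })
if ($is64) {
    $targets += @{ Dll = "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll"
                   Exe = "$env:SystemRoot\SysWOW64\regsvr32.exe" }
}

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Dll)) { Write-Warning "Not found: $($t.Dll)"; continue }
    $regArgs = @('/s')                               # silent, no dialog boxes
    if ($Operation -eq 'U') { $regArgs += '/u' }     # /u = unregister
    $regArgs += "`"$($t.Dll)`""
    $p = Start-Process -FilePath $t.Exe -ArgumentList $regArgs -Wait -PassThru
    Write-Output ("{0}: regsvr32 exit code {1}" -f $t.Dll, $p.ExitCode)
}

# Verify: count COM classes whose InprocServer32 still points at vgx.dll, per registry view.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ($is64) { $views += [Microsoft.Win32.RegistryView]::Registry64 }
foreach ($view in $views) {
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $clsid = $hklm.OpenSubKey('SOFTWARE\Classes\CLSID')
    $hits = @(foreach ($name in $clsid.GetSubKeyNames()) {
        $k = $clsid.OpenSubKey("$name\InprocServer32")
        if ($k) {
            if ("$($k.GetValue(''))" -like '*\vgx.dll') { $name }
            $k.Close()
        }
    })
    Write-Output ("{0}: {1} class(es) registered to vgx.dll" -f $view, $hits.Count)
    $hklm.Close()
}
```

After a U run, both views should report 0 classes; after an R run, each view should report at least one.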

Comments
  • IE Zero-Day Workaround: Unregistering VGX.dll (x86 and x64-compatible)

    Finally some good news

    www.foxnews.com/.../microsoft-releases-security-update-for-internet-explorer-including-for-windows

    blogs.technet.com/.../out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx