Greg Hewgill (ghewgill) wrote,

public service announcement: vml vulnerability

Similar to the WMF vulnerability in Windows exposed earlier this year, there is a new vulnerability in VML files. F-Secure has an article on how to protect your system, which involves unregistering the vgx.dll component.

F-Secure states that: "VML is a description format for browsers to draw vector graphics. Not too many websites use this format today - but rather display plain images." While this is true, there is one rather popular application that does in fact use VML: Google Maps (at least, when you're using Internet Explorer).

Google Maps uses VML in Internet Explorer to draw line segments when using the route-finding features. For an example of a map that fails to display lines after unregistering vgx.dll, see my southwest USA travel map from our trip last year. There should be lines on the map tracing the route we drove. It is worth noting that for browsers other than Internet Explorer, Google Maps uses a more intensive server-side solution - it generates a mostly transparent PNG overlay file on the Google Maps servers, and overlays that on top of the map.

Of course Microsoft already has a fix for this, but the patch release is not scheduled until the next Patch Tuesday, 10 October. It will be interesting to see whether there is a rapid rise in exploit code between now and then (like we saw for the WMF vulnerability).
Tags: psa