Using RES Workspace Manager to Mitigate IE Zero-day (2963983)

Update: Microsoft has released an out-of-band patch for this vulnerability, including an update for Windows XP.


On April 26th, FireEye announced a zero-day exploit of Internet Explorer in the wild; IE 6 through 11 are vulnerable.  I’m going to show you how to create an Execute Command “At Logon” action in RES Workspace Manager 2014 that unregisters VGX.dll every time a user logs on to a RES-managed computer.

For many companies, XP is still around without support, meaning this vulnerability will never be patched there.  Completely avoiding IE just isn’t an option for many businesses.  If IE must be used, it is in everyone’s best interest to implement one of the workarounds detailed by Microsoft, only one of which is practical as a quick workaround:

  • Unregister VGX.DLL – This DLL renders VML (Vector Markup Language), which has been deprecated since IE9.

According to this Cisco Systems post, this DLL has been used in several zero-day exploits over the last 8 years, and I agree with the author:

…maybe the best mitigation technique is to follow Microsoft’s advice and to unregister the dll for good. Three major vulnerabilities affecting this library have been discovered in the last 14 months, how many more have yet to be found or used?

We have implemented the unregister-VGX.DLL workaround using RES Workspace Manager on client systems.  The reasons for doing it with RES are:

  • It’s really easy
  • With our non-persistent VDI computers, this script has to run at every logon until the base image is either updated with the DLL already unregistered, or patched with the eventual Microsoft hotfix.
  • It’s really easy

There are numerous ways to deploy the DLL unregister commands, so I’m going to demonstrate how to force the DLLs to unregister every time someone logs on to a RES-managed computer.

For 32-bit computers, run:

"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

For 64-bit computers, run:

"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

I will add all 3 commands to the script so I can apply it to all systems.  The “/s” switch hides any prompts from the user, including failures, so be sure to test!

Overview of the process:

  1. Enable Execute Command feature
  2. Create a new At Logon action of the Execute Command type
  3. Insert Script Reference and check “Run using Dynamic Privileges”
  4. Add commands, add filters for Access/Workspace control as desired

Enable Execute Command feature

In RES Workspace Manager, to use a logon command you must enable the “Execute Command” feature. In the Workspace Manager console, go to the “Composition” module, then “Actions by Type”, and enable “Execute Command” globally (or add a Workspace Container exception) if it isn’t enabled already:

Enable the "Execute Command" feature

Create the “Execute Command” script to run “At Logon”

Now, create a new “At Logon” action to run the commands, using elevated rights for non-admins.

Under “Actions By Event” –> “At Logon”, click “New” on the menu bar or right-click in the “Actions” pane (on the right). When prompted, choose “Execute Command”.

Use these properties:

Insert script reference and enable script elevated permissions

Verify that you have checked:

  • “Run using Dynamic Privileges”
  • Command line should simply be %script% – This tells the composer to use the commands in the “Script” tab of the action, which is where we will paste our regsvr32 commands (for both 32- and 64-bit computers):
"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
"%SystemRoot%\System32\regsvr32.exe" /u /s "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"


Note:  These commands run silently and hidden, so test and verify that everything works before you assume that it does; you won’t get any error messages if something fails.


Add any Access/Workspace Controls you need and hit “OK”.  Once the agents have updated, the commands will run at the next logon, unregister the VGX.DLL files, and you can continue using IE from any of the RES-managed computers.

How to verify the DLL was unregistered on a computer:

COM classes (CLSIDs) are registered under the following keys:

  • 32-bit computers: HKEY_CLASSES_ROOT\CLSID
  • 64-bit computers: HKEY_CLASSES_ROOT\CLSID for the 64-bit DLL, and HKEY_CLASSES_ROOT\Wow6432Node\CLSID for the 32-bit (x86) DLL

…and the CLSID of VGX.DLL is {10072CEC-8CC1-11D1-986E-00A0C955B42E}

When the REGSVR32 commands are run successfully, the CLSID registry entries (and a few others) will be deleted:


You can verify by running the following commands:

reg query HKCR\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}
reg query HKCR\Wow6432Node\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}

Verify VGX.dll is unregistered
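Because “/s” hides every regsvr32 failure, the script below (an added example, not part of the original post or of RES Workspace Manager) does the same unregister for both the 32- and 64-bit DLL locations while logging each regsvr32 exit code, then performs the registry verification from the section above against both CLSID keys. The DLL paths, CLSID and registry keys are the ones given in the post; the log file location is an assumption.

```powershell
# Added example: unregister vgx.dll with exit-code logging, then verify the
# CLSID is gone from both registry views. Run from 64-bit PowerShell on 64-bit
# hosts so System32 and HKCR are not redirected to their WOW64 counterparts.
$Clsid   = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'          # VGX.DLL CLSID (from the post)
$LogFile = Join-Path $env:ProgramData 'VGX-unregister.log'   # assumed log location
$RegSvr  = Join-Path $env:SystemRoot 'System32\regsvr32.exe'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# Candidate DLL locations; the (x86) variable only exists on 64-bit Windows.
$Dlls = @( Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll' )
if (${env:CommonProgramFiles(x86)}) {
    $Dlls += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}

foreach ($dll in $Dlls) {
    if (-not (Test-Path $dll)) { Write-Log "SKIP  $dll not present"; continue }
    # /s suppresses the dialogs, so rely on the exit code instead of silence.
    $p = Start-Process -FilePath $RegSvr -ArgumentList '/u', '/s', "`"$dll`"" `
                       -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -eq 0) { Write-Log "OK    unregistered $dll" }
    else                   { Write-Log "FAIL  regsvr32 exit code $($p.ExitCode) for $dll" }
}

# Verification: the same two keys the post's reg query commands check.
$Keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid"
)
$stillRegistered = @($Keys | Where-Object { Test-Path $_ })
if ($stillRegistered.Count -gt 0) {
    $stillRegistered | ForEach-Object { Write-Log "FAIL  CLSID still present at $_" }
    exit 1
}
Write-Log 'OK    VGX CLSID absent from both registry views'
exit 0
```

A non-zero exit code and the FAIL lines in the log are what the silent %script% version never shows you, so this is also a quick way to confirm the RES action is actually taking effect on a given machine.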

Here’s a link to the building block…just make sure to enable the “Execute Command” feature first!

execute_command_unregister_VGX-dll.xml (TXT)
