Saturday, September 30, 2006

Non-Microsoft Patch for Unsupported MS Systems Against VML Exploit

As this blog post was possible because of information from Freedomlist, it is only appropriate that the image used to accompany it also be from Freedomlist. The original image is worth checking out. See long-time Freedomlist member Curious John's original image of his favorite wild persimmon tree .


Ordinarilly, I do not recommend using a patch for a Microsoft Operating System that was not created and tested by Microsoft. The reason is that Microsoft has tremendous resources at hand for testing in countless environments that others do not have available. Even then, there is no way possible for Microsoft to test every possible configuration or software interaction. However, in this instance, I decided it is a good idea to at least let readers know of the availability of this particular unofficial patch.

As background, o
n October 10, Microsoft released Security Bulletin MS06-055 as a critical update. The purpose of the update was to fix a security issue identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. The problem is that there are still a fairly large number of Windows operating systems in use that have reached the end of "Life Cycle" where Microsoft will provide updates. (The information for all Microsoft software, games, tools, hardware is available in Product Life Cycle, which Microsoft reviews and updates regularly.)

ZERT (Zeroday Emergency Response Team) created a patch for Windows 9X, ME, 2000 (to SP3) and XP systems that have not updated to SP1, 1a or SP2 for the VML exploit.
Hat Tip to "Lost" at Freedomlist for the link to c|net News in "Security pros patch older Windows versions", By Joris Evers which reports:
"The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable PC when the user clicks on a malicious link on a Web site or an e-mail message."
Of course the standard warnings of keeping antivirus software updated and and using caution when browsing the Internet applies, as does not clicking on a link in an e-mail from an untrusted source. If you still do not feel your computer is secure, check to see if the version of your operating system has been tested, see ZERT's Libraries Tested.

Here are the instructions for those downloading the file for the older computers, by Plodr:
  1. Grab the download from here:
  2. Unzip it and you'll get a ZPatch folder. Make sure you close IE and OE before you try to apply the patch.
  3. Click on the ZVGPatcher.exe which brings up a window
  4. Click on patch and close the window
  5. Open IE and go to

As Plodr also noted:

"If IE crashes, then you are not patched. Believe me I've had my share of crashes in the last several days until I got both 98SEs and ME patched. "

Thank you Curious John, Lost and Plodr!

No comments: