Date: 2006-09-21 19:40:00
Tags: psa
public service announcement: vml vulnerability
Similar to the WMF vulnerability in Windows exposed earlier this year, there is a new vulnerability in VML files. F-Secure has an article on how to protect your system which involves unregistering the vgx.dll component.

F-Secure states that: "VML is a description format for browsers to draw vector graphics. Not too many websites use this format today - but rather display plain images." While this is true, there is one rather popular application that does in fact use VML: Google Maps (at least, when you're using Internet Explorer).

Google Maps uses VML in Internet Explorer to draw line segments when using the route-finding features. For an example of a map that fails to display lines after unregistering vgx.dll, see my southwest USA travel map from our trip last year. There should be lines on the map tracing the route we drove. It is worth noting that for browsers other than Internet Explorer, Google Maps uses a more intensive server-side solution - it generates a mostly transparent PNG overlay file on the Google Maps servers, and overlays that on top of the map.

Of course Microsoft already has a fix for this, but the patch release is not scheduled until the next Patch Tuesday, 10 October. It will be interesting to see whether we see a rapid rise in exploit code between now and then (like we did for the WMF vulnerability).
MS needs to hire Theo. He might be able to fix a few bugs before they get sick of his attitude and fire him. :)
The vulnerability is in the browser's implementation of the file format, not the format itself.

Same exploit as the "write a bat file, rename it gif, host it and link it" really it appears. Just repeated again for yet ANOTHER file format >.<
bovineone: Old file formats
VML never gained wide acceptance, and has mostly been deprecated in favor of SVG. Although Firefox 1.5 now supports SVG natively, even the current release candidates of IE7 still only support VML and not SVG.

It also seems that although Google Maps could be using SVG on Firefox, they still only use the transparent PNG technique.

Thankfully, in IE7 Microsoft has decided to begin deprecating a number of the older protocols/formats previously supported, such as Gopher, Telnet, Scriptlets, DirectAnimation, XBM, Channels (.CDF files) also known as 'Active Desktop Items', etc. They probably should have considered adding VML to that list also.
netdef: Workarounds
Info and workarounds that I personally tested. Recommended until MS patches the problem in October.
Greg Hewgill