VML is used to generate graphics using an XML format.
Microsoft says they'll release a patch for this on October 10th. However, there are already known exploits for this. One of the suggested workarounds is to unregister vgx.dll on each machine until then.
But luckily we have CSA, and can do the following:
- Create a new File Access Control rule (I call it Possible VML Exploitation)
- Take the following action: Deny (or Monitor, if you just want to watch for it)
- when Applications in any of the following selected classes: Email applications, Instant Messenger applications, MS Office applications, Multimedia applications, Web browser applications
- But not in any of the following selected classes: <none>
- Attempt the following: Read
- On any of these files: @program_files\**\VGX\vgx.dll
I'm testing this out now. If anyone else has a better rule to accomplish the same thing, please let me know.
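Added illustration, not from the thread and not CSA's own code: a small Python model of how a File Access Control rule like the one above is evaluated, covering the `\**\` wildcard in the file pattern (which also has to match when vgx.dll sits directly under a `VGX` folder) and the "but not in any of the following classes" exclusion. The expansion of `@program_files` to `C:\Program Files` and the first-match semantics are assumptions; CSA's real matching engine and rule precedence are not modelled.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for CSA's "@program_files" token (assumed English Windows install).
PATH_TOKENS = {"@program_files": r"C:\Program Files"}

def pattern_to_regex(pattern):
    """CSA-style file pattern -> case-insensitive regex over a Windows path."""
    for token, value in PATH_TOKENS.items():
        pattern = pattern.replace(token, value)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\**\\", i):   # \**\ : zero or more directory levels
            out.append(r"\\(?:.*\\)?")
            i += 4
        elif pattern[i] == "*":               # * : anything within one path component
            out.append(r"[^\\]*")
            i += 1
        else:                                 # literal character, escaped for the regex
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

@dataclass
class FileAccessRule:
    action: str              # "Deny" or "Monitor"
    app_classes: set         # "when applications in any of the following classes"
    excluded_classes: set    # "but not in any of the following classes"
    operations: set          # e.g. {"Read"}
    file_patterns: list      # e.g. [r"@program_files\**\VGX\vgx.dll"]

    def matches(self, app_class, operation, path):
        if app_class not in self.app_classes or app_class in self.excluded_classes:
            return False
        if operation not in self.operations:
            return False
        return any(pattern_to_regex(p).match(path) for p in self.file_patterns)

def evaluate(rules, app_class, operation, path):
    """Action of the first matching rule, else 'Allow' (assumed simplification)."""
    for rule in rules:
        if rule.matches(app_class, operation, path):
            return rule.action
    return "Allow"
VML_RULE = FileAccessRule(  # the "Possible VML Exploitation" rule from the post, as data
    action="Deny", operations={"Read"}, excluded_classes=set(),
    app_classes={"Email applications", "Instant Messenger applications",
                 "MS Office applications", "Multimedia applications",
                 "Web browser applications"},
    file_patterns=[r"@program_files\**\VGX\vgx.dll"])
```

Switching `action` to "Monitor" gives the watch-only variant mentioned in the post; a second rule with a non-empty `excluded_classes` shows how the "but not in" list carves an application class back out.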
I tested this new rule, and it works. Google Maps uses VML to generate its maps, which is what I used for the test. I was afraid that IE might load the dll before it was used, but this shows it tries to use it in realtime and shouldn't affect normal browser functionality.
Another way of doing this is to enable the Specific SystemAPI rule that protects against Buffer Overflow (the VML exploit and almost all others use this). This way your rule is dynamic and will protect you against future exploits, e.g. non-VML exploits which don't use the vgx.dll file.
The following System API rule works:
1. Create a SystemAPI rule with the following box checked
"Access system functions from code executing in data or stack space"
However you have to be careful as this can deny legitimate applications also. For this testing you can only include "iexplore.exe" and that should work.
Later on you can fine-tune this rule to exclude any legitimate applications.
Can you tell me specifically what Cisco considers to be the "default policies" for CSA? Does this refer to the "Operating Systems - Base Permissions - Windows" policy (containing the Required System Module and the System Bootstrap Permissions Module) that is in the auto-enrollment group for Windows XP hosts?