VML Vulnerability

A new vulnerability in IE's VML engine has been reported. While VML is rarely used, this vulnerability is critical because:

  1. Any website can exploit the hole by embedding VML inside HTML.
  2. Any email sender can send HTML email with hostile VML.

This one is serious enough for me to take action without waiting for a patch from Microsoft and I suggest you do the same by choosing one of the workarounds listed here.

Since none of my tools rely on VML (AFLAX does but I am not using AFLAX yet), I chose to disable VML by unregistering VGX.dll with the following command:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

To restore VML later, use the same command without -u.