it's worth noting that if you do plan to deploy this in your environment, on 64-bit machines, you need to make sure to unregister both the 32-bit and 64-bit copies of the DLL:
https://technet.microsoft.com/en-us/library/security/2963983.aspx If you are doing such a deployment to 64-bit hosts using ConfigMgr 2007, you need to ensure you have a separate version of the program which calls the Sysnative version of regsvr32.exe to ensure that your DLLs unregistrations don't get caught up by the SYSWOW64 file system redirector (as the CCM 2007 agent is a 32-bit app). On Tue, Apr 29, 2014 at 3:55 PM, Niall Brady <[email protected]> wrote: > the command Symantec provides will pause a task sequence as it's not > silent, (pop's up a window saying successful and waiting for you to click > ok) > > use > > cmd.exe /c %SystemRoot%\System32\regsvr32.exe /u /s > "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" > > instead, (/s for silent) > > > On Tue, Apr 29, 2014 at 5:06 AM, Mike Dougherty <[email protected]> wrote: > >> I've been doing some digging on this/these things this evening... >> >> It seems like there are two closely related exploit-able things floating >> around that have surfaced in the last 24-36 hours: >> >> CVE-2014-0515 >> CVE-2014-1776 >> >> (I assume I'm interpreting this correctly...) >> >> One of them (CVE-2014-0515) is a Flash exploit that could potentially >> target any Windows based browser, including Internet Explorer. Microsoft >> has released a security bulletin, etc. about this one because on Win8+ >> (with IE10 or above), Microsoft is "handling" Flash patching/updates. >> >> Adobe has released a seperate 0-day update/release for this as well: >> http://helpx.adobe.com/security/products/flash-player/apsb14-13.html >> >> >> >> However.... The second one (CVE-2014-1776) is an exploit specific to >> Internet Explorer (which currently leverages a vulnerable Flash to >> introduce the exploit on remote systems). >> >> This where things get clear as mud for me: >> >> >> http://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspx >> >> "while the vulnerability affects Internet Explorer, the exploit relies >> deeply on two other components to successfully trigger code execution and >> in particular it requires presence VML and Flash components." >> >> The aforementioned SRD post mentioned that disabling/unregistering the >> DLLs for VML, changing Active X/Scripting or IE Security Zones, or >> deploying a recent version of EMET can mitigate the issue. >> Symantec goes as far as providing the command to unregister the VML DLL: >> http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild >> >> >> Does deploying the new version of Flash (from CVE-2014-0515) correct both >> issues? No one is really saying one way or the other at this point. >> My guess overall is "no" since exploit #2 could potentially eventually be >> reached via other non-Flash vectors. >> >> However, Fireeye's blog post ( >> http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html) >> says that disabling Flash will prevent the exploit. >> That blog post pre-dates the newest Flash release, so ... >> >> >> >> Thus far, my environment is deploying the newest Flash immediately and >> keeping our fingers crossed, hoping that this solution is sufficient in the >> meantime. >> >> >> >> On Mon, Apr 28, 2014 at 1:00 PM, Brian Mason <[email protected]> wrote: >> >>> I see CM synced and pulled 2961887 today, but it's only for Win8/8.1 >>> and Server12/12R2. >>> >>> >>> >>> This link mentions the patches: >>> https://technet.microsoft.com/library/security/2755801 >>> >>> >>> >>> - On April 28, 2014, Microsoft released an update (2961887) for >>> Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, >>> and >>> for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and >>> Windows RT 8.1. The update addresses the vulnerabilities described in >>> Adobe >>> Security bulletin >>> APSB14-13<http://helpx.adobe.com/security/products/flash-player/apsb14-13.html>. >>> For more information about this update, including download links, see >>> Microsoft >>> Knowledge Base Article 2961887<https://support.microsoft.com/kb/2961887> >>> . >>> >>> *Note *Updates for Windows RT and Windows RT 8.1 are available via Windows >>> Update <http://go.microsoft.com/fwlink/?LinkId=21130>. >>> >>> >>> >>> >>> >>> This link must still be written as it's coming up empty for me: >>> https://support.microsoft.com/kb/2961887 >>> >>> >>> Doesn't look like this is 0-day patch everyone has been waiting for. >>> >>> >>> >>> _________________ >>> >>> Brian Mason >>> >>> MCTS, MS MVP ECM >>> >>> http://www.mnscug.org/ >>> >>> >>> >>> >> >> > >
