OTA Post/Security note

This is an Open Trackbacks Alliance post. Link to this post and track back all weekend long. More below the mishmash (which includes some info anyone who uses Internet Exploder or Outlook MUST read!)


If you’ve not heard of it yet, on Tuesday Microsoft acknowledged a(nother!) serious security flaw in Internet Exploder (and by extension also in the HTML rendering in Outlook/Outlook Express) that you MUST take seriously.

To deal with this security flaw, you have two paths to take at this time, since Microsoft has NOT issued a patch:

1.) Stop using Microsoft’s internet applications! Stop it! Now! I use Opera for my browser, email and newsfeed client. I don’t really need to use Internet Exploder, unless some jackass website builder requires ActiveX components to load a site I NEED to use. (And in most cases, I’ll get on the phone to ’em and chew ’em out for it.)

2.) Kludge through the workarounds:

From Microsoft’s Security Advisory 925568, under Workarounds, in addition to unregistering vgx.dll (click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll" exactly as shown, keeping the straight quotation marks around the path because it contains spaces, and then click OK):

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only. Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

1. The changes are applied to the preview pane and to open messages.

2. Pictures become attachments so that they are not lost.

3. Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

OK, don’t say you weren’t warned. For my part, the machines around here are all having the vgx.dll unregistered, and I’ll simply keep on using Opera for all (well, 99.99% of) my web browsing, email and RSS feeds.
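To confirm the unregister step actually took effect on a machine, here is an added example (not from Microsoft's advisory or from this post's author). It assumes PowerShell is available and hard-codes no CLSID: it reports any COM class whose in-process server still points at vgx.dll. The function name Get-VgxRegistration is made up for this illustration.

```powershell
# Added example: verify that the "regsvr32 -u ...\vgx.dll" workaround is in effect.
# Assumption: run in PowerShell on the machine being checked.
# Get-VgxRegistration is a hypothetical helper name, not a built-in cmdlet.

function Get-VgxRegistration {
    # Check the native view and, on 64-bit Windows, the 32-bit (Wow6432Node) view.
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            # Each CLSID key may have an InprocServer32 subkey whose default
            # (unnamed) value is the DLL that implements the COM class.
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $dll = [string]$sub.GetValue('')
                $sub.Close()
                if ($dll -match '(?i)\\vgx\.dll"?\s*$') {
                    [pscustomobject]@{
                        View   = $root
                        Clsid  = $_.PSChildName
                        Server = $dll
                    }
                }
            }
        }
    }
}

# Path taken from the workaround command quoted in this post.
$dllPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

$hits = @(Get-VgxRegistration)
if ($hits.Count -eq 0) {
    'vgx.dll is not registered as a COM server: workaround is in effect.'
} else {
    'vgx.dll is STILL registered: re-run the regsvr32 -u command.'
    $hits | Format-Table -AutoSize
}

# regsvr32 -u removes only the registry entries; the file itself stays on disk,
# so anything that re-registers it later undoes the workaround.
"vgx.dll present on disk: $(Test-Path -LiteralPath $dllPath)"
```

Because unregistering leaves the DLL in place, it is worth re-running this check after installing other updates.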

UPDATE: Released today by ZERT: a third-party patch for the VML vulnerability from the “Zero Day Emergency Response Team”—NOT a Microsoft patch.

BTW, see the foot of this post (“read more here” below the Open Trackback reminder) for a few personal observations about Microsoft and security holes/vulnerabilities.


This is an Open Trackbacks Alliance post. Link to this post and then track back. If you want to host your own linkfests, check out

Also note the other fine blogs featuring linkfests at Linkfest Haven.
