Author |
Topic: Turn Off Your Preview Pane in Outlook (Express)! |
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 22 Sep 2006 10:24 pm
|
|
Updated to fix bad path to vgx.dll
This warning is in response to the sudden rise in VML vulnerability exploits that have been emerging since the vulnerability was publicly announced last week. If you use Microsoft Outlook or Outlook Express as your email client, turn off the preview pane!
Here is why.
The VML exploit is growing quickly and a mass email attack could be just days away, warn security experts who are tracking the problem.
The exploit was first discovered early this week by Sunbelt Software. The exploit is a buffer overflow in the Vector Markup Language (VML) library that allows for remote code execution.
However, the real danger is that it could infect a computer without the user doing anything. All you had to do was have the preview pane turned on in Microsoft Outlook and that would be enough to launch the exploit. The preview pane would render the script in an email, and a script could be written to cause the buffer overflow.
Security experts all agree that they are seeing a rapid rise in the number of emails that attempt to exploit the VML vulnerability, with the goal of enlisting the infected computers into their Zombie Computer armies, where they act as spam relays. It is now estimated that as much as 80% of the spam being sent out these days is sent by compromised Zombie computers.
In addition to turning off the Preview Pane, in Outlook (Express) you should set the security option in the Security tab to run Outlook Express in the Restricted Sites Zone, and configure it to read email as plain text, instead of HTML.
More:
A Microsoft spokesperson said the company has not changed its plans to issue a patch on October 10, the date of its monthly patch. iDefense is encouraging people to take a number of steps in advance of the patch.
This includes disabling JavaScript, since some attacks utilize JavaScript to launch the attack, using a non-IE browser, disabling the preview pane in Outlook, and most importantly, disabling the VML DLL in the computer.
This is done by running the following command from the Windows command line: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll". Do that, and the library cannot be called by any exploit.
More to come as I discover useful information about this dangerous vulnerability.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices
[This message was edited by Wiz Feinberg on 23 September 2006 to fix the bad path to the vgx.dll file.]
[This message was edited by Wiz Feinberg on 23 September 2006 at 11:37 AM.]
|
|
|
Dave Potter
From: Texas
|
Posted 23 Sep 2006 9:21 am
|
|
Wonder if the vulnerability would also apply to Thunderbird. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 23 Sep 2006 10:00 am
|
|
Thunderbird uses the Mozilla rendering engine to display HTML content, not the IE engine. However, you are still at some risk as long as Internet Explorer is installed on your computer. I would recommend unregistering vgx.dll as a safety precaution until an official patch is released. See the last couple of posts in my thread about the VML vulnerability.
|
|
|
|
Al Marcus
From: Cedar Springs,MI USA (deceased)
|
Posted 23 Sep 2006 10:06 am
|
|
"command line: regsvr32 -u "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll". Do that, and the library cannot be called by any exploit."
Wiz - What is a Preview Pane that I am supposed to turn off? Where do I get the "command line" to type in what you wrote above?
I appreciate what you are advising, but we are not all computer experts like you, so don't understand some of the jargon...al
------------------
My Website..... www.cmedic.net/~almarcus/
|
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 23 Sep 2006 10:28 am
|
|
quote: "command line: regsvr32 -u "%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll". Do that, and the library cannot be called by any exploit."
Wiz - What is a Preview Pane that I am supposed to turn off? Where do I get the "command line" to type in what you wrote above?
Al;
I apologize for using geek talk.
First of all, I had to correct the path to unregister that dll file. I copied it from another source and it was missing two required backslashes in the path. Here is the correct path: regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
The place where you use this command is called the RUN input box. To get there click on your Start Button, then look to the lower right side, find Run and click on it. A small box will open with an input field where you can type or paste in commands, such as the one above. Copy and paste the new command (with correct path) and click on OK. If you typed or pasted it correctly the Run box will be replaced with a message box titled 'RegSvr32', telling you that the unregistering succeeded. Click OK to dismiss that notice.
The Preview Pane is found in Outlook and Outlook Express email clients (programs), as a View Option. In Outlook Express, open the program, click on View, then on Layout, then uncheck the option "Show Preview Pane." Click OK and the Preview Pane will disappear from your Inbox and other folders, in Outlook Express.
To switch to reading email as plain text, with Outlook Express open go to the menu item "Tools" > "Options" > "Read," and place a check mark in the option "Read all messages in plain text."
I hope this clears up my geek talk and helps you to protect your 'puter.
[This message was edited by Wiz Feinberg on 23 September 2006 at 11:35 AM.]
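The unregister step from the post above, written as a small batch file (an added example, not part of the original thread). It checks that the path really points at vgx.dll before calling regsvr32, so a path with missing backslashes is reported instead of silently failing; the file name and the messages are this example's own, and the path is the corrected one given in the post.

```batch
@echo off
rem Added example: unregister the VML library only if the path resolves.
setlocal
set "VGX=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

rem A path with missing backslashes is caught here, before regsvr32 runs.
if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%" - check the backslashes in the path.
    exit /b 1
)

rem /u unregisters the DLL; /s suppresses the RegSvr32 message box so the
rem outcome is returned as an exit code instead of a dialog.
regsvr32 /u /s "%VGX%"
if errorlevel 1 (
    echo regsvr32 reported a failure for "%VGX%".
    exit /b 1
)

echo vgx.dll unregistered.
endlocal
```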
|
|
|
Al Marcus
From: Cedar Springs,MI USA (deceased)
|
Posted 23 Sep 2006 10:56 am
|
|
Hi Wiz - That I can understand. Now you are talking to us computer novices. I appreciate it and will do as you suggest.
One question. I know how to click on the copy button to copy, but where do I click "Paste"? In other words, where do I put it after I copied it? Sorry for bothering you so much. You have helped me many times before. Thanks...al
|
|
|
|
Al Marcus
From: Cedar Springs,MI USA (deceased)
|
Posted 23 Sep 2006 11:19 am
|
|
Wiz-I dragged and dropped the Url that you have highlighted and got message "couldn't find it.". I checked and it is exactly in there as printed...??al
|
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 23 Sep 2006 11:33 am
|
|
Al;
With your left mouse button pressed start at the beginning of the left side of the command-line and drag it to the right, to the end of the commandline, to highlight it, then let go of the left mouse button. With the command-line highlighted right-click on it, and from the menu that flies out ("flyout menu") select "Copy" (with the left mouse button).
Here again is the commandline to highlight and copy:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
When you copy text in Windows it is placed into a virtual holding cell known as the Clipboard, from which it can then be copied again to be "pasted" into another document or input field. Only one command can be stored in the Clipboard at a time.
You want to paste the copied command-line into the Run input field, so open the Run box, right-click inside the input field, and from the flyout options choose "Paste" (with the left mouse button). The command-line should appear in the input field. Click on OK to process the command.
Let me know if this works for you, or if you need further clarification about copying and pasting.
[This message was edited by Wiz Feinberg on 23 September 2006 at 12:49 PM.]
|
|
|
|
Al Marcus
From: Cedar Springs,MI USA (deceased)
|
Posted 24 Sep 2006 7:22 am
|
|
Wiz - Me again. I dragged that down to the run space and it seemed to work.
Now a new problem... Last night when I closed down, it said updating, "don't shut down your computer". I have had that before and didn't trust it so hit the off button and it STILL wouldn't shut down, so I let it go until it shut down automatically. Now this morning my EMAIL Icon was changed and a screen showed up to fill out for Microsoft Office (which they have with the computer for a 60 day trial) and ask me for the Product Key. I don't have it as no CD it came with the computer. Now I can't access the Email.
Should I use the "add remove program" to uninstall the office program, it has a lot of MEGs in there? I don't want it and won't use it.
I mainly use my computer for Email, Web Access, and playing music... Help again and there is more but enough for now...al
|
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 24 Sep 2006 7:53 am
|
|
Quote: |
it said updating, "don't shut down your computer". I have had that before and didn't trust it so hit the off button... |
Some people never learn, do they?
Ok, here is what I think has occurred. You are using Microsoft Update Service (MUS) instead of the regular old Windows Update. MUS scans for and detects any office products you have installed and supplies critical patches and updates to them, whether they are activated or not. One of the products included with MS Office is Outlook, which is a business strength email client (preferred by the businesses I service). When MUS updated MS Outlook it made it your default email client. When you tried to get your email Outlook was called upon, instead of Outlook Express, which you were using before.
Your problem with activation is because the trial version of MS Office has expired and you haven't paid to activate it permanently. Unless you activate Outlook it will not open for use.
Here is what you can do, based on what you said about not wanting to keep Office. Go to Control Panel and uninstall MS Office, rebooting if required. Then, look for the icon for Outlook Express in the Quick Launch area of your taskbar (right-click on taskbar, choose Toolbars > Quick Launch). If it is not there, or on your desktop, go to Start > Programs (or "All Programs") and scroll down until you see Outlook Express. Move your pointer over it to highlight the shortcut, then right-click and select Copy. Click away from the menus to make the programs list go away. Right-click in your Quick Launch area and choose Paste, to place a copy of Outlook Express's shortcut there, or just Paste it onto your Windows Desktop, if you prefer to have it there, or paste it to both places.
Once Outlook is uninstalled and you try to open Outlook Express, it may complain about not being your default email client, asking if you want to make it so. Make it so!
IHTH
Wiz |
|
|
|
erik
|
Posted 24 Sep 2006 8:46 am
|
|
I don't even load an email client. I use web mail exclusively.
------------------
-johnson
|
|
|
|
Al Marcus
From: Cedar Springs,MI USA (deceased)
|
Posted 24 Sep 2006 8:47 am
|
|
Hi Wiz - I fixed the Email by sending Outlook from the program menu to the desktop to click on and put the MS Office shortcut in the trash. This way I didn't have to remove Office.
Can I remove it without it affecting any other programs? I hear where this can happen, at least MS tells me.
Lots of times I want to REMOVE a program and it tells me drastic things will happen to other programs, what sneaky software companies these guys are.!
It sure is good that we have this Forum and help on computer stuff. What would we do without it. Thanks to b0b and Wiz. eh?..al
[This message was edited by Al Marcus on 24 September 2006 at 09:22 PM.] |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 24 Sep 2006 9:31 am
|
|
Al;
As a matter of fact you do gain some protection from leaving certain components of MS Office installed, even if you never use them. The main one I can think of is the patched Gdiplus.dll, which originally contained a vulnerability that was exploited by malformed WMF images on hostile websites, or IMs, or in hostile banners. In order to protect yourself you would need to have an MS Office product installed and detected by the MS Office Update website or MUS. Computers without MS Office programs would have to manually have the patch located and downloaded/installed.
I'm glad you were able to regain access to Outlook Express.
|
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 3 Oct 2006 4:34 am
|
|
Hey Wiz I did this as you suggested but now I cannot receive an email with photos in the .jpg format. I get a banner saying "OE deleted these........" Is this a coincidence or have I done something unknowingly?
Any help with restoring my photo receipt ability would be greatly appreciated!
Thanks! |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 3 Oct 2006 7:57 am
|
|
J.W.
Your Outlook Express security has been reset to the default paranoid level, which blocks downloading of attachments. Go to Tools > Options > Security - and UNcheck "Do not allow attachments to be saved or opened that could potentially be a virus." Also, be sure that the security zone radio selection is set to the "Restricted Sites Zone." Click APPLY, then OK to close the options.
|
|
|
|