TechWeb

Microsoft Posts VML Patch Two Weeks Early

Sep 26, 2006 (01:09 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=193005866

Microsoft on Tuesday broke with its regular security update schedule for only the second time this year to issue a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week.

MS06-055 provides a fix for the flaw in IE 5.01 and IE 6.0, Microsoft said in the accompanying bulletin, and should be applied immediately. The Redmond, Wash. developer pegged the bug as "Critical," its most dire warning, for editions of IE running on Windows 2000, Windows XP, and Windows Server 2003 machines. Windows Server 2003 SP1 is at slightly less risk.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," the bulletin read. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The vulnerability exists in IE's rendering of Vector Markup Language (VML) code, an extension of XML that defines Web images in vector graphics format. First reported last Tuesday by Sunbelt Software, the vulnerability was quickly leveraged by attackers to plant large quantities of adware, spyware, and other malware on attacked PCs. Within days, a working exploit had been added to WebAttacker, a Russian-created "kit" sold to hackers.

Although Microsoft indicated last week that it might issue a patch before Oct. 10, it gave no warning Tuesday that it would release a fix. MS06-055 is only the second 2006 update to debut outside the normal second-Tuesday-of-the-month schedule; the first was a fix issued Jan. 5 to quash a widely-exploited bug in the Windows Metafile image format.

One possible fly in the update ointment: Microsoft warned that users who had earlier applied a Microsoft-sanctioned workaround -- one of the few sanctioned defensive measures available while the company worked on a fix -- might not be able to install the Tuesday patch.

"If the workaround 'Modify the Access Control List on Vgx.dll to be more restrictive' has been applied, the security updates provided with this security bulletin may not install correctly," Microsoft said. It told users they should first reverse the workaround by re-registering the Vgx.dll.
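For administrators who applied either interim workaround, the following batch script is an added example (not from the article or from Microsoft's bulletin) showing how to check for and undo them on a 2006-era Windows 2000/XP/2003 system before installing MS06-055. It assumes vgx.dll sits at its default location under %ProgramFiles%\Common Files\Microsoft Shared\VGX; adjust the VGX variable if your installation differs.

```batch
@echo off
REM Added example, not from the article or the MS06-055 bulletin: reverse the
REM pre-patch VML workarounds (restrictive ACL on vgx.dll, unregistered vgx.dll)
REM so the security update can replace the file and register it normally.
REM Assumption: default 32-bit location of vgx.dll.
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%"; adjust the VGX variable
    exit /b 1
)

echo === Current ACL on vgx.dll ===
cacls "%VGX%"

REM The ACL workaround added an explicit "Everyone:N" (no access) entry.
REM /E edits the existing ACL instead of replacing it; /R revokes the entries
REM for the named account, restoring the stock permissions.
cacls "%VGX%" | find /i "Everyone:N" >nul
if %errorlevel%==0 (
    echo Removing the Everyone:N entry added by the ACL workaround
    cacls "%VGX%" /E /R everyone
) else (
    echo No Everyone:N entry present; the ACL workaround was not applied
)

REM The other workaround unregistered vgx.dll. Re-register it silently (/s)
REM so IE's VML handling is back to its stock state before the update runs.
regsvr32 /s "%VGX%"
if %errorlevel%==0 (
    echo vgx.dll re-registered
) else (
    echo regsvr32 failed with exit code %errorlevel%
    exit /b 1
)

echo Workarounds reversed; install MS06-055 now.
endlocal
```

Run it from an elevated (administrator) command prompt; once the update is installed, the workarounds are no longer needed because the patched vgx.dll replaces the vulnerable one.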

In a side note on its blog, the Microsoft Security Response Team also said that the MS06-049 update originally issued Aug. 8 would be re-released Tuesday.