
Microsoft releases out-of-cycle patch for VML flaw

It had said initially that no patch would be released until next month
 


September 26, 2006 (Computerworld) -- Microsoft Corp. today issued an out-of-cycle patch to address the Vector Markup Language (VML) vulnerability in its Internet Explorer Web browser.

The company had earlier said it would release a patch only as part of its monthly security updates for October. Those are not due out until Oct. 10.

A brief note posted on the Microsoft Security Response Center blog said that the patch is already available through Windows Update, Microsoft Update and Autoupdate.

"We're in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST and MBSA 2.0 to the Microsoft download center and normal locations, and those should be up shortly," the blog noted.

Companies that have already disabled the VML function as a mitigation measure will first need to reverse that work-around before applying the patch, according to Microsoft's bulletin.

Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days, malicious activity had been on the upswing (see "VML threat remains, security firms warn").

The out-of-cycle release is unusual, but not unprecedented. Microsoft generally issues its security updates on the second Tuesday of every month, giving systems administrators a predictable way to set aside time to test the new software. Occasionally, the company will release patches ahead of time if a flaw is being widely exploited by attackers.

In January, the software maker patched a critical flaw in the Microsoft Windows Metafile (WMF) image-rendering engine after it became a widespread problem.

Microsoft's decision seems to be a response to growing public concerns about the potential threats posed by the unpatched vulnerability, said Johannes Ullrich, chief technology officer at the Bethesda, Md.-based SANS Internet Storm Center.

"As with WMF, this was becoming a big public relations problem for Microsoft. A lot of people were questioning why the company was waiting so long to issue a fix for it," Ullrich said.

With attack code that works on the latest version of Windows XP now publicly available, the VML bug is shaping up as a very serious concern for administrators, said Ken Dunham, the director of VeriSign Inc.'s iDefense Rapid Response Team. VML attacks have now "dwarfed the WMF activity in the same period of time compared to last year," he said.

By today, more than 3,000 Web sites were already infecting users with malware that exploited the VML bug, according to Dunham. One week into the WMF outbreak last January, iDefense saw about 600 sites exploiting the problem.

Security experts also warned that there are many variants of the VML malware, some of which may be missed by security software. Researchers at iDefense are now looking at a dozen possible variations of the VML exploit code and have confirmed the existence of seven, Dunham said. "With WMF, there wasn't nearly as much modification. We see a lot of different permutations and obfuscation techniques being utilized with VML attacks."
