
Microsoft Issues VML Patch for IE

By Pedro Hernandez
September 27, 2006


Microsoft isn't waiting until the next Patch Tuesday to issue a patch for a "critical" flaw affecting Internet Explorer that leaves the browser open to Web-based attacks.

Yesterday, the software giant released an out-of-cycle patch for a Vector Markup Language (VML) buffer overrun vulnerability (MS06-055) found in Internet Explorer 5 and 6. As a result, Windows XP SP1/SP2, XP x64, and Server 2003 SP1/Itanium/x64 are affected.

VML is an XML-based supplement to the browser's HTML rendering engine that allows it to display vector graphics intended for Web delivery, according to a FAQ issued by the company.

Infection can occur if a user visits a site that hosts the malicious exploit or views an HTML e-mail that contains the code. If the victim is a user with administrative privileges, an exploit can effectively hand over complete control of the system to a remote attacker.

Unsurprisingly, malware coders were quick to jump on this flaw, leading to a dreaded zero-day situation.

Shortly after details about the vulnerability were made public, exploits were detected on porn sites and in spam mailings. The danger in the latter scenario is that it is common for users of e-mail clients that use IE's rendering engine to keep a preview pane open, increasing the chances of infection once a tainted e-mail lands in the inbox.

Before the fix, Microsoft suggested that users turn off JavaScript functionality or set IE's security level to high. Now the company is urging users to patch their systems as soon as possible.

Scott Deacon, Microsoft Security Response Center program manager, wrote in the group's blog that the company's decision to go with an "out of band release" came down to risk.

"With this particular vulnerability, the biggest concern we had was around risk. This one affected many different platforms in many scenarios that are considered by customers to be common usage. While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks."

The VML patch is currently circulating via automatic updates and is also available for download. Patch Tuesday comes around next on October 10th.
