News

Microsoft Releases Out-of-Cycle Patch for VML Flaw

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," reads the Microsoft Security Bulletin posted today about the flaw. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

According to Microsoft, today's patch fixes the problem, but the company also offers a number of "workaround" suggestions, including certain IE configurations and adjusting ISA Server to block VMA traffic.

Microsoft recommends that the patch be applied immediately.

Symantec reported earlier this month that the flaw is "zero-day," in that code exploiting the flaw in IE is live and circulating the Web. Details can be found here.

Microsoft credited IIS X-Force, iDEFENSE and Dan Hubbard at the Websense Security Labs for working help in discovering the flaw.

The company normally waits until its regularly scheduled patch release day -- the second Tuesday of every month, aka "Patch Tuesday" -- to release any updates, although exceptions occur when flaws are thought to be particularly dangerous or vulnerable to malicious code.

"While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks," the company said of the early release on its Microsoft Security Response Center blog.

For more information on today's update, go here.

About the Author

Becky Nagel is the executive editor of the 1105 Redmond Media Group's Web sites, including Redmondmag.com, RCPmag.com, RedDevNews.com and VisualStudioMagazine.com, among others.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.