Microsoft Releases Out-of-Cycle Patch for VML Flaw

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," reads the Microsoft Security Bulletin posted today about the flaw. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

According to Microsoft, today's patch fixes the problem, but the company also offers a number of "workaround" suggestions, including certain IE configurations and adjusting ISA Server to block VMA traffic.

Microsoft recommends that the patch be applied immediately.

Symantec reported earlier this month that the flaw is "zero-day," in that code exploiting the flaw in IE is live and circulating the Web. Details can be found here.

Microsoft credited IIS X-Force, iDEFENSE and Dan Hubbard at the Websense Security Labs for working help in discovering the flaw.

The company normally waits until its regularly scheduled patch release day -- the second Tuesday of every month, aka "Patch Tuesday" -- to release any updates, although exceptions occur when flaws are thought to be particularly dangerous or vulnerable to malicious code.

"While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks," the company said of the early release on its Microsoft Security Response Center blog.

For more information on today's update, go here.

About the Author

Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital strategy. She also serves as executive editor of the group's media Web sites, and you'll even find her byline on, the group's newest site for enterprise developers working with AI. She recently gave a talk at a leading technical publishers conference about how changes in Web technology may impact publishers' bottom lines. Follow her on twitter @beckynagel.


  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

  • How To Block Self-Service Purchasing in Microsoft's Power Platform

    Microsoft threw Office 365 admins a bone when it gave them the ability to block users from purchasing Power Platform tools without IT approval. Here's how to prevent total anarchy.

  • Azure DevOps Services Losing Support for Alternate Credentials

    Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

  • Microsoft Endpoint Configuration Manager Update 1910 Released

    Microsoft announced last week that it is starting to deliver Update 1910 for Microsoft Endpoint Configuration Manager users.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.