Microsoft Releases Out-of-Cycle Patch for VML Flaw

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," reads the Microsoft Security Bulletin posted today about the flaw. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

According to Microsoft, today's patch fixes the problem, but the company also offers a number of "workaround" suggestions, including certain IE configurations and adjusting ISA Server to block VMA traffic.

Microsoft recommends that the patch be applied immediately.

Symantec reported earlier this month that the flaw is "zero-day," in that code exploiting the flaw in IE is live and circulating the Web. Details can be found here.

Microsoft credited IIS X-Force, iDEFENSE and Dan Hubbard at the Websense Security Labs for working help in discovering the flaw.

The company normally waits until its regularly scheduled patch release day -- the second Tuesday of every month, aka "Patch Tuesday" -- to release any updates, although exceptions occur when flaws are thought to be particularly dangerous or vulnerable to malicious code.

"While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks," the company said of the early release on its Microsoft Security Response Center blog.

For more information on today's update, go here.

About the Author

Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital strategy. She also serves as executive editor of the group's media Web sites, and you'll even find her byline on, the group's newest site for enterprise developers working with AI. She recently gave a talk at a leading technical publishers conference about how changes in Web technology may impact publishers' bottom lines. Follow her on twitter @beckynagel.


  • How To Create a Windows Deployment Image, Part 1

    While there are various methods for creating custom Windows deployment images, the process has a reputation for being tedious and convoluted.

  • Azure Cost Management Now Commercially Available for Some Tenancies

    Microsoft on Monday announced that its Azure Cost Management feature had reached the "general availability" release stage for both Azure "pay-as-you-go" customers and Azure Government tenancies.

  • Microsoft Bringing Files Restore Capability to SharePoint Online and Teams

    Microsoft on Monday announced that it's delivering its Files Restore feature for SharePoint Online and Microsoft Teams to Office 365 tenancies as early as this month.

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.