Microsoft Releases Out-of-Cycle Patch for VML Flaw

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," reads the Microsoft Security Bulletin posted today about the flaw. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

According to Microsoft, today's patch fixes the problem, but the company also offers a number of "workaround" suggestions, including certain IE configurations and adjusting ISA Server to block VMA traffic.

Microsoft recommends that the patch be applied immediately.

Symantec reported earlier this month that the flaw is "zero-day," in that code exploiting the flaw in IE is live and circulating the Web. Details can be found here.

Microsoft credited IIS X-Force, iDEFENSE and Dan Hubbard at the Websense Security Labs for working help in discovering the flaw.

The company normally waits until its regularly scheduled patch release day -- the second Tuesday of every month, aka "Patch Tuesday" -- to release any updates, although exceptions occur when flaws are thought to be particularly dangerous or vulnerable to malicious code.

"While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks," the company said of the early release on its Microsoft Security Response Center blog.

For more information on today's update, go here.

About the Author

Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital strategy. She also serves as executive editor of the group's media Web sites, and you'll even find her byline on, the group's newest site for enterprise developers working with AI. She recently gave a talk at a leading technical publishers conference about how changes in Web technology may impact publishers' bottom lines. Follow her on twitter @beckynagel.


  • Gears

    Top 10 Microsoft Tips and Analyses of 2018

    Here are the year's most popular explainers and how-to columns -- along with some plain, old "Why did Microsoft do that?" musings thrown in.

  • Sign

    2018 Microsoft Predictions Revisited

    From guessing the fate of Windows 10 S to predicting Microsoft's next big move with Linux, Brien's predictions from a year ago were on the mark more than they weren't.

  • Microsoft Recaps Delivery Optimization Bandwidth Controls for Organizations

    Microsoft expects organizations using its Delivery Optimization peer-to-peer update scheme will optimally see 60 percent to 70 percent improvements in terms of network bandwidth use.

  • Getting a Handle on Hyper-V Virtual NICs

    Hyper-V usually makes it easy to configure virtual network adapters within VMs. That is, until you need to create a VM containing multiple virtual NICs.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.