Microsoft Issues Out-of-Cycle Patch for VML Flaw
Published: September 27, 2006
by Alex Woodie
Microsoft yesterday issued an updated security patch for the critical Vector Markup Language (VML) flaw in Internet Explorer. The action marked an unexpected shift for Microsoft, which had indicated previously it was going to wait until its regularly scheduled Patch Tuesday event on October 10 to issue the patch. However, the recent rise in infected Web sites, coupled with the delivery of a third-party fix, apparently hastened Microsoft's decision.
The new patch was issued yesterday afternoon as part of Microsoft Security Bulletin MS06-055. Microsoft says all users of Windows XP and Windows Server 2003 operating systems should apply the patch immediately. Windows 2000 users will soon have a re-released VML patch, MS06-49, to apply, according to the Microsoft Security Response Center Blog. Users who had disabled the VML function in Windows to protect themselves against VML attacks will need to re-enable VML before applying the patch, according to Microsoft.
VML is a dialect of XML that is used by Internet Explorer and Microsoft Outlook to display high-end vector graphics. A buffer overflow vulnerability in the Windows VML rendering engine, described as CVE-2006-4868 by the Common Vulnerabilities and Exposures organization, could enable an attacker to run arbitrary code on a computer if a user visits a malformed Web page or views a malformed e-mail.
The first reports of VML attacks came in about a week ago. Since then, exploit code has been posted to the Internet, enabling any ne'er-do-well to craft his own variant of the VML attack to spread a smorgasbord of viruses, spyware, keyloggers, and other malware.
The security risk posed by the VML flaw has risen in recent days, according to the folks at the SANS Internet Storm Center. "The risk of getting hit is increasing significantly," the organization said on Monday. "This exploit is one that's going to stay with us, so you do need protection."
By some accounts, more than 3,000 Web sites have been infected with VML attack code, including more than 500 domains at a single host. Spam messages have started to appear on the Internet that lead unsuspecting readers to malicious Web sites. One Florida hosting company was reportedly hacked over a month ago via an unrelated vulnerability, but instead of taking advantage of the situation, the hackers waited for an easy-to-exploit flaw, and were rewarded with VML.
Just the same, Microsoft poured cold water on the situation. "Attacks remain limited," Microsoft security researcher Scott Deacon said on the security blog last Friday. "There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data." Meanwhile, Microsoft continued to develop and test the VML patch. "Right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release" out-of-cycle, he said.
It appears that Microsoft's hand was forced when a group of security researchers issued a third-party patch to fix the VML flaw. The group, which calls itself the Zeroday Emergency Response Team (ZERT), reverse-engineered exploit code and came up with its own patch, which was posted on the Internet Friday. Four days later--yesterday--Microsoft released its patch.
The whole episode is reminiscent of last winter's Windows Metafile (WMF) flaw. In that episode, attackers posted attack code in late December that exploited the newly discovered WMF flaw, and soon attacks were escalating across the Internet. With weeks to go before its regularly scheduled patch release, Microsoft asked its customers to sit tight while it finished testing its WMF patch.
However, the SANS Internet Storm Center nudged Microsoft into releasing its patch early when it took the unusual step of endorsing a third-party patch developed by Ilfak Guilfanov, a Russian programmer living in Europe. After that, Microsoft decided to issue the WMF patch out-of-cycle, an occurrence that hadn't been repeated until this week.