Microsoft patches IE flaw early

By Dennis Fisher, Executive Editor, and Bill Brenner, Senior News Writer
26 Sep 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft went outside its normal patch cycle Tuesday to fix an Internet Explorer (IE) flaw attackers have targeted with growing frequency in recent days.

The software giant released a patch addressing the Vector Markup Language (VML) flaw, which attackers have been exploiting through malicious Web sites, including several pornographic sites based in Russia. The attacks prompted several security organizations, including the Bethesda, Md.-based SANS Internet Storm Center (ISC), to raise their alert status late last week.

"Microsoft originally planned to release the update on Tuesday, Oct. 10, 2006 as part of its regular monthly release of security bulletins," a Microsoft spokesman said via email. "However, Microsoft is aware of the existence of a public attack utilizing the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers."

Details of the flaw and patching instructions are outlined in MS06-055.

The patch is a rare early release from Microsoft, which normally holds all security updates for the second Tuesday of each month. The last out-of-cycle fix was for the WMF vulnerability in January.

The ISC noted the patch's release Tuesday on its Web site, recommending that the patch be applied "immediately (after testing) unless a suitable mitigation strategy is in place."

ISC noted that the new patch was available on Windows Update, but only for machines running Windows XP. As of mid-afternoon Tuesday, the patch was not yet live on the Microsoft Web site. For XP users, the fix will show up in Windows Update as Security Update for Windows XP (KB925486). There is no indication when a fix for Windows 2000 machines might be ready.

The flaw, which affects all versions of IE from 5.0 onward and some versions of Outlook, lies in how Vgx.dll, the component that renders VML, handles malformed VML tags. An attacker who can get a specially crafted tag rendered, on a Web page or in an HTML email message, can trigger a buffer overflow and run arbitrary code on the targeted machine.

Information on the vulnerability, which is considered critical, had been available publicly for more than a week. Microsoft officials confirmed the problem late last week and suggested the following workarounds:

  • Unregister Vgx.dll on Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1;
  • Modify the access control list on Vgx.dll to be more restrictive;
  • Configure Internet Explorer 6 on Windows XP Service Pack 2 to disable binary and script behaviors in the Internet and Local intranet security zones; and
  • Read email messages in plain text format to help protect against the HTML email attack vector.
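
The four workarounds above are the kind of thing an administrator wants scripted rather than clicked through on each machine, and they have to be reversed once the update is installed, since an unregistered or locked-down Vgx.dll leaves VML content broken after patching. The script below is an added example, not from the article or from Microsoft's advisory; it assumes the default Vgx.dll location, Outlook 2003 (registry hive 11.0), an administrator session, and that IE reads per-user zone settings (the default unless Security_HKLM_only is set):

```powershell
# Added example (not from the article or from Microsoft): applies the four
# MS06-055 workarounds on a Windows XP SP2 / Server 2003 machine, and with -Undo
# reverses them once the update (KB925486 on XP) is installed. Run as an
# administrator. Assumed, not stated in the article: the default Vgx.dll path,
# Outlook 2003 (hive 11.0), and per-user IE zone settings (the default unless
# Security_HKLM_only is set).
param(
    [switch]$Undo   # re-enable VML after the patch is in
)

$vgx = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

# URL action 2000 = "Binary and script behaviors": 0 = Enable, 3 = Disable.
# Zone 1 = Local intranet, zone 3 = Internet.
$zoneBase    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$outlookMail = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Options\Mail'

# Add (or remove) a deny ACE for Everyone on Vgx.dll. Denying only ReadData and
# ExecuteFile stops the DLL from being loaded while leaving READ_CONTROL alone,
# so the ACL can still be read back and edited to undo the change.
function Set-VgxDeny {
    param([bool]$Enabled)
    $acl  = Get-Acl -Path $vgx
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadData, ExecuteFile', 'Deny')
    if ($Enabled) { $acl.AddAccessRule($rule) }
    else          { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $vgx -AclObject $acl
}

# Set "Binary and script behaviors" in the Internet and Local intranet zones.
function Set-BinaryBehaviors {
    param([int]$Value)
    foreach ($zone in 1, 3) {
        Set-ItemProperty -Path "$zoneBase\$zone" -Name '2000' -Value $Value -Type DWord
    }
}

# Outlook 2003: 1 = read all mail as plain text, 0 = render HTML again.
function Set-ReadAsPlain {
    param([int]$Value)
    if (Test-Path $outlookMail) {
        Set-ItemProperty -Path $outlookMail -Name 'ReadAsPlain' -Value $Value -Type DWord
    }
}

if (-not $Undo) {
    # 1. Unregister the VML renderer so IE and Outlook stop loading it.
    & regsvr32.exe /u /s "$vgx"
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 /u exited with $LASTEXITCODE" }
    # 2. Lock the file down so it cannot be loaded even if something re-registers it.
    Set-VgxDeny -Enabled $true
    # 3. Disable binary and script behaviors in the two zones untrusted content lands in.
    Set-BinaryBehaviors -Value 3
    # 4. Render mail as plain text to close the HTML email vector.
    Set-ReadAsPlain -Value 1
}
else {
    # Reverse order: the ACL must allow reads again before regsvr32 can re-register the DLL.
    Set-VgxDeny -Enabled $false
    & regsvr32.exe /s "$vgx"
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 exited with $LASTEXITCODE" }
    Set-BinaryBehaviors -Value 0   # 0 restores the zone default (Enable)
    Set-ReadAsPlain -Value 0
}
```

Run it once without arguments during the exposure window, then `-Undo` after the MS06-055 update is confirmed installed; if the unregister step is left in place, VML content simply stops rendering on a patched machine, which tends to surface as a help-desk ticket rather than a security event. The deny ACE is kept to `ReadData, ExecuteFile` deliberately: a blanket "no access" deny on Everyone also covers the administrator applying it, and only works afterwards because the file's owner keeps implicit rights to change the ACL.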

Meanwhile, the Zero-Day Emergency Response Team (ZERT) and Scottsdale, Ariz.-based Patchlink Corp. released their own third-party emergency patches.
