With attackers finding new ways to exploit a critical flaw in Internet Explorer, Microsoft today released a patch for the problem, ahead of its next scheduled round of security updates.
The patch fixes a critical vulnerability in the way Internet Explorer renders VML (Vector Markup Language) graphics. Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days malicious activity had been on the upswing. Microsoft Security Bulletin MS06-055 discusses the problem and the patch. The out-of-cycle release is unusual, but not unprecedented.
The Microsoft patch is available on Windows Update as I write. Also, if you’re more curious, SecuriTeam Blogs has a FAQ with all you’ll ever need to know about the background of the VML exploit.
Update: Ryan Naraine’s article, Microsoft’s Out-of-Band IE Patch: A Little Too Late?, has this disconcerting news:
“This reminds me so much of the WMF attacks earlier this year,” said Roger Thompson, chief technology officer at Exploit Prevention Labs, in Atlanta. “It came out of left field, ran undetected for a week or three, and by the time the official, emergency patch came out, the damage was done.”
“In eight days, the bad guys replenished their botnets, made their money and moved on to the next zero-day. Now the industry is struggling to clean up and chase the copycats,” Thompson said.