Microsoft News Tracker

What's more interesting than observing Microsoft?

September 26, 2006

Microsoft releases early patch for VML exploit

Posted by David Hunter at 6:50 PM ET.

Microsoft decided not to wait for October’s Patch Tuesday to release a fix for the particularly nasty VML exploit for Internet Explorer that I mentioned on Sunday. Robert McMillan at PCWorld:

With attackers finding new ways to exploit a critical flaw in Internet Explorer, Microsoft today released a patch for the problem, ahead of its next scheduled round of security updates.

The patch fixes a critical vulnerability in the way Internet Explorer renders VML (Vector Markup Language) graphics. Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days malicious activity had been on the upswing. Microsoft Security Bulletin MS06-055 discusses the problem and the patch. The out-of-cycle release is unusual, but not unprecedented.

The Microsoft patch is available on Windows Update as I write. Also, if you’re more curious, SecuriTeam Blogs has a FAQ with all you’ll ever need to know about the background of the VML exploit.

Update: Ryan Naraine’s “Microsoft’s Out-of-Band IE Patch: A Little Too Late?” has this disconcerting news:

“This reminds me so much of the WMF attacks earlier this year,” said Roger Thompson, chief technology officer at Exploit Prevention Labs, in Atlanta. “It came out of left field, ran undetected for a week or three, and by the time the official, emergency patch came out, the damage was done.”

“In eight days, the bad guys replenished their botnets, made their money and moved on to the next zero-day. Now the industry is struggling to clean up and chase the copycats,” Thompson said.

Filed under Internet Explorer, Microsoft, Office, Patch Tuesday, Security

One Response to “Microsoft releases early patch for VML exploit”

  1. Another bad week for Microsoft’s patching efforts -- Microsoft News Tracker Says:

    [...] First Microsoft had to rush out a patch for a zero-day exploit that couldn’t wait until October’s monthly “patch Tuesday.” Then came word that the pesky author of FairUse4WM had once again bypassed Microsoft’s Digital Rights Management. That would be more than bad enough for most weeks, but it turns out that it was just the beginning: [...]
