
Microsoft Posts VML Patch Two Weeks Early

Microsoft issued a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week. It's only the second time this year that the company has broken from its regular security update schedule.

Microsoft on Tuesday broke with its regular security update schedule for only the second time this year to issue a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week.

MS06-055 provides a fix for the flaw in IE 5.01 and IE 6.0, Microsoft said in the accompanying bulletin, and should be applied immediately. The Redmond, Wash., developer pegged the bug as "Critical," its most dire warning, for editions of IE running on Windows 2000, Windows XP, and Windows Server 2003 machines. Windows Server 2003 SP1 is at slightly less risk.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," the bulletin read. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The vulnerability exists in IE's rendering of Vector Markup Language (VML) code, an extension of XML that defines Web images in vector graphics format. First reported last Tuesday by Sunbelt Software, the vulnerability was quickly leveraged by attackers to plant large quantities of adware, spyware, and other malware on attacked PCs. Within days, a working exploit had been added to WebAttacker, a Russian-created "kit" sold to hackers.

Although Microsoft indicated last week that it might issue a patch before Oct. 10, it gave no warning Tuesday that it would release a fix. MS06-055 is only the second 2006 update to debut outside the normal second-Tuesday-of-the-month schedule; the first was a fix issued Jan. 5 to quash a widely exploited bug in the Windows Metafile image format.

One possible fly in the update ointment: Microsoft warned that users who had earlier applied a Microsoft-sanctioned workaround -- one of the few sanctioned defensive measures available while the company worked on a fix -- might not be able to install the Tuesday patch.

"If the workaround 'Modify the Access Control List on Vgx.dll to be more restrictive' has been applied, the security updates provided with this security bulletin may not install correctly," Microsoft said. It told users they should first reverse the workaround by re-registering the Vgx.dll.

In a side note on its blog, the Microsoft Security Response Team also said that the MS06-049 update originally issued Aug. 8 would be re-released Tuesday.
