Microsoft Posts VML Patch Two Weeks Early

Microsoft issued a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week. It's only the second time this year that the company has broken from its regular security update schedule.

Microsoft on Tuesday broke with its regular security update schedule for only the second time this year to issue a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week.

MS06-055 provides a fix for the flaw in IE 5.01 and IE 6.0, Microsoft said in the accompanying bulletin, and should be applied immediately. The Redmond, Wash. developer pegged the bug as "Critical," its most dire warning, for editions of IE running on Windows 2000, Windows XP, and Windows Server 2003 machines. Windows Server 2003 SP1 is at slightly less risk.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," the bulletin read. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The vulnerability exists in IE's rendering of Vector Markup Language (VML) code, an extension of XML that defines Web images in vector graphics format. First reported last Tuesday by Sunbelt Software, the vulnerability was quickly leveraged by attackers to plant large quantities of adware, spyware, and other malware on attacked PCs. Within days, a working exploit had been added to WebAttacker, a Russian-created "kit" sold to hackers.

Although Microsoft indicated last week that it might issue a patch before Oct. 10, it gave no warning Tuesday that it would release a fix. MS06-055 is only the second 2006 update to debut outside the normal second-Tuesday-of-the-month schedule; the first was a fix issued Jan. 5 to quash a widely-exploited bug in the Windows Metafile image format.

One possible fly in the update ointment: Microsoft warned that users who had earlier applied a Microsoft-sanctioned workaround -- one of the few sanctioned defensive measures available while the company worked on a fix -- might not be able to install the Tuesday patch.

"If the workaround 'Modify the Access Control List on Vgx.dll to be more restrictive' has been applied, the security updates provided with this security bulletin may not install correctly," Microsoft said. It told users they should first reverse the workaround by re-registering the Vgx.dll.

In a side note on its blog, the Microsoft Security Response Team also said that the MS06-049 update originally issued Aug. 8 would be re-released Tuesday.
