Evolution of the September VML flaw
Just days after Patch Tuesday, Microsoft announced a new Internet Explorer flaw that could potentially allow attackers to crash or take control of a system. The high danger level of the flaw, which affects vector markup language, caused the company to release an out-of-cycle fix for the vulnerability this past week. While the release marked only the second time this year Microsoft has made a patch available outside of Patch Tuesday, it is hardly the first circumstance of a patch emergency involving Web applications such as Internet Explorer.
Early recommendations suggested that IT admins mitigate the flaw by only allowing trusted Web sites to run ActiveX controls until a formal patch was issued later. Microsoft originally planned to release a fix this upcoming Patch Tuesday (October 10th). However, attacks against the flaw continued to grow and Microsoft was forced to release the out-of-cycle patch earlier this week.
Prepare yourself for Web vulnerabilities
Since the beginning of 2006, IE and other Web applications have certainly received their share of time in the patching spotlight. In fact, the only other out-of-cycle patch release from Microsoft this year dealt with an exploit targeting Windows Metafile Format files that users accessed in Internet Explorer. So what about Web applications makes them so dangerous that they receive such special attention? Prepare for the next time a vulnerability arises in your Web applications by checking out this series of Web security tips and guides.
Web vulnerability defense
Tip 1: Web Browser Security Learning Guide
Tip 2: Security risks in IE 6
Tip 3: Understanding IPsec identity and authentication options
Tip 4: Adjusting security settings in Internet Explorer 6.0
Tip 5: Step-by-Step Guide: Securing Web servers
Tip 6: Running Web Applications in ISA Server
Tip 7: Upgrading and patching Firefox
