Microsoft patches IE flaw early

Dennis Fisher, Executive Editor
This article originally appeared on SearchSecurity.com.

Microsoft went outside its normal patch cycle Tuesday to fix an Internet Explorer (IE) flaw attackers have targeted with growing frequency in recent days.

The software giant released a patch addressing the Vector Markup Language (VML) flaw, which digital miscreants have targeted via malicious Web sites, including several pornographic sites based in Russia. The attacks prompted several security organizations, including the Bethesda, Md.-based SANS Internet Storm Center (ISC), to raise their alert status late last week.

The patch is a rare early release from Microsoft, which normally saves all security updates for the second Tuesday of each month. The last out-of-cycle fix was for the WMF glitch in January.

The ISC noted the patch's release Tuesday in a message on its Web site, recommending that the patch be applied "immediately (after testing) unless a suitable mitigation strategy is in place."

ISC noted that the new patch was available on Windows Update, but only for machines running Windows XP. As of mid-afternoon Tuesday, the patch was not yet live on the Microsoft Web site. For XP users, the fix will show up in Windows Update as Security Update for Windows XP (KB925486). There is no indication when a fix for Windows 2000 machines might be ready.

The flaw, which exists in all versions of IE from 5.0 onward and some versions of Outlook, lies in how the software handles malformed VML tags. An attacker who is able to send a specific kind of malicious tag can cause a buffer overflow and run arbitrary code on the targeted machine.

Information on the vulnerability, which is considered critical, had been available publicly for more than a week. Microsoft officials confirmed the problem late last week and suggested the following workarounds:

  • Unregister Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1;
  • Modify the access control list on Vgx.dll to be more restrictive;
  • Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable binary and script behaviors in the Internet and local intranet security zone; and
  • Read email messages in plain text format to help protect systems from the HTML email attack vector.
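The first three workarounds above, as an added PowerShell example (not code from the article or from Microsoft's advisory) that applies them and audits whether they are in place; the vgx.dll path and the zone registry locations are assumptions based on the default installation layout, and the script must run from an administrative prompt:

```powershell
# Assumed default location of the VML renderer (not quoted in the article).
$vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Workaround 1: unregister vgx.dll so IE and Outlook no longer load the COM server.
function Unregister-Vgx {
    if (Test-Path $vgx) { & regsvr32.exe /u /s $vgx }
}

# Workaround 2: tighten the ACL by adding a Deny-all entry for Everyone.
function Set-VgxDenyAcl {
    $acl  = Get-Acl $vgx
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $vgx -AclObject $acl
}

# Workaround 3: disable "Binary and script behaviors" (URL action 2000, 3 = disable)
# in the Local intranet (zone 1) and Internet (zone 3) security zones.
function Disable-BinaryBehaviors {
    foreach ($zone in 1, 3) {
        Set-ItemProperty -Path "$zoneRoot\$zone" -Name '2000' -Value 3 -Type DWord
    }
}

# Audit: report the state of each mitigation so an admin can check a machine
# before deciding whether the patch still needs to be pushed.
function Test-VmlMitigations {
    $present = Test-Path $vgx
    $denied  = $false
    if ($present) {
        $denied = [bool]((Get-Acl $vgx).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone' })
    }
    $disabled = $true
    foreach ($zone in 1, 3) {
        $v = (Get-ItemProperty "$zoneRoot\$zone" -ErrorAction SilentlyContinue).'2000'
        if ($v -ne 3) { $disabled = $false }
    }
    New-Object PSObject -Property @{
        VgxPresent        = $present
        EveryoneDenied    = $denied
        BehaviorsDisabled = $disabled
    }
}

Unregister-Vgx; Set-VgxDenyAcl; Disable-BinaryBehaviors
Test-VmlMitigations
```

The fourth workaround (reading mail as plain text) is a per-client Outlook option and is left to the mail client's own settings.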

Meanwhile, the Zero-Day Emergency Response Team (ZERT) and Scottsdale, Ariz.-based Patchlink Corp. released their own emergency patches.