Microsoft has gone outside its normal patch cycle to fix an
Internet Explorer (IE) flaw that attackers have targeted with
growing frequency in recent days.
The software giant released on 26 September a patch addressing
the Vector Markup Language (VML) flaw, which digital miscreants
have targeted via malicious Web sites, including several
pornographic sites based in Russia. The attacks prompted several
security organisations, including the SANS Internet Storm Center
(ISC), to raise their alert status late last week.
The patch is a rare early release from Microsoft, which normally
saves all security updates for the second Tuesday of each month.
The last out-of-cycle fix was for the WMF glitch in January.
The ISC noted the patch's release Tuesday with this message on
its Web site, recommending that the patch be applied "immediately
(after testing) unless a suitable mitigation strategy is in place."
ISC noted that the new patch was available on Windows Update,
but only for machines running Windows XP. As of mid-afternoon
Tuesday, the patch was not yet live on the Microsoft Web site. For
XP users, the fix will show up in Windows Update as Security Update
for Windows XP (KB925486). There is no indication when a fix for
Windows 2000 machines might be ready.
The flaw, which exists in all versions of IE from 5.0 onward and
some versions of Outlook, lies in how the software handles
malformed VML tags. An attacker who is able to send a specific kind
of malicious tag can cause a buffer overflow and run arbitrary code
on the targeted machine.
Information on the vulnerability, which is considered critical,
had been available publicly for more than a week. Microsoft
officials confirmed the problem late last week and suggested the
following workarounds:
- Unregister Vgx.dll on Windows XP Service Pack 1, Windows XP
Service Pack 2, Windows Server 2003 and Windows Server 2003 Service
Pack 1;
- Modify the access control list on Vgx.dll to be more
restrictive;
- Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable binary and script behaviors in the Internet and
local intranet security zones; and
- Read email messages in plain text format to help protect
systems from the HTML email attack vector.
Meanwhile, the Zero-Day Emergency Response Team (ZERT) and
Patchlink released their own emergency patches.