Microsoft has gone outside its normal patch cycle to fix an Internet Explorer (IE) flaw that attackers have targeted with growing frequency in recent days.
The software giant released a patch on 26 September addressing the Vector Markup Language (VML) flaw, which digital miscreants have targeted via malicious Web sites, including several pornographic sites based in Russia. The attacks prompted several security organisations, including the SANS Internet Storm Center (ISC), to raise their alert status late last week.
The patch is a rare early release from Microsoft, which normally saves all security updates for the second Tuesday of each month. The last out-of-cycle fix was for the WMF glitch in January.
The ISC noted the patch's release Tuesday with a message on its Web site, recommending that the patch be applied "immediately (after testing) unless a suitable mitigation strategy is in place."
ISC noted that the new patch was available on Windows Update, but only for machines running Windows XP. As of mid-afternoon Tuesday, the patch was not yet live on the Microsoft Web site. For XP users, the fix will show up in Windows Update as Security Update for Windows XP (KB925486). There is no indication when a fix for Windows 2000 machines might be ready.
The flaw, which exists in all versions of IE from 5.0 onward and some versions of Outlook, lies in how the software handles malformed VML tags. An attacker who is able to send a specific kind of malicious tag can cause a buffer overflow and run arbitrary code on the targeted machine.
Information on the vulnerability, which is considered critical, had been available publicly for more than a week. Microsoft officials confirmed the problem late last week and suggested the following workarounds:
- Unregister Vgx.dll on Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1;
- Modify the access control list on Vgx.dll to be more restrictive;
- Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable binary and script behaviors in the Internet and local intranet security zone; and
- Read email messages in plain text format to help protect systems from the HTML email attack vector.
Meanwhile, the Zero-Day Emergency Response Team (ZERT) and PatchLink released their own emergency patches.