[Infowarrior] - Microsoft rushes out 'critical' fix

Richard Forno rforno at infowarrior.org
Wed Sep 27 14:20:26 EDT 2006


Microsoft rushes out 'critical' fix

By Joris Evers
http://news.com.com/Microsoft+rushes+out+critical+fix/2100-1002_3-6119752.html

Story last modified Wed Sep 27 05:00:05 PDT 2006

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks
before its scheduled release date.

The company is breaking with its monthly patch cycle to fix a flaw that
cybercrooks have been using to attack Windows PCs via Internet Explorer.
Malicious software can be loaded, unbeknownst to the user, onto a vulnerable
Windows PC when the user clicks on a malicious link on a Web site or in an
e-mail message.

"This was an excellent move on the part of Microsoft, and we're pleased to
see them respond to the concerns of the security community," Alex
Eckelberry, president of anti-spyware toolmaker Sunbelt Software, said in an
e-mail interview. Sunbelt had been monitoring attacks that exploit the flaw,
which it said have been increasing.

The vulnerability, first reported last week, lies in a Windows component
called "vgx.dll." This component is meant to support Vector Markup Language
documents in the operating system. VML is used for high-quality vector
graphics on the Web and for viewing pages in the IE browser that is part of
Windows. Microsoft deems the flaw "critical," its highest severity rating.

"An attacker could exploit the vulnerability by constructing a specially
crafted Web page or HTML e-mail that could potentially allow remote code
execution if a user visited the Web page or viewed the message," Microsoft
said in security bulletin MS06-055. E-mail messages that use HTML, or
HyperText Markup Language, look like a Web page.

The vulnerability does not apply to IE 7, the upcoming version of IE that is
available right now in a pre-release form, Microsoft said.

Microsoft typically releases fixes each second Tuesday of the month, which
has become known as Patch Tuesday. The last time the software maker rushed
out a fix was in January, when another image-related flaw in IE was being
used to compromise Windows PCs through malicious Web sites.

Security experts had pushed Microsoft to rush out a fix for the VML flaw. A
group of security professionals even crafted an unofficial fix for the
problem, which was released on Friday.

"Exploitation has already eclipsed that of the last out-of-cycle patch,"
said Ken Dunham, director of the rapid response team at VeriSign's iDefense.
"It appears that there were several million domains that were redirecting to
malicious VML sites."

Microsoft's security update is being pushed out to Windows users via
Automatic Updates and will also be available on Windows Update.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
