Microsoft releases out-of-cycle patch for Internet Explorer VML flaw

Microsoft this afternoon released a rare out-of-cycle patch designed to fix a much publicized zero-day Internet Explorer vulnerability caused by an error in the processing of vector markup language (VML).

MS06-055 addresses the critical flaw, which has been responsible for attacks on about 1,800 servers within 45 large networks, said Ken Dunham, director of the Rapid Response Team at VeriSign iDefense. More than 3,000 unique attacks occurred in the first four days of the flaw, which first appeared last week.

"The official patch is out," Dunham, whose firm worked with Microsoft on the fix, told SCMagazine.com today. "In my mind, I felt it was imminent. I felt attacks would increase through this week and automated attacks likely would increase as this thing gets popularized on the underground."

The vulnerability can lead to remote code execution that can install a wide array of financially motivated malware on a user's system, including keylogger trojans and spyware, just by visiting an infected website. The flaw also has been responsible for Visa phishing and Yahoo e-card attacks, Dunham said. At the vulnerability's peak last Thursday and Friday, up to three million websites contained iFrame links that redirected users to the five or six sites that actually hosted the exploit.

"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," reads part of the MS06-055 advisory, released this afternoon. "An attacker could then install programs; view, change or delete data or create new accounts with full user rights. We recommend that customers apply the update immediately."

Microsoft had planned to address the problem on Oct. 10, the date of its next scheduled security bulletin release, but the Redmond, Wash. software giant was "aware of the existence of a public attack utilizing the vulnerability," a company spokesman said in an e-mail to SCMagazine.com

"Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers," the spokesman said. "Microsoft's monitoring of attack data continues to indicate that the attacks and customer impact is limited, however Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

MS-0655 - the first out-of-cycle patch since a Windows metafile (WMF) flaw plagued users late last year - comes four days after the Zeroday Emergency Response Team (ZERT) released its third-party fix. Dunham said many organizations will continue to deploy the ZERT patch until they finish testing the Microsoft update.

"This will help to mitigate a lot of the attacks," Dunham said of the Microsoft fix. "But this will be a long-term, persistent issue like WMF. If you're a script kiddie, you'll use it. If you're more sophisticated, you'll throw it into your bag of tricks. It will be the low-hanging fruit picked by a lot of the hackers on the internet, so you better patch."

Click here to email Dan Kaplan.

Sign up to our newsletters