Microsoft releases out-of-cycle patch for VML flaw

It had said initially that no patch would be released until next month

Microsoft Corp. today issued an out-of-cycle patch to address the Vector Markup Language (VML) vulnerability in its Internet Explorer Web browser.

The company had earlier said it would release a patch only as part of its monthly security updates for October. Those are not due out until Oct. 10.

A brief note posted on the Microsoft Security Response Center blog noted that the patch is already available through Windows Update, Microsoft Update and Autoupdate.

"We're in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA 1.2.1, EST and MBSA 2.0 to the Microsoft download center and normal locations, and those should be up shortly," the blog noted.

Companies that have already disabled VML as a mitigation will first need to reverse that workaround before applying the patch, according to Microsoft's bulletin; otherwise the update lands on a system whose VML renderer is still turned off.
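Reversing the workaround before patching, as an added example that is not part of the article or of Microsoft's bulletin text: a cmd batch script for the Windows XP systems the story concerns. It assumes the mitigation applied was un-registering vgx.dll with regsvr32, the method Microsoft's advisory described for this flaw, that the DLL sits at its default location, and that the VML class identifier checked at the end (taken from public write-ups of the flaw) is the right one; it re-registers the DLL and then verifies the registration actually took, so the update is not deployed onto a host with the renderer still disabled.

```batch
@echo off
rem Added example by the editor; not from the article or from Microsoft's bulletin.
rem Assumes the workaround applied was un-registering vgx.dll with regsvr32 (the
rem advisory-era method) and that the DLL sits at its default path (assumption).
setlocal
set "VGX=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%" - nothing to re-register on this host
    exit /b 1
)

rem Re-register the VML renderer silently; regsvr32 exits 0 on success.
regsvr32 /s "%VGX%"
if errorlevel 1 (
    echo Re-registration failed - run this from an administrator command prompt
    exit /b 1
)

rem Confirm the VML rendering control's CLSID (assumed from public write-ups of
rem this flaw) resolves to an in-process server again, i.e. the workaround is
rem really undone rather than regsvr32 having silently done nothing.
reg query "HKCR\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32" >nul 2>&1
if errorlevel 1 (
    echo VML class still not registered - investigate before deploying the patch
    exit /b 1
)

echo VML re-registered; the Microsoft update can now be applied
endlocal
exit /b 0
```

Run it from an administrator prompt on each host that had the workaround applied; a non-zero exit code means the machine should be pulled out of the patch rollout until the cause is found. The mirror-image command, `regsvr32 -u` on the same path, is what applied the workaround in the first place.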

Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days, malicious activity had been on the upswing (see "VML threat remains, security firms warn").

The out-of-cycle release is unusual, but not unprecedented. Microsoft generally issues its security updates on the second Tuesday of every month, giving systems administrators a predictable way to set aside time to test the new software. Occasionally, the company will release patches ahead of time if a flaw is being widely exploited by attackers.

In January, the software maker patched a critical flaw in the Microsoft Windows Metafile (WMF) image-rendering engine after it became a widespread problem.

Microsoft's decision seems to be a response to growing public concerns about the potential threats posed by the unpatched vulnerability, said Johannes Ullrich, chief technology officer at the Bethesda, Md.-based SANS Internet Storm Center.

"As with WMF, this was becoming a big public relations problem for Microsoft. A lot of people were questioning why the company was waiting so long to issue a fix for it," Ullrich said.

With attack code that works on the latest version of Windows XP now publicly available, the VML bug is shaping up as a very serious concern for administrators, said Ken Dunham, the director of VeriSign Inc.'s iDefense Rapid Response Team. VML attacks have now "dwarfed the WMF activity in the same period of time compared to last year," he said.

By today, more than 3,000 Web sites were already infecting users with malware that exploited the VML bug, according to Dunham. One week into the WMF outbreak last January, iDefense saw about 600 sites exploiting the problem.

Security experts also warned that there are many variants of the VML malware, some of which may be missed by security software. Researchers at iDefense are now looking at a dozen possible variations of the VML exploit code and have confirmed the existence of seven, Dunham said. "With WMF, there wasn't nearly as much modification. We see a lot of different permutations and obfuscation techniques being utilized with VML attacks."

A group of security researchers released a patch for the VML flaw late last week, independent of Microsoft, but attackers have found a way to exploit interest in that fix as well.

In the past few days, they have been circulating phony e-mails, claiming to be a patch for the VML problem. If downloaded, this fake patch actually installs malicious software on the victim's system, Dunham said.

Find out more about this security hole in FAQ: What you should know now about the latest IE bug.

Robert McMillan of the IDG News Service contributed to this report.

Copyright © 2006 IDG Communications, Inc.
