Microsoft Hastens IE Flaw Fix

Widely available exploit prompts fast response

Microsoft Corp.’s decision last week to issue an out-of-cycle patch for an Internet Explorer flaw appears to have squelched concerns about widespread system disruptions resulting from the vulnerability.

The flaw occurs in the way IE browsers handle Vector Markup Language (VML) graphics and could give attackers complete control of compromised systems.

The flaw was first reported by Sunbelt Software Inc. in Clearwater, Fla., on Sept. 18, and attempts to exploit it began soon afterward.

Concerns began mounting when exploit code targeting the vulnerability became publicly available through hacking sites such as xsec.org, milw0rm.com and the public domain Metasploit Project.

Adding to the concern, VeriSign Inc.’s iDefense unit reported last week that more than 1,800 Web domain hosting servers had been hijacked via a previous hack and then used to redirect users to Web sites hosting VML exploits.

A ‘Political Decision’

Microsoft insisted that actual attacks and customer impact were limited. But it decided to release the patch ahead of its usual monthly schedule because of the existence of public exploit code, the company said in a statement.

The early fix was more of a “political decision than anything else,” said Hugh McArthur, director of information systems security at Online Resources Corp., an online bill-processing firm in Chantilly, Va. “But kudos to Microsoft for getting it out so quick.”

McArthur added that even before Microsoft made the patch available, “a lot of the controls that folks already have in place effectively dealt with” the VML flaw. “It was an issue that needed to be addressed, but certainly I think it was overhyped,” he said.

A security manager at a Utah-based credit union who asked to remain anonymous said his company deployed the VML patch soon after it was released, as is routine practice. “I’m happy with early releases so long as they test these things out before releasing them so it doesn’t crash our systems,” he said.

For Microsoft, this is the second time this year it has issued a fix ahead of its usual monthly schedule. In January, the company had to quickly provide a patch for a flaw in its Windows Metafile (WMF) function after exploits began circulating widely.

As with the WMF flaw, a third-party group of security researchers — in this case, Zero-Day Emergency Response Team, or ZERT — rushed out a VML patch ahead of Microsoft’s own in response to growing customer concern.

“As with WMF, this was becoming a big public relations problem for Microsoft,” said Johannes Ullrich, chief technology officer at the SANS Institute’s Internet Storm Center in Bethesda, Md. “A lot of people were questioning why the company was waiting so long to issue a fix for it.”

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon