Microsoft started distributing on Tuesday an emergency patch for a flaw in Internet Explorer, eight days after security researchers noticed that online attackers were using the previously unknown vulnerability to compromise systems.
The patch fixes the flawed way in which Internet Explorer handles the Vector Markup Language (VML), a proposed standard for coding vector graphics into XML. Attacks using the flaw were detected eight days before the patch, on September 18, by Sunbelt Software, although other security companies may have independently discovered the issue. Over the weekend, attackers used another zero-day exploit--this time in a Web application known as cPanel--to compromise Web sites and send visitors to a rogue page that hosted the attack code.
"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," the company said in a security bulletin released on Tuesday. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
A group of security researchers, concerned over the lack of a patch, had previously released a third-party fix.
Microsoft's regularly scheduled day for releasing patches is the second Tuesday of the month. However, attacks using the VML flaw appeared only a week after the company had released its September updates, leaving the software giant with a choice of releasing an out-of-cycle patch or waiting more than three weeks to fix its security mistake. The time Microsoft took to fix the flaw--eight days--is the same amount of time the company took to fix a previous vulnerability in how the operating system handled the Windows Meta Format.
Posted by: Robert Lemos