Slashdot Mirror


Microsoft Patches VML Vulnerability

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, but Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

6 of 130 comments

  1. Firefox not vulnerable because VML not supported? by BadAnalogyGuy · · Score: 4, Informative

    I had no idea what VML was, so I did a little digging and found the following links.

    W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML

    Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/default.asp

    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

  2. Maybe they should have tested it more... by HaeMaker · · Score: 2, Informative

    Installing the patch crashes svchost on my system.

  3. Re:Not an issue for some by toadlife · · Score: 2, Informative

    Wow you're so cool.. you throw in those nice alternate browser references nice and early on - sure to be modded insightful.


    What's even cooler is that one of the browsers he mentions (Konqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) as IE.

    Ten bucks says he still gets modded up for it.
    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

  4. SVG not ignored by Firefox by 6031769 · · Score: 2, Informative

    SVG is not ignored by Firefox nor by Mozilla as a whole.

    HTH

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.

  5. XP SP2 problems by BenEnglishAtHome · · Score: 5, Informative

    I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

    What a pain in the ass. Is everybody seeing the same trouble?

  6. Some clarification. by hullabalucination · · Score: 4, Informative

    VML is a standard from almost a decade ago.

    It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

    SVG: http://www.w3.org/TR/SVG10/

    SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

    http://en.wikipedia.org/wiki/Vector_Markup_Language Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

    Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml

    * * * * *

    It's a small world, but I wouldn't want to have to paint it.
    —Stephen Wright