Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches VML Vulnerability

Posted by ryuzaki0 on from the not-a-moment-too-soon dept.

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

9 of 130 comments (clear)

  1. Re:Firefox not vulnerable because VML not supporte by Sephiroth9611 · · Score: 3, Insightful

    Of course it didn't work in Firefox. MS is not interested in creating webpages that will work in other people's browsers.

  2. Could this have something to do with... by shoolz · · Score: 4, Insightful

    ...the unofficial patch that was release by independant security specialits? A bit of a black eye for MS, no?

  3. Re:Not a bad turnaround by LurkerXXX · · Score: 4, Insightful

    Umm, here's a big clue for you...

    The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

    That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.

    Security researchers generally want things secure. Virus/Worm writers don't.

  4. Probably not by Sycraft-fu · · Score: 4, Insightful

    They release patches for critical, out in the wild, flaws as soon as they get them certified. You have to realise that they can't just release a patch right off, by their own policy and as a matter of practise. They have to go through a rather extensive certification procedure to make sure it won't cause computers to blow up. It's similar to patches you see for other OSes like Solaris. You'll hear of a bug and they'll be a patch out, but not one form Sun. That comes a bit later, after they've had time to test it.

    You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

    We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.

    Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.

  5. Re:Not an issue for some by hal2814 · · Score: 2, Insightful

    From what I understand, being embedded into the OS is not a matter of shared libraries in this case. Some of the IE code is actaully running in kernel mode. The Konqueror broswer runs entirely in user mode from what I understand. Konqueror does call external libraries and those external libraries may enter kernel mode for a few well-defined tasks, but nothing on the level of what IE does if what I've read about IE's internals is true.

  6. Re:XP SP2 problems by Anonymous Coward · · Score: 2, Insightful

    Is everybody seeing the same trouble?

    The only trouble I am seeing is why it has taken you so long to put SP2 on [some of] your machines.

  7. It's NOT! 10/10/2006! by antdude · · Score: 2, Insightful

    Its support will expire on October 10, 2006 according to Automatic Updates service. Also, see this Microsoft Web page. It's soon, but not over yet.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  8. Quietly? by kitman420 · · Score: 2, Insightful

    Why is it that every time a patch is announced nowadays, it's announced as "X quietly releases a patch"? What? do they need fanfare or something?

  9. Re:Not a bad turnaround by LurkerXXX · · Score: 2, Insightful

    I don't think the patch tuesday was a microsoft idea. The released individually as they finished the review process for years. I think they got feedback from their large corporate customers saying it would be much easier for their admins to only have to certify and install patches in regular batches, rather than haphazardly as each became available. So I think it's microsoft's large customer's inane scheduling idea. Microsoft just accomodated what their largest customers requested. Not that I think it makes for the best securfity, but it's what the customers (the big noisy ones) asked for.