Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches VML Vulnerability

Posted by ryuzaki0 on from the not-a-moment-too-soon dept.

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

130 comments

  1. this patch was released before patch day? by jimstapleton · · Score: 5, Funny

    How did it affect DRM such that it encouraged MS to do this?

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
    1. Re:this patch was released before patch day? by OverlordQ · · Score: 0

      How did it affect DRM such that it encouraged MS to do this?

      Well just guessing but:

      A) These people who write these patches, and the people who work on the DRM and probably not the same.
      B) This probably has alot more code that needed to be changed then the DRM fix.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:this patch was released before patch day? by notaspunkymonkey · · Score: 1

      I am guessing he was being sarcastic. but hey.. maybe I am wrong.. wouldnt be the first time.

    3. Re:this patch was released before patch day? by jimstapleton · · Score: 1

      it was pure sarcasm, meant mostly in jest, related to the comments on the previous DRM patch

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    4. Re:this patch was released before patch day? by OverlordQ · · Score: 1

      I know he might have been saying that sarcasticly, but there's alot of people on /. who think there is a conspiracy about MS putting the DRM before security patches.

      --
      Your hair look like poop, Bob! - Wanker.
    5. Re:this patch was released before patch day? by BadAnalogyGuy · · Score: 1

      More likely that the testing requirements for even a small change to something as complex and widespread as a web browser is enormous. Fixing a buffer overflow, especially when a repro case exists, isn't the hardest thing in the world. Making sure that the changes don't break anything else is quite a bit harder, especially with a product that's already entered its maintenance phase and most of the team has moved on to the next version.

    6. Re:this patch was released before patch day? by Volante3192 · · Score: 1

      The kicker though, there's been zero day exploits that weren't patched before Patch Tuesday anyway. I can fully understand the desire to test it as thoroughly as possible, so I'm not too concerned about the 8 day delay (given the quagmire of code they have to work with)

      What the surprise here is they DID release it early. This has happened only twice before, once with the Windows Meta File (back at the start of the year, http://www.informationweek.com/windows/showArticle .jhtml?articleID=175802202 ), which seemed to be under duress, and second with the DRM patch. More surprising is this one looks like it was done voluntarily.

    7. Re:this patch was released before patch day? by Anonymous Coward · · Score: 0

      There are also many who actually believe, with no mention of silly conspiracies, that such a priority on behalf of MS is a reality. Observation could be seen to support such a belief. Care to provide evidence to the contrary? Or is it more convenient for you to wave the lump-people-together-as-conspiracy-theorists card instead?

  2. Vendor Reviews... by kf4lhp · · Score: 3, Funny

    Now to see how long it takes my vendors to say "OK, you can safely apply this patch."

    1. Re:Vendor Reviews... by toadlife · · Score: 1

      If your vendor is Cisco (Unity, etc) then I would estimate....six moinths.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:Vendor Reviews... by Anonymous Coward · · Score: 0

      It looks like the security guy at Cisco currently is too busy to send out vulnerability notices to be able to review any patches. Be patient.

  3. Yay. by Anonymous Coward · · Score: -1, Offtopic

    I've never been first to comment before, yay.

    1. Re:Yay. by Anonymous Coward · · Score: 0

      And you still aren't! ZOMGROFLAMOWTFBBQLOL!!!111one

  4. Not an issue for some by smooth+wombat · · Score: -1, Redundant
    This security flaw was being aggressively exploited out in the wild.


    Only if you use Internet Explorer. For the rest of us, there's Firefox, Opera, Konqueror and other browsers which aren't embedded in the OS and so don't allow such nonsense to affect our systems.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Not an issue for some by notaspunkymonkey · · Score: 0, Troll

      Wow your so cool.. you throw in those nice alternate browser references nice and early on - sure to be modded insightful. Your comment was a waste of energy - it was an IE fix - and everyone here.. even the editors know that you don't have that problem unless your running windows.. idiot.

    2. Re:Not an issue for some by gbjbaanb · · Score: 1

      and only if tyou use IE6. If you have IE7 beta installed, you're safe.

    3. Re:Not an issue for some by toadlife · · Score: 2, Informative
      Wow your so cool.. you throw in those nice alternate browser references nice and early on - sure to be modded insightful.


      What's even cooler is that one of the browsers he mentions (Koqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) and IE.

      Ten bucks says he still gets modded up for it.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:Not an issue for some by Red+Flayer · · Score: 1
      Your comment was a waste of energy - it was an IE fix - and everyone here.. even the editors know that you don't have that problem unless your running windows.. idiot.
      Wow, ur so kewl 2! You can point out when someone is making an obvious point, but then completely blow it when you refer to running windows as if the OP had commented on it being a Windows-only vulnerability... when the OP only referred to other browsers, not other OSs.

      Flame on, if you like, but having something more useful or amusing to add to the conversation would be great -- instead of the bitter rantings of an idiot with a superiority complex.

      Now, if you'll excuse me, I've got to figure out where I put my Hypocrasy Merit Badge.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Not an issue for some by GreggBz · · Score: 1

      I need a break from this place.

      It's like a when your Commodore 64 locked up, and it keept making that same horrible floppy drive noise over and over and over again..

    6. Re:Not an issue for some by mshmgi · · Score: 1

      I'd be willing to bet that Mac OS X/Linux users would have a lot more security problems if we used "SoftwareUpdate.app" (in the case of OS X) or "sudo apt-get" (in the case of Linux) as our default web browser.

      Thankfully, only Microsoft has been daft enough to use a single piece of software to both browse the web and tinker w/ the core of the operating system.

      Until somebody in Redmond decides to develop a standalone app for system updates and limits IE to being a web browser ONLY, Windows users will continue to be plagued by this crap.

    7. Re:Not an issue for some by hal2814 · · Score: 2, Insightful

      From what I understand, being embedded into the OS is not a matter of shared libraries in this case. Some of the IE code is actaully running in kernel mode. The Konqueror broswer runs entirely in user mode from what I understand. Konqueror does call external libraries and those external libraries may enter kernel mode for a few well-defined tasks, but nothing on the level of what IE does if what I've read about IE's internals is true.

    8. Re:Not an issue for some by plague3106 · · Score: 1

      Some of the IE code is actaully running in kernel mode.

      Reference please?

    9. Re:Not an issue for some by toadlife · · Score: 1

      "Some of the IE code is actaully running in kernel mode"

      Can you define "Kernel Mode". Googling, I see this, which if is what you are talking about, tells me that you are wrong, because exploits in IE have no ability to gain priviledge higher than the user's.

      These are the things I know from experience:

      * Exploits that hit IE gain the priviledges of the user. Since most Windows users run as administrator, the priviledges are generally unlimited, but if the user is running as a restricted user, the exploit can not doing anything that the user can't do. This is standard for any userland program.

      * IE can be completely neutered by denying access to a few key dlls. This will break certain other components of the OS, but contrary to many claims, will not cause Windows to be unusable, or unstable. Things that break when you neuter IE in this way are the help and support center (which is a glorified IE shell), and certain functionality in explorer.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    10. Re:Not an issue for some by Richard_at_work · · Score: 1

      No, IE does not run in kernel mode in any way shape or form, its a common misconception. khtml is a lot more like mshtml.dll than people would like to admit.

    11. Re:Not an issue for some by Anonymous Coward · · Score: 0
      From what I understand, being embedded into the OS is not a matter of shared libraries in this case. Some of the IE code is actaully running in kernel mode.
      You understand wrong.

      The "integration into the OS" is that Internet Explorer is tied to Explorer, the Windows Shell. Absolutely nothing of Internet Explorer is running in kernelspace.
    12. Re:Not an issue for some by hal2814 · · Score: 1, Interesting

      "The "integration into the OS" is that Internet Explorer is tied to Explorer, the Windows Shell."

      Which is part of the window manager which according to this image from microsoft.com has been run in kernel mode since NT 4.0 (Article ref). If that weren't the case, then Explorer could not hang the window manager (which it sometimes does).

    13. Re:Not an issue for some by toadlife · · Score: 1

      In WindowsXP you can run `wuauclt /detectnow` which causes the Windows Update client to check for updates immediately. From there you can install udpates after the little icon pops up in your system tray. This is not perfect, but it does mean you don't have to use IE. In Windows Vista the update function has it's own control panel app and updating via the browser is not possible.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    14. Re:Not an issue for some by borgboy · · Score: 1

      Please explain how the diagram you cite shows Explorer to run in the Executive.

      --
      meh.
    15. Re:Not an issue for some by Anonymous Coward · · Score: 0

      By that logic, all software runs in kernelspace, because all software talks to the kernel.

      The problem with IE is ActiveX, and the fact that its users are almost all Administrators, not that it's integrated with Explorer, which is part of the window manager, which talks to the kernel.

    16. Re:Not an issue for some by toadlife · · Score: 0
      Which is part of the window manager which according to this image from microsoft.com has been run in kernel mode since NT 4.0 (Article ref).


      Yes, the "Window manager". The equivalent of that in *nix would be X, which runs also in kernel mode. Your point?

      If that weren't the case, then Explorer could not hang the window manager (which it sometimes does).


      Explorer does not have the ability to arbitrily "hang the Window manager" in Windows. If the system has buggy drivers or what not, the "Window manager" can certainly hang itself though. I realize that the Window manager and GDI running in kernel mode has the potential to make WIndows less reliable than other OS's, but it has nothing to do with Internel Explorer, or Explorer.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    17. Re:Not an issue for some by toadlife · · Score: 1

      "By that logic, all software runs in kernelspace, because all software talks to the kernel."

      Oh crap. You're right. I'm no expert, but do you think we could mitigate this risk but using an OS with no kernel?

      Hurd maybe?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    18. Re:Not an issue for some by rodgster · · Score: 1

      I enforced normal users for all desktop users. Myself included. Some poorly designed apps like quickbooks still require Power User. Some other poorly developed apps still require admin e.g. UPS Ship.

      I've looked @ the nonadmin site (yours????) before and I don't see the dll security setting you reference (to neuter IE).

      Would you mind spoon feeding me?

      Thanks,

      --
      Who will guard the guards?
    19. Re:Not an issue for some by mshmgi · · Score: 1

      The problem isn't that MS doesn't offer a non-IE way to conduct system updates. The problem is that MS allows IE to conduct system updates in the first place. 85% of the world's population uses IE as their default browser. It doesn't matter if there exists an alternate method for updating the OS. What matters is that 85% of the world is using their OS update utility as a web browser - that's just scary.

    20. Re:Not an issue for some by toadlife · · Score: 1

      We use UPS world ship. It ships with a little program you can run that will make it work for regular users. It's in the program directory (normally C:\ups I think). I don't remember the name of the utility and the computers I know run it are not on, so I can';t find it right now. Browse the program directory and look at the .exe files and you should be able to find it. Run it as an administrator and your users will be able to use the program without any special rights.

      As for diabling IE, I can't remember the dlls. I found them by running process explorer and looking at which dlls IE used. One of them is "mshtml.dll". Deny "everyone" access to that dll and I'mmpretty sure IE will puke when you try and use it. I personally don't bother, because IMO IE is not as huge a security threat if you practice other more important secuirty practices - such as running as a non-admin, or simply choosing not to use it.

      The non-admin site is not mine. I've just contributed to it.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    21. Re:Not an issue for some by toadlife · · Score: 1

      Uhhh. Any browser could be used to do system updates using java applet. Microsoft's just happens to use ActiveX instead of Java.

      The scary part is not that people use the browser in that way. It's that people run with root-level access, which allows them to use their browser in that way.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    22. Re:Not an issue for some by toadlife · · Score: 1

      Also, you mentioned quickbooks. This too can be fixed easily to work for regular users by modifying a few permisions. The vendor of Quickbooks has a KB article on their website that explains how to fix it.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    23. Re:Not an issue for some by Anonymous Coward · · Score: 0

      The difference is, remove Konqueror from your system, and KDE won't go boom. Remove IE from the oldstyle Win98 & have an unusable system. Konqueror is just another program that uses KDE/QT core libraries. Nothing critical in itself. And those libraries are installed (on my FC5 system, anyways) seperate from Konq.

    24. Re:Not an issue for some by Anonymous Coward · · Score: 0

      > The equivalent of that in *nix would be X, which runs also in kernel mode. Your point?

      Uh ? X runs in kernel mode ? Nonsense !

    25. Re:Not an issue for some by Ooble · · Score: 1

      You'll be happy to know Vista uses a standalone app to manage Windows Updates.

    26. Re:Not an issue for some by paralaxcreations · · Score: 1

      And the scarier part is that even when they WANT to run as regular users (which entails creating a new user since the default user is an adminstrator. This is something most Windows users don't know how to do because they don't know why they need to do it), they'll find that most of their software no longer runs.

      Compare to...any other OS: they tell you right off the bat "hey, you probably don't want to run as administrator. Here, let me make you a limited account that you should use to access your computer. It will work just fine for most of your needs, trust me."

      Now excuse me while I find my tinfoil hat and try to figure out why exactly MS wants us to all run as admins.

    27. Re:Not an issue for some by toadlife · · Score: 1

      Uh ? X runs in kernel mode ? Nonsense !

      It's runs with root-level permisions, and the drivers run in kernel mode.

      What exactly is nonsense?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    28. Re:Not an issue for some by Anonymous Coward · · Score: 0

      Windows 98?

      Should we bring up Slackware 96 issues too?

    29. Re:Not an issue for some by argel · · Score: 1
      Since most Windows users run as administrator, the priviledges are generally unlimited.

      Actually, the Administrator is a highly priveleged account but it doesn't have unlimited access (e.g. cannot get into the SAM part of the registry). The account with the most privileges (and the closest equivalent to root on UNX/Linux) is the NTAuthority/System account. Keep this in mind when checking which account services are running under. Think about e.g. your web server running with more access to the system than even the administrator has (which is how it used to be IIS and may still be -- I don't use W2K3 Server). The easiest way to become the System account is to schedule an interactive cmd.exe to run using the at command (or soon if you still have it).

      --

      -- Argel
    30. Re:Not an issue for some by Anonymous Coward · · Score: 0

      root-level != kernel mode (root-level = ring3, kernel mode = ring0)

      video drivers!=X (or you could say that *every* app runs in kernel mode)
      No X window manager don't run in kernel mode.
      Not long ago, there were no part of X running in the kernel (drivers were compiled in the server).
      Now some of the video drivers are in the linux kernel.
      There are a lot of platform where X have no kernel-level drivers.

      In NT4, microsoft moved the GDI in the kernel. *That* is a totally different thing.

    31. Re:Not an issue for some by toadlife · · Score: 1

      Thanks, I knew this.

      While admin is not quote as all-powerfull as SYSTEM, it does have the ability gain the permissions of SYSTEM, so it may as well be "all-powerfull".

      FYI, IIS6 runs as a less priviledged account now. The more sensitve parts of it run as an account with virtually no privileges. I huge improvement over IIS5.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    32. Re:Not an issue for some by toadlife · · Score: 1

      "video drivers!=X (or you could say that *every* app runs in kernel mode)"

      Yeah, you're right.

      You will have to forgive me, as I got caught following the logic of the parent.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    33. Re:Not an issue for some by soulhuntre · · Score: 1

      God you zealots really and truly are your own worst enemies.

      --
      --> Fight tyranny and repression.... read /. at -1!
    34. Re:Not an issue for some by makomk · · Score: 1

      What's even cooler is that one of the browsers he mentions (Koqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) and IE.

      I think Microsoft is partly to blame for this misconception - the way they claimed in their anti-trust case that IE was part of the OS wasn't exactly helpful. (However, note that all the libraries that Konqueror uses that if removed affect other parts of KDE are in a completely separate package - kdelibs - and have to be installed separately from Konqueror, whereas IE's bundled into the same installer as the associated libraries and Microsoft doesn't want you to separate them.)

      Oddly, Konqueror has a pretty good security record so far, though that could be because not many people are looking for holes. (Of course, the reason IE has so many security holes is more due to ActiveX than to any of its other integration with the OS - lots of (sometimes third-party) controls and libraries that weren't designed with protection against malicious code in mind but can be used by webpages.)

    35. Re:Not an issue for some by Anonymous Coward · · Score: 0

      No problem. It is nice to answer to AC, anyway.

      The parent is indeed confused.

      Explorer don't run in kernel, and Internet Explorer don't run in kernel either.

      But GDI runs (partialy) in the kernel, and *that* is a bad design decision (dating form NT4).

      X have (traditionally) no kernel part. Some unix kernel have video drivers, which X can use.

      X now have DRI, which have kernel parts, but that is similar to saying that DirectX have kernel parts.

      Have a nice day!

      (Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.

      It's been 23 minutes since you last successfully posted a comment)

  5. Not a bad turnaround by dynemo · · Score: 2, Interesting

    Sometimes, I feel like security researchers are intentionally disclosing their new vulnerability information as close to the "Patch Tuesday" as possible in an attempt to force Microsoft to release an out of cycle patch. This time they were successful.

    --
    "Give up hope, dreams are for suckers."
    1. Re:Not a bad turnaround by Anonymous Coward · · Score: 0

      You got this one backwards. This was an in-the-wild exploit that security experts found. Microsoft was then notified, and started their effort. The ZERT folks then came out with their own patch for the problem. Microsoft then released the "official" patch.

    2. Re:Not a bad turnaround by LurkerXXX · · Score: 4, Insightful

      Umm, here's a big clue for you...

      The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

      That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.

      Security researchers generally want things secure. Virus/Worm writers don't.

    3. Re:Not a bad turnaround by TheOtherChimeraTwin · · Score: 1
      The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

      I'm a little surprised they don't unleash their nasties on Monday, before Patch Tuesday. It isn't like Microsoft could make corrections that quickly.

    4. Re:Not a bad turnaround by Bogtha · · Score: 1

      Security researchers generally want things secure.

      Disclosing vulnerabilities at the least convenient time for Microsoft accomplishes this - in the long run - by discouraging Microsoft from continuing their inane scheduling. If every security researcher published straight after Patch Tuesday, Microsoft would have no option but to give it up.

      --
      Bogtha Bogtha Bogtha
    5. Re:Not a bad turnaround by LurkerXXX · · Score: 2, Insightful

      I don't think the patch tuesday was a microsoft idea. The released individually as they finished the review process for years. I think they got feedback from their large corporate customers saying it would be much easier for their admins to only have to certify and install patches in regular batches, rather than haphazardly as each became available. So I think it's microsoft's large customer's inane scheduling idea. Microsoft just accomodated what their largest customers requested. Not that I think it makes for the best securfity, but it's what the customers (the big noisy ones) asked for.

  6. Firefox not vulnerable because VML not supported? by BadAnalogyGuy · · Score: 4, Informative

    I had no idea what VML was, so I did a little digging and found the following links.

    W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML

    Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/defa ult.asp

    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

  7. Re:Firefox not vulnerable because VML not supporte by Sephiroth9611 · · Score: 3, Insightful

    Of course it didn't work in Firefox. MS is not interested in creating webpages that will work in other people's browsers.

  8. Could this have something to do with... by shoolz · · Score: 4, Insightful

    ...the unofficial patch that was release by independant security specialits? A bit of a black eye for MS, no?

    1. Re:Could this have something to do with... by BadAnalogyGuy · · Score: 1

      A couple things about that.

      First, if users install a foreign version of VML.DLL via the Heise patch (I don't know the details of that patch), then they run the risk of flagging their software as "non-genuine" and may lose the ability to get further updates from WindowsUpdate. From Microsoft's point of view, they don't want the headache of dealing with these users who broke the genuineness of their software, so getting a patch out quickly to head it off at the pass is in their best interest.

      Second, if the Heise patch simply unregisters the VML dll, then the browser's featureset has been reduced. This is not a fix. It is a workaround, and it causes loss of functionality (albeit very rarely used functionality).

      I don't know why they released so early, but it is possible that a 3rd party patch which they are unable to verify the safety of may prompt them to do so.

    2. Re:Could this have something to do with... by Anonymous Coward · · Score: 0

      If you don't know any details about the unofficial patch, why are you blowing smoke out of your arse on the subject?

      Takes less time to learn the particulars about the zeroday patch than it does to write your hand-waving, content-free post

  9. Re:Firefox not vulnerable because VML not supporte by BadAnalogyGuy · · Score: 1

    VML is a standard from almost a decade ago. Firefox wasn't even on their radar in 1998.

  10. Re:Firefox not vulnerable because VML not supporte by OverlordQ · · Score: 0


    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

    VML isn't a standard, it was rejected by the W3C.

    Given how Firefox ignores things like MNG and SVG, not surprised they didn't implement VML.

    --
    Your hair look like poop, Bob! - Wanker.
  11. sigh - roll my eyes by Anonymous Coward · · Score: -1, Offtopic

    All your base belong to us. You stupid Winsuckers.

    Mods: mark everyone else redundant.

  12. Re:Firefox not vulnerable because VML not supporte by BadAnalogyGuy · · Score: 1

    Thanks for that information. From just the brief search I ran, I was under the impression it was already approved (and simply unimplemented).

    Do you have a link?

  13. Maybe they should have tested it more... by HaeMaker · · Score: 2, Informative

    Installing the patch crashes svchost on my system.

    1. Re:Maybe they should have tested it more... by Anonymous Coward · · Score: 0

      e-mail them and strongly complain, partly because it might force a better patch, and partly because it'll make them look stupid

    2. Re:Maybe they should have tested it more... by BadAnalogyGuy · · Score: 3, Funny

      Back out that change, install Firefox, and go and sin no more.

    3. Re:Maybe they should have tested it more... by Anonymous Coward · · Score: 0

      They can't win! First people want patches for security holes. Then they want the patches as soon as possible. Then they want patches that don't introduce new security holes. Then they want patches that don't corrupt data. And now they want patches that don't crash other programs! It's tough being Microsoft.

    4. Re:Maybe they should have tested it more... by j79zlr · · Score: 1

      The installation failed on my work PC running Windows 2000. I checked the installation logs and manually editted the permissions on this registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\VGXUpdate Using regedt32.exe set full control to administrators and system users.

      --
      I'm not not licking toads.
  14. Microsoft Patches IE Browser Flaw by RR074862 · · Score: 2, Funny

    The Internet Explorer patch was released early because Microsoft was concerned of the critical risk to users. The vulnerability involves the way that the browser handles Vector Markup Language (VML) graphics. Malicious hackers can exploit the flaw by creating a Web page that can download spyware or keyloggers onto a user's system.

    1. Re:Microsoft Patches IE Browser Flaw by truthsearch · · Score: 1

      The Internet Explorer patch was released early because Microsoft was concerned of the critical risk to users.

      I see by your ID (over 1 million, congrats /.!) that you're new here. So we'll let this comment go with just a laugh. Microsoft... caring about... users... hahaha....

      --
      Developers: We can use your help.
    2. Re:Microsoft Patches IE Browser Flaw by Shawn+is+an+Asshole · · Score: 1

      It's more likley that they found a way to use the exploit to bypass their DRM, which gives it more of a priority...

      --
      "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
  15. Re:Reviews... by RR074862 · · Score: 1

    A good move from Microsoft.I guess it's time to kill the Cyber criminals that are known to be using the bug to install keyloggers, adware and spyware and take over Windows PCs. Thank You Microsoft.

  16. SVG not ignored by Firefox by 6031769 · · Score: 2, Informative

    SVG is not ignored by Firefox nor by Mozilla as a whole.

    HTH

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  17. Good for them. by Grendel+Drago · · Score: 1

    Good for them, doing the right thing here and all.

    It's kind of funny how the security bulleting reads "Vulnerability in Vector Markup Language Could Allow Remote Code Execution". We're not saying that it does, but we think it's possible.

    Gee. Ya think?

    --
    Laws do not persuade just because they threaten. --Seneca
    1. Re:Good for them. by solevita · · Score: 0

      I think that's better than saying "Vulnerability in Vector Markup Language Does Allow Remote Code Execution", after all, just having the vulnerability doesn't mean that code will be executed. You still have to run IE and visit a malicious website.

      Imagine a PC with no network conection at all - a vulnerability in VML is not going to lead to remote code execution.

    2. Re:Good for them. by makomk · · Score: 1

      Of course, even that's still better than "Vulnerability in Vector Markup Language Used For Malicious Remote Code Execution", which is equally true.

  18. Probably not by Sycraft-fu · · Score: 4, Insightful

    They release patches for critical, out in the wild, flaws as soon as they get them certified. You have to realise that they can't just release a patch right off, by their own policy and as a matter of practise. They have to go through a rather extensive certification procedure to make sure it won't cause computers to blow up. It's similar to patches you see for other OSes like Solaris. You'll hear of a bug and they'll be a patch out, but not one form Sun. That comes a bit later, after they've had time to test it.

    You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

    We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.

    Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.

    1. Re:Probably not by Feyr · · Score: 1

      / it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

      that's already the case, even if they HAVE improved in recent years. there's still the stigma associated with patches that seriously broke systems in nt4 and 2k

      the only reason i don't worry about patches breaking my (windows) systems is because they're not critical enough to warrant it just let the auto update do its job. my linux servers, on the other hand, get tested thoroughly before deploying anything major.as much as i'd like to feel smug and say "haha this doesn't happen with linux!!!!" it's just not true, and oftentimes an apt-get upgrade will break something

  19. Re:Firefox not vulnerable because VML not supporte by OverlordQ · · Score: 1

    Just what I found on WikiPedia, that and there doesn't seem to be any followup on the W3C site past the initial submission for consideration.

    --
    Your hair look like poop, Bob! - Wanker.
  20. actually not yet in the Index by Anonymous Coward · · Score: 0

    Actually, the patch is NOT yet in the Security Bulletin Index as of this time. The patch is out there, but the link in the bulletin index isn't there right now. Hopefully, that web page will be updated soon.

    1. Re:actually not yet in the Index by Uncle+Rummy · · Score: 1

      You're right, of course. What I submitted originally read "...The patch was publicly available yesterday, but Microsoft hasn't yet added it to the Security Bulletin Index." I added that bit specifically because it's puzzling that MS would release such a critical patch but not tell anybody. Don't ask me why kdawson saw fit to change it to the innacurate version that got posted.

  21. XP SP2 problems by BenEnglishAtHome · · Score: 5, Informative

    I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

    What a pain in the ass. Is everybody seeing the same trouble?

    1. Re:XP SP2 problems by Christopher_G_Lewis · · Score: 1, Interesting

      Why oh why in the world do you still have machines at SP1?

      What's the name of your organization. I'd like to make sure I don't have any of your stock.

      --
      www.christopherlewis.com
    2. Re:XP SP2 problems by plague3106 · · Score: 1, Interesting

      SP1 isn't supported anymore, so I don't know why you're still running it. At any rate, I would install SP2 before going off to install other patches anyway...

    3. Re:XP SP2 problems by Anonymous Coward · · Score: 2, Insightful

      Is everybody seeing the same trouble?

      The only trouble I am seeing is why it has taken you so long to put SP2 on [some of] your machines.

    4. Re:XP SP2 problems by BenEnglishAtHome · · Score: 1

      You don't have any stock in us.

      Why do we have any left at SP1? I could be flip and say it's because we relied on Tivoli to update them, but I won't go there. Basically, we updated about 100K machines and are hunting down the last few hundred, mostly laptops belonging to people who spend all their time in the field and try to never come into the office where they can be updated. (Among our old-timers, it's a real badge of honor to brag that they haven't been in the office in 6 months.) Internal politics prevents us from simply locking those people off the network; we have to chase them down and say please. For any organization-wide update, there are always a few like that.

    5. Re:XP SP2 problems by Anonymous Coward · · Score: 0

      Becuase in the real world you can't always keep everything up to date. Where I work we finally phased out Win9x less than a year ago! We still have 2K machines on SP2. We have a lot of XP SP1 machines. Everything we put out is up to date, but we have a LOT of users and no real authority to force updates on them. In those rare cases where we have forced updates the fucking patches have ended up breaking things - most recently there was an IE patch that broke Siebel. It was a critical patch so we got special permission to force it onto everyone and then it blew up in our face. Never going to happen again.

    6. Re:XP SP2 problems by Shawn+is+an+Asshole · · Score: 1

      Why are you trying to update SP1 to SP2? If it's for new installations, you really should learn about Slipstreaming. It's really easy to do.

      In fact, here is a script that will not only splipstream in SP2, but all critical updates automatically:

      http://smithii.com/?q=node/12

      --
      "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
    7. Re:XP SP2 problems by Anonymous Coward · · Score: 0

      It is the IRS, what do you expect?

    8. Re:XP SP2 problems by Christopher_G_Lewis · · Score: 1

      Nice to know that the IRS has the same Tivoli issues that we do at Bank of America :-)

      We *finally* got a GateKeeper system up and running on our VPN for AV and critical patches. Took an act of the CIO to get the traders to agree to this...

      Now please don't audit me :-)

      --
      www.christopherlewis.com
    9. Re:XP SP2 problems by Joe+The+Dragon · · Score: 1

      http://www.ryanvm.net/msfn/ does the same thing
      also use http://www.driverpacks.net/ to add drivers

    10. Re:XP SP2 problems by BenEnglishAtHome · · Score: 1

      Interestingly, we have two software distribution systems here. One is Tivoli. The higherups have spent millions and it's damn well gonna get used, whether it works or not.

      The other is a little program named M2 that runs at startup, checks a list in a specified directory, compares it to a local server, and applies anything available on the server that applies to your type of machine. You don't start work until it finishes. Works like a charm. Solid as a rock. Cost us nothing because it was written by one of our guys. Beats the hell out of Tivoli.

      Why don't we use it for everything? Tivoli does a couple of things it doesn't; M2 *only* distributes software. Mainly, though, it's politics. Our most powerful user group refuses to use M2 because when a large update of any sort comes through, the boot process can take a while. Their attitude is that the time of their people is too valuable to wait for a long boot. Without their buy-in, we'll never be able to get any large, all-user patch installed on any sort of reasonably compressed schedule.

      Frustrating as hell.

      Not quite as frustrating as 5 years ago when we took our last major user group off of pure-Unix laptops and put them on Windows, but close.

    11. Re:XP SP2 problems by Anonymous Coward · · Score: 0

      Seriously, if you're having issues applying SP2 after installing the security update, contact Microsoft PSS. From the lack of comments here, it seems that there may be something particular about your environment that is contributing. I'd imagine that the .gov you work for already has a Premier contract, and even if you don't, you're opening a ticket about applying a security update (& service pack), so you shouldn't get charged for the ticket.

    12. Re:XP SP2 problems by AmberBlackCat · · Score: 1

      I think your pain in the ass comes from the idiot who decided to wait this long to upgrade to Service Pack 2. I've despised Microsoft for a long time, but at least I have legitimate reasons for it. Bashing them for not releasing patches, and then bashing them for releasing patches just seems stupid to me. I suppose I'll get modded as a troll again, but lately that seems like a compliment here.

  22. ZERT fix and FAQ entry written too by jjMick · · Score: 1
    There was a 3rd party fix from Zeroday Emergency Response Team http://isotf.org/zert/ (ZERT) available too and FAQ document written: http://www.securityfocus.com/bid/20096/references

    FAQ document here: http://blogs.securiteam.com/?p=640

  23. Change the icon please by 140Mandak262Jamuna · · Score: 2, Funny

    MSFT fixes a bug. Then it fixes the patch. Patches the patch. So is that dead bug a good choice as an icon? Please change it to phoenix bird. It is supposed to die and come back alive from its ashes.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  24. Some clarification. by hullabalucination · · Score: 4, Informative

    VML is a standard from almost a decade ago.

    It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

    SVG: http://www.w3.org/TR/SVG10/

    SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

    http://en.wikipedia.org/wiki/Vector_Markup_Languag e Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

    Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml

    * * * * *

    It's a small world, but I wouldn't want to have to paint it.
    —Stephen Wright

    1. Re:Some clarification. by DerPflanz · · Score: 1

      In my work, I created a SVG-based SCADA-like package. I had to build it to run in Adobe's SVG Viewer, because the native Firefox and Opera implementations couldn't run it. Note that I wrote the whole thing with the W3C docs in my hand, not with trial-and-error in the plugin.

      The Firefox implementation misses critical things (the viewbox has some problems) and it is very heavy and slow, compared to Adobe's implementation. The Adobe plugin works right in IE, crashes in Firefox under Windows. Firefox in Linux has to use the beta version.

      I like SVG and what you can do with it, but the implementations should get better, much better (think Flash-like performance and possibilities; it's all in the standard) to catch on and be that Flash-killer it is supposed to be.

      --
      -- The Internet is a too slow way of doing things, you'd never do without it.
  25. Maybe you should tell us more by Anonymous Coward · · Score: 0

    If you want to be helpfull rather than biatching and moaing, you could tell the configuration of the system that's having the problem.

    Seeing as how I've applied this patch to about 20 machines running Win2K, XP Home, XP Pro, Win2k Svr, Win 2k3 Svr 32-b, and Win 2k3 Svr 64-b, all without any ill effects...

  26. Fixed last week by raind · · Score: 1

    Thanks to these folks: http://isotf.org/zert/

    --
    Get up!
  27. if browserid NOT Equal TO IEXP, mangle.page .. by rs232 · · Score: 1

    "Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser

    Interesting enough the page layout is displayed correctly if Firefox changes User Agent ID to Internet Explorer 6. Under default Firefox ID it displays as a drap one page layout. Why does Microsoft mangle its own pages if viewed under a non MS browser.

    if ($browserid!=IEXP) { mangle.page(); else display.page(); }

    was: Firefox not vulnerable because VML not supported?

    --
    davecb5620@gmail.com
  28. Cant install this or a few other patches..help? by SteveXE · · Score: 1

    For some reason this and 3 other "Critical" patches refuse to install on my system. I've been verified genuine and gone through the MS tech support hoops to no avail. The install always fails and gives me a generic error code. Here are the patches I need but cant get no matter what I do, if anyone knows a possible solution I wont complain.

    Security Update for Windows XP (KB917344)
    Cumulative Security Update for Internet Explorer for Windows XP (KB918899)
    Security Update for Windows XP (KB925486)

    1. Re:Cant install this or a few other patches..help? by Dog-Cow · · Score: 1

      I went through MS tech support to get WU working on an XP machine, and I saved all the emails in the event that the problem came up again. Send a note to avi.slashdot@mail.ashevin.com and I'll be glad to share them with you.

  29. If only... by Vexler · · Score: 1

    ...they release their operating systems as quickly as they do their security patches. Eight days from the first report to a working patch? That's working fast!

  30. microsoft too late again? by pk073900 · · Score: 1

    yeah thanks to zert for stepping in with the fix. microsoft did not have "time" to release a patch. for what i understand microsoft only released the patch a few days after the third party patch appeared online. coincidence or what? with microsoft being reluctant to change their monthly update cycle. attackers have taken advantage of this. i cant understand why they are reluctant to do this. microsoft just let their users systems be vulnerable and unprotected for several weeks until the new patch is updated. to me this is a concern especially now when zero-day vulnerabilities wont be left alone by the attackers. microsoft should do better to protect their users.

  31. Firefox & VML by Anonymous Coward · · Score: 0

    So, talking theoretically....

    If someone where to have a Firefox cache file that was infected by Bloodhound / The VML vuln. would there be any concern for that user?

  32. It's NOT! 10/10/2006! by antdude · · Score: 2, Insightful

    Its support will expire on October 10, 2006 according to Automatic Updates service. Also, see this Microsoft Web page. It's soon, but not over yet.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:It's NOT! 10/10/2006! by Anonymous Coward · · Score: 0

      Before you listen to any more drivel by 'AntDude', take a look at who you're dealing with: http://pbx.mine.nu/antdude.jpg. The abortion in the center is 'AntDude'. I won't even get into discussion about him listing his 'sex' as 'female' on his SHITTY 'blog' (aqfl.net). This faggot has nothing better to do than sit on the internet and spew worthless garbage. He's the new LostCluster when it comes to posting utterly worthless tripe. Not to mention his submitted stories! Every single one of his last 10 or so submissions have been tagged as 'lame' or 'slownewsday'. Why does taco even bother posting his shit. Maybe he gets some tiny deformed chinese cock up his taco ass in exchange for some linkspam with google ads? Do the world a favor and never reply to comments from ANTDUDE and mark him as a FOE.

    2. Re:It's NOT! 10/10/2006! by makomk · · Score: 1

      This AC troll hasn't been modded down yet? Must be a slow moderation day. (Oh, and needless to say, the grandparent poster is correct...)

    3. Re:It's NOT! 10/10/2006! by Anonymous Coward · · Score: 0

      Go away already.

  33. the first rule of slashdot by weierstrass · · Score: 1

    when moaning about slashdot, make sure you mention your girlfriend

    if you don't have a girlfriend, mention that you used to have an 8-bit computer

    --
    my password really is 'stinkypants'
  34. Error codes / "only 8 days" by mackyrae · · Score: 1

    I just want to point out that ALL error codes on Windows are "generic". My computer switched into 640x480 with 8-bit color and it told me "there was an error" like it wasn't really obvious.

    I can't really help you though.

    So, MS takes "only" 8 days to release a patch, and Firefox gets patches out in a day...which seems better: having exploits running around for over a week being hacked at or having it fixed immediately?

    --
    look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
  35. Quietly? by kitman420 · · Score: 2, Insightful

    Why is it that every time a patch is announced nowadays, it's announced as "X quietly releases a patch"? What? do they need fanfare or something?

    1. Re:Quietly? by Uncle+Rummy · · Score: 1

      Quietly as in Microsoft apparently hasn't done any of the things they normally do when they release an offcycle patch, especially for a critical vulnerability with multiple known exploits in the wild and ample media coverage thereof.

      I haven't seen an email notification from Microsoft for this patch yet, and it still hasn't been listed in their Security Bulletin Index (and when I submitted the article, it said as much - for some bizarro reason kdawson decided to change it to the innacurate text stating that it *is* listed in the index before he posted the article).

      For this type of patch, it should indeed be accompanied by enough fanfare to make people aware that it exists, especially since it comes well off the established monthly Microsoft patch cycle.

    2. Re:Quietly? by Anonymous Coward · · Score: 0

      If releasing it to Windows Update isn't enough notice to Windows users of its presence then I fault everyone but MS. Lose the "quietly" as it makes one suspect of such postings.

  36. Re:Firefox not vulnerable because VML not supporte by Anonymous Coward · · Score: 0

    Surely you're trolling? It's not exactly a well-kept secret that Firefox supports SVG.

  37. VML's real name by springbox · · Score: 1

    I knew it! It's Vulnerable Markup Language!

  38. Re:Firefox not vulnerable because VML not supporte by Anonymous Coward · · Score: 0

    Gonna roll the dice before I follow the Wikipedia link:

    Virus Markup Language?

    Vulnerability Markup Language?

    Virtual Messy Layer?

  39. Wow by Anonymous Coward · · Score: 0

    The above poster got modded up three times for posting something that is 100% wrong.

    It certainly pays to be an ignorant Microsoft basher on Slashdot.

  40. And even Flash isn't fool-proof. by hullabalucination · · Score: 1

    but the implementations should get better, much better (think Flash-like performance and possibilities; it's all in the standard)

    I think Opera is way ahead of the Mozilla folks on the SVG implementation. That being said, I understand Firefox 2.x will implement SVG 1.1 stuff, like scripting. How well will it implement the new features? Pretty poorly at first, I'm sure. My needs are for basic multimedia implementations, like getting SVG to animate and sync with an audio file. Which is why I'm particularly interested in:

    SMIL: http://www.w3.org/AudioVideo/ Internet Explorer and RealPlayer implement some or all of the current SMIL specs, Firefox hasn't even heard of it, Opera is said to be a bit buggy. I'm hoping this catches on in a big way, but I'm not holding my breath.

    Oh, and Flash can be very buggy on Linux. A real estate broker client of mine had his company Website done. It was done almost completely in Flash...barely 6 lines of HTML on the entire site (of course I'm being hyperbolic but not by much). Renders swell on Windows, but for me the entire right half of his property description page just simply disappears. Mid-word, mid-photo. Very strange. I'm guessing a white rectangle is getting rendered above where it should be (wrong Z-index in HTML terms...I don't do Flash so I don't know Flash's terminology). He was livid when I showed him what his Website looked like on my monitor, and Adobe doesn't seem to be in a big hurry to update the Flash plugins for Linux.

    One thing I do like about using a scripting language to animate DOM objects in HTML (the current SVG way) is that your "bounding box" can be larger than the browser's display window. Meaning that you can have objects move into the display from off-screen (done this in the past on a development site; will be doing this on a redesign of my company's site). Perhaps you can do this with Flash as well, but I've never seen it. Flash almost always gives me the feeling of looking through a small porthole that appears as a very obvious child window of the browser's parent; manipulating DOM objects via a scripting language means the entire browser window (and beyond) is my canvas to play with and there's no "porthole" effect. I like that.

    * * * * *

    An advertising agency is 85 percent confusion and 15 percent commission.
    —Fred Allen

  41. VML Patched by Microsoft! by shiyun074238 · · Score: 1

    Typical download size: 250 KB , less than 1 minute
    A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it.
    You can help protect your computer by installing this update from Microsoft.
    After you install this item, you may have to restart your computer.
    Check Windowsupdate

    1. Re:VML Patched by Microsoft! by shiyun074238 · · Score: 1

      Wrong URL --> WindowsUpdate

  42. equation by K-074512 · · Score: 1

    worm = a self-replicating computer program. It uses a network to send copies of itself to other systems and it may do so without any user intervention through the network.

    virus = a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.

    patch = a small piece of software designed to update or fix problems with a computer program. This includes fixing bugs, replacing graphics and improving the usability or performance.

    exploit = a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to gain control of a computer system or allow privilege escalation or a denial of service attack

    Computer security = a field of computer science concerned with the control of risks related to computer use.



    virus or worm writer = genius.

    MS = put people into misery and make profit out of it.

  43. Let check it out.. by PK073897 · · Score: 1

    As we noticed a lot of cyber-criminals will be exploiting in any time..I've done some reseaching and interestingly I've found one alternative besides firewall, anti-virus and anti-spyware (which can't solve this problems ).. Do check it out.. http://www.explabs.com/ss/index.html I think this one can really helps us!!

    1. Re:Let check it out.. by TT074304 · · Score: 1

      Hunh....sooner or later this program will also being exploted....go figure!!!

  44. Re:Firefox not vulnerable because VML not supporte by it074809 · · Score: 1

    I also have not much understanding on VML but i know it is kind of buffer overflow.. result from my surfing, VML is a remote code execution vulnerability, exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  45. why this affect IE? by PK073891 · · Score: 1

    Although this the windows vulnerability, IE and outlook still affected because Internet Explorer and Outlook use the vulnerable library of Windows operating system (so-called VML component) when rendering Vector Markup Language graphics. But not all internet browser are affected because this vulnerability affects only to Internet Explorer. Additionally, other browsers using the rendering component of Internet Explorer, e.g. Avant Browser, are affected.Other Internet browsers, like Mozilla Firefox, Netscape and Opera use a different technique known as Scalable Vector Graphics (SVG). The following Windows versions have been confirmed as vulnerable: Windows XP (Professional and Home Edition) Service Pack 1 and Service Pack 2 Windows 2000 (Professional and Server) Service Pack 4 Windows 2003 Server The following OS's are vulnerable as well, but they are not supported any more: Windows 95 Windows 98 and 98SE Windows Me Windows NT

  46. patch.. by azman075918 · · Score: 1

    This patch should be released earlier.

  47. Faster than a speeding bullet: Microsoft patches V by tt074321 · · Score: 1
    When it comes to writing about Microsoft's security vulnerabilities, I never know what type of feedback to expect in the discussion. Sometimes the response is loud and clear: we know what we're doing, so we'll happily wait for the patch. Other times, it's the exact opposite: Microsoft better do something quick. And when it came to the Zeroday Emergency Response Team (ZERT) taking the initiative to repair Internet Explorer's Vector Markup Language (VML) vulnerability, I wasn't let down--the majority sentiment surprisingly echoed MrCatbert's initial comment: "Go Zert!"

    While it's quite possible that many of you decided to install ZERT's fix, I decided to wait for Microsoft's patch, especially because it was supposed to arrive before the October 10 deadline. Now, the company has not only released the patch early, but it appears to have bested the previous company record of an 8-day turnaround on a vulnerability. Starting on September 19, the VML bug took seven days to fix. Microsoft's Scott Deacon attributes the breakneck turnaround time to teamwork, saying via the MSRC blog, "Through some really top notch effort by all our testing teams, we were able to reach our quality bar far sooner than we originally anticipated. Yesterday we really became confident in our final checklists that we could release it and so we have done so."

    The security bulletin for the new fix is MS06-055. If you've modified VGX.DLL in order to protect your system from possible exploits, Microsoft's advises that you undo the change before applying MS06-055. Otherwise, the patch may not work. In other security news, Microsoft's Craig Gehre has announced that MS06-049 has been re-released.