Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches VML Vulnerability

Posted by ryuzaki0 on from the not-a-moment-too-soon dept.

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

21 of 130 comments (clear)

  1. this patch was released before patch day? by jimstapleton · · Score: 5, Funny

    How did it affect DRM such that it encouraged MS to do this?

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  2. Vendor Reviews... by kf4lhp · · Score: 3, Funny

    Now to see how long it takes my vendors to say "OK, you can safely apply this patch."

  3. Not a bad turnaround by dynemo · · Score: 2, Interesting

    Sometimes, I feel like security researchers are intentionally disclosing their new vulnerability information as close to the "Patch Tuesday" as possible in an attempt to force Microsoft to release an out of cycle patch. This time they were successful.

    --
    "Give up hope, dreams are for suckers."
    1. Re:Not a bad turnaround by LurkerXXX · · Score: 4, Insightful

      Umm, here's a big clue for you...

      The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

      That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.

      Security researchers generally want things secure. Virus/Worm writers don't.

    2. Re:Not a bad turnaround by LurkerXXX · · Score: 2, Insightful

      I don't think the patch tuesday was a microsoft idea. The released individually as they finished the review process for years. I think they got feedback from their large corporate customers saying it would be much easier for their admins to only have to certify and install patches in regular batches, rather than haphazardly as each became available. So I think it's microsoft's large customer's inane scheduling idea. Microsoft just accomodated what their largest customers requested. Not that I think it makes for the best securfity, but it's what the customers (the big noisy ones) asked for.

  4. Firefox not vulnerable because VML not supported? by BadAnalogyGuy · · Score: 4, Informative

    I had no idea what VML was, so I did a little digging and found the following links.

    W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML

    Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/defa ult.asp

    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

  5. Re:Firefox not vulnerable because VML not supporte by Sephiroth9611 · · Score: 3, Insightful

    Of course it didn't work in Firefox. MS is not interested in creating webpages that will work in other people's browsers.

  6. Could this have something to do with... by shoolz · · Score: 4, Insightful

    ...the unofficial patch that was release by independant security specialits? A bit of a black eye for MS, no?

  7. Maybe they should have tested it more... by HaeMaker · · Score: 2, Informative

    Installing the patch crashes svchost on my system.

    1. Re:Maybe they should have tested it more... by BadAnalogyGuy · · Score: 3, Funny

      Back out that change, install Firefox, and go and sin no more.

  8. Re:Not an issue for some by toadlife · · Score: 2, Informative
    Wow your so cool.. you throw in those nice alternate browser references nice and early on - sure to be modded insightful.


    What's even cooler is that one of the browsers he mentions (Koqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) and IE.

    Ten bucks says he still gets modded up for it.
    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  9. Microsoft Patches IE Browser Flaw by RR074862 · · Score: 2, Funny

    The Internet Explorer patch was released early because Microsoft was concerned of the critical risk to users. The vulnerability involves the way that the browser handles Vector Markup Language (VML) graphics. Malicious hackers can exploit the flaw by creating a Web page that can download spyware or keyloggers onto a user's system.

  10. SVG not ignored by Firefox by 6031769 · · Score: 2, Informative

    SVG is not ignored by Firefox nor by Mozilla as a whole.

    HTH

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  11. Probably not by Sycraft-fu · · Score: 4, Insightful

    They release patches for critical, out in the wild, flaws as soon as they get them certified. You have to realise that they can't just release a patch right off, by their own policy and as a matter of practise. They have to go through a rather extensive certification procedure to make sure it won't cause computers to blow up. It's similar to patches you see for other OSes like Solaris. You'll hear of a bug and they'll be a patch out, but not one form Sun. That comes a bit later, after they've had time to test it.

    You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

    We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.

    Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.

  12. Re:Not an issue for some by hal2814 · · Score: 2, Insightful

    From what I understand, being embedded into the OS is not a matter of shared libraries in this case. Some of the IE code is actaully running in kernel mode. The Konqueror broswer runs entirely in user mode from what I understand. Konqueror does call external libraries and those external libraries may enter kernel mode for a few well-defined tasks, but nothing on the level of what IE does if what I've read about IE's internals is true.

  13. XP SP2 problems by BenEnglishAtHome · · Score: 5, Informative

    I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

    What a pain in the ass. Is everybody seeing the same trouble?

    1. Re:XP SP2 problems by Anonymous Coward · · Score: 2, Insightful

      Is everybody seeing the same trouble?

      The only trouble I am seeing is why it has taken you so long to put SP2 on [some of] your machines.

  14. Change the icon please by 140Mandak262Jamuna · · Score: 2, Funny

    MSFT fixes a bug. Then it fixes the patch. Patches the patch. So is that dead bug a good choice as an icon? Please change it to phoenix bird. It is supposed to die and come back alive from its ashes.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. Some clarification. by hullabalucination · · Score: 4, Informative

    VML is a standard from almost a decade ago.

    It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

    SVG: http://www.w3.org/TR/SVG10/

    SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

    http://en.wikipedia.org/wiki/Vector_Markup_Languag e Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

    Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml

    * * * * *

    It's a small world, but I wouldn't want to have to paint it.
    —Stephen Wright

  16. It's NOT! 10/10/2006! by antdude · · Score: 2, Insightful

    Its support will expire on October 10, 2006 according to Automatic Updates service. Also, see this Microsoft Web page. It's soon, but not over yet.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  17. Quietly? by kitman420 · · Score: 2, Insightful

    Why is it that every time a patch is announced nowadays, it's announced as "X quietly releases a patch"? What? do they need fanfare or something?