Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches VML Vulnerability

Posted by ryuzaki0 on from the not-a-moment-too-soon dept.

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

7 of 130 comments (clear)

  1. this patch was released before patch day? by jimstapleton · · Score: 5, Funny

    How did it affect DRM such that it encouraged MS to do this?

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  2. Firefox not vulnerable because VML not supported? by BadAnalogyGuy · · Score: 4, Informative

    I had no idea what VML was, so I did a little digging and found the following links.

    W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML

    Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/defa ult.asp

    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

  3. Could this have something to do with... by shoolz · · Score: 4, Insightful

    ...the unofficial patch that was release by independant security specialits? A bit of a black eye for MS, no?

  4. Re:Not a bad turnaround by LurkerXXX · · Score: 4, Insightful

    Umm, here's a big clue for you...

    The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

    That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.

    Security researchers generally want things secure. Virus/Worm writers don't.

  5. Probably not by Sycraft-fu · · Score: 4, Insightful

    They release patches for critical, out in the wild, flaws as soon as they get them certified. You have to realise that they can't just release a patch right off, by their own policy and as a matter of practise. They have to go through a rather extensive certification procedure to make sure it won't cause computers to blow up. It's similar to patches you see for other OSes like Solaris. You'll hear of a bug and they'll be a patch out, but not one form Sun. That comes a bit later, after they've had time to test it.

    You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

    We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.

    Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.

  6. XP SP2 problems by BenEnglishAtHome · · Score: 5, Informative

    I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

    What a pain in the ass. Is everybody seeing the same trouble?

  7. Some clarification. by hullabalucination · · Score: 4, Informative

    VML is a standard from almost a decade ago.

    It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

    SVG: http://www.w3.org/TR/SVG10/

    SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

    http://en.wikipedia.org/wiki/Vector_Markup_Languag e Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

    Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml

    * * * * *

    It's a small world, but I wouldn't want to have to paint it.
    —Stephen Wright