News

Microsoft Releases Out-of-Cycle Patch for VML Flaw

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

Microsoft Corp. released an out-of-cycle patch for a critical vulnerability in Windows and IE relating to Vector Markup Language.

"A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows," reads the Microsoft Security Bulletin posted today about the flaw. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

According to Microsoft, today's patch fixes the problem, but the company also offers a number of "workaround" suggestions, including certain IE configurations and adjusting ISA Server to block VMA traffic.

Microsoft recommends that the patch be applied immediately.

Symantec reported earlier this month that the flaw is "zero-day," in that code exploiting the flaw in IE is live and circulating the Web. Details can be found here.

Microsoft credited IIS X-Force, iDEFENSE and Dan Hubbard at the Websense Security Labs for working help in discovering the flaw.

The company normally waits until its regularly scheduled patch release day -- the second Tuesday of every month, aka "Patch Tuesday" -- to release any updates, although exceptions occur when flaws are thought to be particularly dangerous or vulnerable to malicious code.

"While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks," the company said of the early release on its Microsoft Security Response Center blog.

For more information on today's update, go here.

About the Author

Becky Nagel serves as vice president of AI for 1105 Media specializing in developing media, events and training for companies around AI and generative AI technology. She also regularly writes and reports on AI news, and is the founding editor of PureAI.com. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. Find her on X/Twitter @beckynagel.

Featured