September 26, 2006 1:35 PM PDT

Microsoft rushes out 'critical' fix

By Joris Evers
Staff Writer, CNET News

Last modified: September 26, 2006 3:40 PM PDT

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Microsoft mulls early IE patch release
September 25, 2006; Porn sites exploit new IE flaw
September 19, 2006; Microsoft pushes out Windows patch ahead of time
January 5, 2006

update Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its scheduled release date.

The company is breaking with its monthly patch cycle to fix a flaw that cybercrooks have been using to attack Windows PCs via Internet Explorer. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or in an e-mail message.

"This was an excellent move on the part of Microsoft, and we're pleased to see them respond to the concerns of the security community," Alex Eckelberry, president of anti-spyware toolmaker Sunbelt Software, said in an e-mail interview. Sunbelt had been monitoring attacks that exploit the flaw, which it said have been increasing.

The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the Web and is used for viewing pages in the IE browser that is part of Windows. Microsoft deems the flaw "critical," its highest severity rating.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said in security bulletin MS06-055. E-mail messages that use HTML, or HyperText Markup Language, look like a Web page.

The vulnerability does not apply to IE 7, the upcoming version of IE that is available right now in a pre-release form, Microsoft said.

Microsoft typically releases fixes each second Tuesday of the month, which has become known as Patch Tuesday. The last time the software maker rushed out a fix was in January, when another image-related flaw in IE was being used to compromise Windows PCs through malicious Web sites.

Security experts had pushed Microsoft to rush out a fix for the VML flaw. A group of security professionals even crafted an unofficial fix for the problem, which was released on Friday.

"Exploitation has already eclipsed that of the last out-of-cycle patch," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. "It appears that there were several million domains that were redirecting to malicious VML sites."

Microsoft's security update is being pushed out to Windows users via Automatic Updates and will also be available on Windows Update.

See more CNET content tagged:
Sunbelt Software, Windows PC, fix, flaw, Microsoft Internet Explorer

Add a Comment (Log in or register) 27 comments (Showing first 20 comments)

Windows source code: spaghetti with no logic.
by katamari September 26, 2006 2:24 PM PDT: > The vulnerability, first reported last week,
> lies in a Windows component called "vgx.dll."
> This component is meant to support Vector
> Markup Language documents in the operating
> system. VML is used for high-quality vector
> graphics on the Web and is used for viewing
> pages in the IE browser that is part of
> Windows.

Creeping featurism. Because Macromedia and Adobe Flash don't do any of that, right? Right.; Reply to this comment View reply
Processing

Avoid IE, better yet avoid MICROSOFT..!!!
by imacpwr September 26, 2006 3:04 PM PDT: IE is nothing more than a hackers dream come true (backdoor to
the core). You want internet security? Avoid using Internet Explorer,
better yet AVOID Microsoft all together..!!!!; Reply to this comment View all 4 replies
Processing

I use a Mac, but atleast
by SeaMoose77 September 26, 2006 3:28 PM PDT: but alteast Microsoft is on the ball and releasing patches.

Every company gets flaws, Apple included, so it's nice to see the
company that many people use get a quick patch.; Reply to this comment

Microsoft's Release Model:
by bob donut September 26, 2006 6:20 PM PDT: if (vulnerability_found
&& (nice_neat_day_for_release
|| press_writes_article ))
{
release_fix();
}
else
{
wide_open_vulnerability = 1;
}; Reply to this comment

I use a Mac, but this is a good thing
by NeverFade September 26, 2006 7:44 PM PDT: Any company that releases a patch for a venerability is a good
thing. Apple releases patches and so does MS.

People shouldn't always have to 'harp' on another person's
computer company if that company is trying to help their own
product for their consumers.; Reply to this comment

With all the remote control viruses out there.
by bigfeet123 September 26, 2006 7:54 PM PDT: Why can't I get easy to install and run remote control software??; Reply to this comment

Critical patches within 24 hours
by wbenton September 27, 2006 7:34 AM PDT: Something Microsoft has yet to learn.

Even though they broke again this time by releasing this Critical patch earlier... it's still FAR TOO LATE by most security concious company's standards!!!

Walt; Reply to this comment

So when will the other Patches go out ?
by kthor12 September 27, 2006 9:55 AM PDT: Microsoft should stop putting it's spyware program unto there updates !!

http://www.stateof-california.com; Reply to this comment

what is and isn't news
by thedreaming September 28, 2006 6:50 AM PDT: Microsoft patching a flaw isn't news. Microsoft patching a flaw ahead of schedule because everyone and their mother started screaming at them about it, that's still not news, but at least it shows that Microsoft is listening.; Reply to this comment

Slam Microsoft! (Don't bother reading the story.)
by Vegaman_Dan September 29, 2006 7:38 AM PDT: Sometimes I wonder why people even bother posting if all they are going to do is complain about Microsoft/Apple/Linux/Jello Pudding is evil and should be destroyed. Do they actually read the story or do they have a macros set to make anti-whatever posts regardless of what the story is about and just rant?

Even when MS does something good like make security patches available, people complain. Since they don't even have to do that much and could leave you all hanging in the wind, I think I wouldn't be complaining so loudly.

It's a case of being damned if you do, damned if you don't.; Reply to this comment View all 2 replies
Processing

See all 27 Comments >>

Latest tech news headlines

Facebook botnet risk revealed
Posted in News - Security by Elinor Mills

September 6, 2008 1:44 PM PDT
Security firm spots Chrome 'SaveAs' flaw
Posted in News - Security by Jonathan Skillings

September 6, 2008 11:33 AM PDT
At 10 years old, whither Google?
Posted in News - Digital Media by CBS Interactive staff

September 6, 2008 10:15 AM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Chrome's JavaScript challenge to Silverlight
The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.
Gallery
Photos: Top 10 reviews of the week
Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.
News - Apple
Apple watchers spot 'iPod Nano' pix, iTunes hints
The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.
Outside the Lines
EIC Squared: Chrome, iPods, and a Dell-Salesforce union
On this week's EIC Squared podcast CNET's Dan Farber and ZDNet's Larry Dignan discuss Google's latest rocket launch--the Chrome browser--as well as Apple's iPod event next week and a Dell-Salesforce.com union.
Video
Katie Couric reflects on first Webcast
The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.
News - Digital Media
At 10 years old, whither Google?
Daniel Sieberg of CBS News looks at how the company grew exponentially from start-up to superstar and part of our culture, but what's ahead?
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Gaming and Culture
Are Demo and TechCrunch50 fragmenting their audiences?
With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Images: The art of 'Spore' prototypes
Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.
Webware
Mozilla releases second Firefox 3.1 alpha
Added features include support for a new video tag element introduced with the HTML 5 standard, along with some speed enhancements.
Green Tech
Duke Energy to invest in mini solar power plants
Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.