Version: 2008
  • On UrbanBaby: I won't vaccinate my daughter!

September 26, 2006 1:35 PM PDT

Microsoft rushes out 'critical' fix

  • 27 comments
Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its scheduled release date.

The company is breaking with its monthly patch cycle to fix a flaw that cybercrooks have been using to attack Windows PCs via Internet Explorer. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or in an e-mail message.

"This was an excellent move on the part of Microsoft, and we're pleased to see them respond to the concerns of the security community," Alex Eckelberry, president of anti-spyware toolmaker Sunbelt Software, said in an e-mail interview. Sunbelt had been monitoring attacks that exploit the flaw, which it said have been increasing.

The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the Web and is used for viewing pages in the IE browser that is part of Windows. Microsoft deems the flaw "critical," its highest severity rating.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said in security bulletin MS06-055. E-mail messages that use HTML, or HyperText Markup Language, look like a Web page.

The vulnerability does not apply to IE 7, the upcoming version of IE that is available right now in a pre-release form, Microsoft said.

Microsoft typically releases fixes each second Tuesday of the month, which has become known as Patch Tuesday. The last time the software maker rushed out a fix was in January, when another image-related flaw in IE was being used to compromise Windows PCs through malicious Web sites.

Security experts had pushed Microsoft to rush out a fix for the VML flaw. A group of security professionals even crafted an unofficial fix for the problem, which was released on Friday.

"Exploitation has already eclipsed that of the last out-of-cycle patch," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. "It appears that there were several million domains that were redirecting to malicious VML sites."

Microsoft's security update is being pushed out to Windows users via Automatic Updates and will also be available on Windows Update.

See more CNET content tagged:
Windows PC, Sunbelt Software, flaw, malicious software, fix

Add a Comment (Log in or register) (27 Comments)
  • prev
  • 1
  • next
Windows source code: spaghetti with no logic.
by katamari September 26, 2006 2:24 PM PDT
> The vulnerability, first reported last week,
> lies in a Windows component called "vgx.dll."
> This component is meant to support Vector
> Markup Language documents in the operating
> system. VML is used for high-quality vector
> graphics on the Web and is used for viewing
> pages in the IE browser that is part of
> Windows.

Creeping featurism. Because Macromedia and Adobe Flash don't do any of that, right? Right.
Reply to this comment
And have you seen the source?
by foo_man September 26, 2006 4:06 PM PDT
I don't like IE either, but I doubt you've seen Windows source code. Cupholders are scope creep on cars, right? Just playing devil's advocate.
View reply
Avoid IE, better yet avoid MICROSOFT..!!!
by imacpwr September 26, 2006 3:04 PM PDT
IE is nothing more than a hackers dream come true (backdoor to
the core). You want internet security? Avoid using Internet Explorer,
better yet AVOID Microsoft all together..!!!!
Reply to this comment
WE'RE AGREED ON THAT!
by Morty 101 September 26, 2006 4:17 PM PDT
I couldn't agree more! Everything MS does is either, overpriced, garbage or both!
My browser is Firefox (far superior to IE), my Office suite is Openoffice2 (much more versalite than MS Office).
If I was braver I'd try Linux (probably Suse) but until then I'll stick with Windows 2K. XP did nothing but crash on me, and I've heard that Vsta is terrible!
WE'RE AGREED ON THAT!
by Morty 101 September 26, 2006 4:17 PM PDT
I couldn't agree more! Everything MS does is either, overpriced, garbage or both!
My browser is Firefox (far superior to IE), my Office suite is Openoffice2 (much more versalite than MS Office).
If I was braver I'd try Linux (probably Suse) but until then I'll stick with Windows 2K. XP did nothing but crash on me, and I've heard that Vsta is terrible!
View all 3 replies
little common sence
by elliottfire September 26, 2006 5:29 PM PDT
avoid microsoft come on be better to be helpfull instead of bashing if u dont like microsoft thats cool thats your opinion i don't think this was a do you like microsoft question to start with , eh
In two
by paulsecic September 27, 2006 10:39 AM PDT
months I'm leaving Bugtown for Apple.
View reply
I use a Mac, but atleast
by SeaMoose77 September 26, 2006 3:28 PM PDT
but alteast Microsoft is on the ball and releasing patches.

Every company gets flaws, Apple included, so it's nice to see the
company that many people use get a quick patch.
Reply to this comment
Microsoft's Release Model:
by bob donut September 26, 2006 6:20 PM PDT
if (vulnerability_found
&& (nice_neat_day_for_release
|| press_writes_article ))
{
release_fix();
}
else
{
wide_open_vulnerability = 1;
}
Reply to this comment
I use a Mac, but this is a good thing
by NeverFade September 26, 2006 7:44 PM PDT
Any company that releases a patch for a venerability is a good
thing. Apple releases patches and so does MS.

People shouldn't always have to 'harp' on another person's
computer company if that company is trying to help their own
product for their consumers.
Reply to this comment
With all the remote control viruses out there.
by bigfeet123 September 26, 2006 7:54 PM PDT
Why can't I get easy to install and run remote control software??
Reply to this comment
Critical patches within 24 hours
by wbenton September 27, 2006 7:34 AM PDT
Something Microsoft has yet to learn.

Even though they broke again this time by releasing this Critical patch earlier... it's still FAR TOO LATE by most security concious company's standards!!!

Walt
Reply to this comment
So when will the other Patches go out ?
by kthor12 September 27, 2006 9:55 AM PDT
Microsoft should stop putting it's spyware program unto there updates !!







http://www.stateof-california.com
Reply to this comment
what is and isn't news
by thedreaming September 28, 2006 6:50 AM PDT
Microsoft patching a flaw isn't news. Microsoft patching a flaw ahead of schedule because everyone and their mother started screaming at them about it, that's still not news, but at least it shows that Microsoft is listening.
Reply to this comment
Slam Microsoft! (Don't bother reading the story.)
by Vegaman_Dan September 29, 2006 7:38 AM PDT
Sometimes I wonder why people even bother posting if all they are going to do is complain about Microsoft/Apple/Linux/Jello Pudding is evil and should be destroyed. Do they actually read the story or do they have a macros set to make anti-whatever posts regardless of what the story is about and just rant?

Even when MS does something good like make security patches available, people complain. Since they don't even have to do that much and could leave you all hanging in the wind, I think I wouldn't be complaining so loudly.

It's a case of being damned if you do, damned if you don't.
Reply to this comment
I wonder why you wonder!
by VidPro September 29, 2006 12:28 PM PDT
"Even when MS does something good like make security patches
available, people complain."

There are two well known reasons why people complain, and
Microsoft making security patches available is NOT one of them.

They complain because Windows was never meant to be a secure
operating system, and now that MS has finally learned that
security is a good thing, they are trying to patch their system as
they find flaws, rather than starting from scratch, which would
be the only way to do it right. Vista will be an improvement, but
still not secure enough. (Else why Windows Defender and the
other anti-malware products?)

The other reason is that although MS does patch the operating
system and other programs such as Internet Explorer, they
found the constant parade of patches so embarrassing that they
started to roll all the patches into a monthly event. Even on the
rare occasion when they realize that they can't wait that long,
they don't react soon enough since they only patch out of turn
when shamed into it by already exploited vulnerabilities.
It is not that they patch
by qwerty75 September 29, 2006 12:50 PM PDT
Is that they patch slower then others by several orders of magnitudes and those patches are often ill-tested and break something or introduce new flaws.

Compare IE vs Firefox. Firefox releases a fix within days(sometimes hours), well before any possible exploits, and is done right. IE sometimes takes months, but almost always patches after exploits and their patches are extremely flawed.

Not to mention the fact that no MS products were built with security in mind.

See the difference and the reason for complaints now?
(27 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (0.17%) 0.05 29.83
Dow Jones Industrials (-0.83%) -86.53 10,366.15
S&P 500 (-0.84%) -9.32 1,099.92
NASDAQ (-0.54%) -11.89 2,173.14
CNET TECH (-0.06%) -0.95 1,592.69
  Symbol Lookup
advertisement
Click Here

Inside CNET News

Scroll Left Scroll Right