Microsoft has stepped outside its normal release schedule to make available a security patch addressing a critical vulnerability in Internet Explorer. The vulnerability, which concerns the Vector Markup Language (VML) component of IE, has been successfully exploited by malicious websites to install malware. Contrary to reports from SANS, Microsoft maintains that attacks based on this vulnerability are very limited in nature, but the company is nonetheless supplying the fix outside its normal patching cycle.
"This was an excellent move on the part of Microsoft, and we're pleased to see them respond to the concerns of the security community," Alex Eckelberry, president of anti-spyware toolmaker Sunbelt Software, said in an e-mail interview. Sunbelt had been monitoring attacks that exploit the flaw, which it said have been increasing.
First reported last week, the vulnerability stems from the Windows component called "vgx.dll", which is intended to support Vector Markup Language documents in the operating system. It has emerged that a flaw in this component makes it possible for an attacker to construct a specially crafted Web page or HTML e-mail that could potentially allow remote code execution. Just days ago, the Zeroday Emergency Response Team (ZERT) supplied an alternative patch, which also fixed this issue.