Microsoft Patches VML Vulnerability

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.

Firefox not vulnerable because VML not supported?

[BadAnalogyGuy]

I had no idea what VML was, so I did a little digging and found the following links.

W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML [w3.org]

Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/defa ult.asp [microsoft.com]

Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

Maybe they should have tested it more...

[HaeMaker]

Installing the patch crashes svchost on my system.

Comment removed

[account_deleted]

Comment removed based on user account deletion

SVG not ignored by Firefox

[6031769]

SVG [mozilla.org] is not ignored by Firefox nor by Mozilla as a whole.

HTH

XP SP2 problems

[BenEnglishAtHome]

I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

What a pain in the ass. Is everybody seeing the same trouble?

Some clarification.

[hullabalucination]

VML is a standard from almost a decade ago.

It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

SVG: http://www.w3.org/TR/SVG10/ [w3.org]

SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

http://en.wikipedia.org/wiki/Vector_Markup_Languag e [wikipedia.org] Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml [isthis4real.com]

* * * * *

It's a small world, but I wouldn't want to have to paint it.
—Stephen Wright