Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Microsoft Patches VML Vulnerability 130

Uncle Rummy writes, "Microsoft has quietly released an official patch for the zero-day VML vulnerability. The patch was publicly available yesterday, But Microsoft has just added it to the Security Bulletin Index." Eight days from time of first report to patch is pretty fast for Microsoft, and is almost two weeks ahead of their normal patch schedule. This security flaw was being aggressively exploited out in the wild.
This discussion has been archived. No new comments can be posted.

Microsoft Patches VML Vulnerability

Comments Filter:
  • by jimstapleton ( 999106 ) on Wednesday September 27, 2006 @12:36PM (#16216067) Journal
    How did it affect DRM such that it encouraged MS to do this?
    • How did it affect DRM such that it encouraged MS to do this?

      Well just guessing but:

      A) These people who write these patches, and the people who work on the DRM and probably not the same.
      B) This probably has alot more code that needed to be changed then the DRM fix.
      • I am guessing he was being sarcastic. but hey.. maybe I am wrong.. wouldnt be the first time.
        • it was pure sarcasm, meant mostly in jest, related to the comments on the previous DRM patch
        • I know he might have been saying that sarcasticly, but there's alot of people on /. who think there is a conspiracy about MS putting the DRM before security patches.
      • More likely that the testing requirements for even a small change to something as complex and widespread as a web browser is enormous. Fixing a buffer overflow, especially when a repro case exists, isn't the hardest thing in the world. Making sure that the changes don't break anything else is quite a bit harder, especially with a product that's already entered its maintenance phase and most of the team has moved on to the next version.
        • The kicker though, there's been zero day exploits that weren't patched before Patch Tuesday anyway. I can fully understand the desire to test it as thoroughly as possible, so I'm not too concerned about the 8 day delay (given the quagmire of code they have to work with)

          What the surprise here is they DID release it early. This has happened only twice before, once with the Windows Meta File (back at the start of the year, http://www.informationweek.com/windows/showArticle .jhtml?articleID=175802202 [informationweek.com] ), which
  • by kf4lhp ( 461232 ) on Wednesday September 27, 2006 @12:36PM (#16216069) Homepage
    Now to see how long it takes my vendors to say "OK, you can safely apply this patch."
    • If your vendor is Cisco (Unity, etc) then I would estimate....six moinths.
    • A good move from Microsoft.I guess it's time to kill the Cyber criminals that are known to be using the bug to install keyloggers, adware and spyware and take over Windows PCs. Thank You Microsoft.
  • Not a bad turnaround (Score:2, Interesting)

    by dynemo ( 650078 )
    Sometimes, I feel like security researchers are intentionally disclosing their new vulnerability information as close to the "Patch Tuesday" as possible in an attempt to force Microsoft to release an out of cycle patch. This time they were successful.
    • by LurkerXXX ( 667952 ) on Wednesday September 27, 2006 @01:02PM (#16216483)
      Umm, here's a big clue for you...

      The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

      That way they are more likely to have it expand for an entire month before MS patches it and messes up their fun.

      Security researchers generally want things secure. Virus/Worm writers don't.
      • The virus/worm writers are the ones releasing the exploit into the wild the day after patch Tuesday.

        I'm a little surprised they don't unleash their nasties on Monday, before Patch Tuesday. It isn't like Microsoft could make corrections that quickly.

      • by Bogtha ( 906264 )

        Security researchers generally want things secure.

        Disclosing vulnerabilities at the least convenient time for Microsoft accomplishes this - in the long run - by discouraging Microsoft from continuing their inane scheduling. If every security researcher published straight after Patch Tuesday, Microsoft would have no option but to give it up.

        • Re: (Score:3, Insightful)

          by LurkerXXX ( 667952 )
          I don't think the patch tuesday was a microsoft idea. The released individually as they finished the review process for years. I think they got feedback from their large corporate customers saying it would be much easier for their admins to only have to certify and install patches in regular batches, rather than haphazardly as each became available. So I think it's microsoft's large customer's inane scheduling idea. Microsoft just accomodated what their largest customers requested. Not that I think it
      • worm = a self-replicating computer program. It uses a network to send copies of itself to other systems and it may do so without any user intervention through the network.

        virus = a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.

        patch = a small piece of software designed to update or fix problems with a computer program. This includes fixing bugs, replacing graphics and improving the usability or performance.

        exploit = a
  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Wednesday September 27, 2006 @12:38PM (#16216125)
    I had no idea what VML was, so I did a little digging and found the following links.

    W3C's introduction to VML: http://www.w3.org/TR/NOTE-VML [w3.org]

    Microsoft's brief introduction to VML: http://msdn.microsoft.com/workshop/author/vml/defa ult.asp [microsoft.com]

    Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.
    • Of course it didn't work in Firefox. MS is not interested in creating webpages that will work in other people's browsers.
      • VML is a standard from almost a decade ago. Firefox wasn't even on their radar in 1998.
        • Some clarification. (Score:5, Informative)

          by hullabalucination ( 886901 ) * on Wednesday September 27, 2006 @01:38PM (#16217023) Journal

          VML is a standard from almost a decade ago.

          It isn't a standard, it was a submission to the W3C for consideration, by Microsoft and some of its useful idiots (HP, Macromedia, Autodesk, Visio). Submissions don't automagically get the thumbs up from the W3C. According to Wikipedia, Adobe, Sun and others submitted a proposal for a competing technology called PGML. Best features of the two technologies were then merged and improved upon to produce:

          SVG: http://www.w3.org/TR/SVG10/ [w3.org]

          SVG became a W3C recommendation on September 4, 2001. Later versions of Opera, Firefox and some other browsers implement at least limited support for SVG. It's also a standard vector graphics creation/exchange format for many open source graphic apps like Inkscape and Scribus. Adobe Illustrator and CorelDraw also support SVG fairly capably. Guess whose browser pointedly doesn't support SVG?

          http://en.wikipedia.org/wiki/Vector_Markup_Languag e [wikipedia.org] Check out the code samples. The SVG code is quite a bit more compact than its VML equivalent.

          Folks on SVG-rendering browsers (Firefox 1.5.x, Opera 8 and above) will possibly enjoy this little demonstration: http://isthis4real.com/orbit.xml [isthis4real.com]

          * * * * *

          It's a small world, but I wouldn't want to have to paint it.
          —Stephen Wright

          • In my work, I created a SVG-based SCADA-like package. I had to build it to run in Adobe's SVG Viewer, because the native Firefox and Opera implementations couldn't run it. Note that I wrote the whole thing with the W3C docs in my hand, not with trial-and-error in the plugin.

            The Firefox implementation misses critical things (the viewbox has some problems) and it is very heavy and slow, compared to Adobe's implementation. The Adobe plugin works right in IE, crashes in Firefox under Windows. Firefox in Linux

            • but the implementations should get better, much better (think Flash-like performance and possibilities; it's all in the standard)

              I think Opera is way ahead of the Mozilla folks on the SVG implementation. That being said, I understand Firefox 2.x will implement SVG 1.1 stuff, like scripting. How well will it implement the new features? Pretty poorly at first, I'm sure. My needs are for basic multimedia implementations, like getting SVG to animate and sync with an audio file. Which is why I'm particularly

    • Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser.

      VML isn't a standard, it was rejected by the W3C.

      Given how Firefox ignores things like MNG and SVG, not surprised they didn't implement VML.
    • "Interestingly, the MS page includes a demo "oval with red background" which doesn't work in my Firefox browser

      Interesting enough the page layout is displayed correctly if Firefox changes User Agent ID to Internet Explorer 6. Under default Firefox ID it displays as a drap one page layout. Why does Microsoft mangle its own pages if viewed under a non MS browser.

      if ($browserid!=IEXP) { mangle.page(); else display.page(); }

      was: Firefox not vulnerable because VML not supported?
    • I also have not much understanding on VML but i know it is kind of buffer overflow.. result from my surfing, VML is a remote code execution vulnerability, exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could ta
  • by shoolz ( 752000 ) on Wednesday September 27, 2006 @12:41PM (#16216159) Homepage
    ...the unofficial patch [heise-security.co.uk] that was release by independant security specialits? A bit of a black eye for MS, no?
    • Probably not (Score:5, Insightful)

      by Sycraft-fu ( 314770 ) on Wednesday September 27, 2006 @01:04PM (#16216503)
      They release patches for critical, out in the wild, flaws as soon as they get them certified. You have to realise that they can't just release a patch right off, by their own policy and as a matter of practise. They have to go through a rather extensive certification procedure to make sure it won't cause computers to blow up. It's similar to patches you see for other OSes like Solaris. You'll hear of a bug and they'll be a patch out, but not one form Sun. That comes a bit later, after they've had time to test it.

      You might not agree with the policy but that's how it is, and there are reasons for doing it that way. People already whine about patches breaking systems when at present it's an extremely rare occurrence (in all the cases I've encountered, said system was spywared and that was the problem). If they rushed patches out without testing and they ended up breaking things, it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

      We are dealing with non-technical users here, remember. A patch can't include a page of instructions of things you need to check first, nor can it be assumed that if it causes a problem the user can troubleshoot and fix it. It pretty much has to work straight off, and has to do so on literally tens of millions of permutations of software and hardware configurations.

      Personally I'd like to see a compromise where they'd release an unofficial, untested patch for power users as soon as they could and the full patch later after testing. However the likely problem would be the unofficial patch would get in the wild, people would tout it as the official MS patch, something would go wrong, and they'd get blamed anyhow.
      • by Feyr ( 449684 )
        / it could easily get to a state where people refused to patch because they were more scared of the patch than the problem.

        that's already the case, even if they HAVE improved in recent years. there's still the stigma associated with patches that seriously broke systems in nt4 and 2k

        the only reason i don't worry about patches breaking my (windows) systems is because they're not critical enough to warrant it just let the auto update do its job. my linux servers, on the other hand, get tested thoroughly before
    • A couple things about that.

      First, if users install a foreign version of VML.DLL via the Heise patch (I don't know the details of that patch), then they run the risk of flagging their software as "non-genuine" and may lose the ability to get further updates from WindowsUpdate. From Microsoft's point of view, they don't want the headache of dealing with these users who broke the genuineness of their software, so getting a patch out quickly to head it off at the pass is in their best interest.

      Second, if the He
  • by HaeMaker ( 221642 ) on Wednesday September 27, 2006 @12:52PM (#16216329) Homepage
    Installing the patch crashes svchost on my system.
    • Re: (Score:3, Funny)

      Back out that change, install Firefox, and go and sin no more.
    • by j79zlr ( 930600 )
      The installation failed on my work PC running Windows 2000. I checked the installation logs and manually editted the permissions on this registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\VGXUpdate Using regedt32.exe set full control to administrators and system users.
  • The Internet Explorer patch was released early because Microsoft was concerned of the critical risk to users. The vulnerability involves the way that the browser handles Vector Markup Language (VML) graphics. Malicious hackers can exploit the flaw by creating a Web page that can download spyware or keyloggers onto a user's system.
    • The Internet Explorer patch was released early because Microsoft was concerned of the critical risk to users.

      I see by your ID (over 1 million, congrats /.!) that you're new here. So we'll let this comment go with just a laugh. Microsoft... caring about... users... hahaha....
    • It's more likley that they found a way to use the exploit to bypass their DRM, which gives it more of a priority...
  • Good for them, doing the right thing here and all.

    It's kind of funny how the security bulleting reads "Vulnerability in Vector Markup Language Could Allow Remote Code Execution". We're not saying that it does, but we think it's possible.

    Gee. Ya think?
  • XP SP2 problems (Score:5, Informative)

    by BenEnglishAtHome ( 449670 ) * on Wednesday September 27, 2006 @01:11PM (#16216603)
    I work in a large organization that push-deployed the patch asap. The result is that any XP machine sitting at Service Pack 1 level for the OS can no longer be successfully updated to SP2 without first deleting a file (c:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll on our image). Then we can install SP2, then re-install the 0-day.

    What a pain in the ass. Is everybody seeing the same trouble?
    • Re: (Score:2, Interesting)

      Why oh why in the world do you still have machines at SP1?

      What's the name of your organization. I'd like to make sure I don't have any of your stock.
      • You don't have any stock in us [irs.gov].

        Why do we have any left at SP1? I could be flip and say it's because we relied on Tivoli to update them, but I won't go there. Basically, we updated about 100K machines and are hunting down the last few hundred, mostly laptops belonging to people who spend all their time in the field and try to never come into the office where they can be updated. (Among our old-timers, it's a real badge of honor to brag that they haven't been in the office in 6 months.) Internal politics

        • Nice to know that the IRS has the same Tivoli issues that we do at Bank of America :-)

          We *finally* got a GateKeeper system up and running on our VPN for AV and critical patches. Took an act of the CIO to get the traders to agree to this...

          Now please don't audit me :-)
          • Interestingly, we have two software distribution systems here. One is Tivoli. The higherups have spent millions and it's damn well gonna get used, whether it works or not.

            The other is a little program named M2 that runs at startup, checks a list in a specified directory, compares it to a local server, and applies anything available on the server that applies to your type of machine. You don't start work until it finishes. Works like a charm. Solid as a rock. Cost us nothing because it was written by o
    • Re: (Score:1, Interesting)

      by plague3106 ( 71849 )
      SP1 isn't supported anymore, so I don't know why you're still running it. At any rate, I would install SP2 before going off to install other patches anyway...
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Is everybody seeing the same trouble?

      The only trouble I am seeing is why it has taken you so long to put SP2 on [some of] your machines.
    • Why are you trying to update SP1 to SP2? If it's for new installations, you really should learn about Slipstreaming. It's really easy to do.

      In fact, here is a script that will not only splipstream in SP2, but all critical updates automatically:

      http://smithii.com/?q=node/12 [smithii.com]
    • I think your pain in the ass comes from the idiot who decided to wait this long to upgrade to Service Pack 2. I've despised Microsoft for a long time, but at least I have legitimate reasons for it. Bashing them for not releasing patches, and then bashing them for releasing patches just seems stupid to me. I suppose I'll get modded as a troll [slashdot.org] again, but lately that seems like a compliment here.
  • There was a 3rd party fix from Zeroday Emergency Response Team http://isotf.org/zert/ [isotf.org] (ZERT) available too and FAQ document written: http://www.securityfocus.com/bid/20096/references [securityfocus.com]

    FAQ document here: http://blogs.securiteam.com/?p=640 [securiteam.com]

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday September 27, 2006 @01:14PM (#16216637) Journal
    MSFT fixes a bug. Then it fixes the patch. Patches the patch. So is that dead bug a good choice as an icon? Please change it to phoenix bird. It is supposed to die and come back alive from its ashes.
  • Thanks to these folks: http://isotf.org/zert/ [isotf.org]
  • For some reason this and 3 other "Critical" patches refuse to install on my system. I've been verified genuine and gone through the MS tech support hoops to no avail. The install always fails and gives me a generic error code. Here are the patches I need but cant get no matter what I do, if anyone knows a possible solution I wont complain.

    Security Update for Windows XP (KB917344)
    Cumulative Security Update for Internet Explorer for Windows XP (KB918899)
    Security Update for Windows XP (KB925486)
    • I just want to point out that ALL error codes on Windows are "generic". My computer switched into 640x480 with 8-bit color and it told me "there was an error" like it wasn't really obvious.

      I can't really help you though.

      So, MS takes "only" 8 days to release a patch, and Firefox gets patches out in a day...which seems better: having exploits running around for over a week being hacked at or having it fixed immediately?
    • by Dog-Cow ( 21281 )
      I went through MS tech support to get WU working on an XP machine, and I saved all the emails in the event that the problem came up again. Send a note to avi.slashdot@mail.ashevin.com and I'll be glad to share them with you.
  • ...they release their operating systems as quickly as they do their security patches. Eight days from the first report to a working patch? That's working fast!
  • yeah thanks to zert for stepping in with the fix. microsoft did not have "time" to release a patch. for what i understand microsoft only released the patch a few days after the third party patch appeared online. coincidence or what? with microsoft being reluctant to change their monthly update cycle. attackers have taken advantage of this. i cant understand why they are reluctant to do this. microsoft just let their users systems be vulnerable and unprotected for several weeks until the new patch is updated
  • Quietly? (Score:2, Insightful)

    by kitman420 ( 864936 )
    Why is it that every time a patch is announced nowadays, it's announced as "X quietly releases a patch"? What? do they need fanfare or something?
    • Quietly as in Microsoft apparently hasn't done any of the things they normally do when they release an offcycle patch, especially for a critical vulnerability with multiple known exploits in the wild and ample media coverage thereof.

      I haven't seen an email notification from Microsoft for this patch yet, and it still hasn't been listed in their Security Bulletin Index (and when I submitted the article, it said as much - for some bizarro reason kdawson decided to change it to the innacurate text stating th
  • I knew it! It's Vulnerable Markup Language!
  • Typical download size: 250 KB , less than 1 minute
    A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it.
    You can help protect your computer by installing this update from Microsoft.
    After you install this item, you may have to restart your computer.
    Check Windowsupdate [blogspot.com]
  • As we noticed a lot of cyber-criminals will be exploiting in any time..I've done some reseaching and interestingly I've found one alternative besides firewall, anti-virus and anti-spyware (which can't solve this problems ).. Do check it out.. http://www.explabs.com/ss/index.html [explabs.com] I think this one can really helps us!!
  • Although this the windows vulnerability, IE and outlook still affected because Internet Explorer and Outlook use the vulnerable library of Windows operating system (so-called VML component) when rendering Vector Markup Language graphics. But not all internet browser are affected because this vulnerability affects only to Internet Explorer. Additionally, other browsers using the rendering component of Internet Explorer, e.g. Avant Browser, are affected.Other Internet browsers, like Mozilla Firefox, Netscape
  • This patch should be released earlier.
  • When it comes to writing about Microsoft's security vulnerabilities, I never know what type of feedback to expect in the discussion. Sometimes the response is loud and clear: we know what we're doing, so we'll happily wait for the patch. Other times, it's the exact opposite: Microsoft better do something quick. And when it came to the Zeroday Emergency Response Team (ZERT) taking the initiative to repair Internet Explorer's Vector Markup Language (VML) vulnerability, I wasn't let down--the majority sentimen

"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault