Microsoft addresses VML threat with a critical security bulletin
Takeaway: Two weeks before its regularly scheduled Patch Tuesday, Microsoft released a security bulletin to address a critical VML vulnerability. John McCormick has the details in this edition of the IT Locksmith.
Breaking away from its traditional patch cycle, Redmond has released a critical security bulletin two weeks before October's Patch Tuesday. The update addresses the actively exploited Virtual Markup Language (VML) threat present in Internet Explorer.
Details
As regular readers of this column's discussions already know, Microsoft determined that the VML threat I discussed in the last issue was serious enough to require a rush patch release. On September 26—two weeks before its regularly scheduled Patch Tuesday—the software giant released a security bulletin to address the threat.
Considering that Microsoft took the extraordinary step of releasing this bulletin out of sequence, managers certainly need to pay attention to it. This threat's official name is VML Buffer Overrun Vulnerability, designated CVE-2006-4868.
Rated critical for most affected versions, Microsoft Security Bulletin MS06-055 affects Windows 2000 Service Pack 4, all versions of Windows XP, and all versions of Windows Server 2003. The only exception is Windows Server 2003 SP1, for which the VML vulnerability presents only a moderate threat.
For Windows 2000 SP4 running Internet Explorer 6 SP1, this bulletin replaces Microsoft Security Bulletin MS04-028. However, it doesn't replace any earlier bulletins for other affected platforms.
Note: The Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 will not properly report the need for this patch, but MBSA 2.0 will. The Enterprise Scanning Tool (EST) works for some OS versions, but not others. If you want to take a chance on EST, I suggest checking the security bulletin for more details.
Systems Management Server (SMS) 2.0 will properly report if this patch is required on all platforms, but SMS 2.0 only works correctly for some combinations of OS and EST. So, I don't recommend relying on it.
At a quick glance, the mitigating factors and workarounds listed by Microsoft in the security bulletin appear to be essentially unchanged from the ones discussed in the last edition of the IT Locksmith. Of course, if you haven't yet addressed this threat in your organization, you should look over the explanations in MS06-055 rather than the earlier information.
However, if you've already made changes to the way VML.dll works on your system (a Microsoft-approved workaround), you should probably undo these changes before installing the update.
Final word
Although I'm usually not a big fan of rushing to install a patch immediately, I've kept an eye on the discussion groups and haven't seen any significant reports of problems caused by the patch. Given that, and the fact that there are active attacks taking place using this vector, every manager should apply the patch. If you're too cautious to do so immediately, then at least apply the workarounds.
For those of you who are a bit new to all this, MITRE Corp. is responsible for creating CVE—which stands for Common Vulnerabilities and Exposures—designations. MITRE, a large but rather stealthy IT consulting firm that works mostly with U.S. government agencies, receives funding from the U.S. Department of Homeland Security.
The purpose of the CVEs is to provide a standardized name for IT threats, which helps alleviate the vast confusion caused by different companies giving different names to the same threat. Now, if only someone had the muscle to do this for malware!
Also watch for…
- Vista security is getting a very big push from Microsoft. Rumors are circulating that the company may push back the release of this OS even further if security problems crop up—and don't they always?—in what's probably the largest beta test program ever.
- Reports have surfaced that hackers are currently taking advantage of a new PowerPoint flaw. No patch is available, but Microsoft has released a security advisory about the issue, "Vulnerability in PowerPoint Could Allow Remote Code Execution."
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

