
Microsoft considers early patch for VML flaw, now exploited through various vectors

Microsoft's zero-day vector markup language (VML) vulnerability now is being actively exploited through a number of distinct vectors, including e-cards, the SANS Internet Storm Center said late Monday.

In response to the severity and widespread nature of the attacks, Microsoft is considering releasing an early patch for the bug, a company spokesman said yesterday.

Attacks conducted via Visa phishing schemes and CoolWebSearch, a spyware program, have exploited the flaw, which is caused by an error in the way Internet Explorer processes vector markup language, a component of extensible markup language (XML) used to produce vector graphics.

Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said the bug has been exploited on some 1,800 servers. Up to three million websites contain iFrame links that redirect users to sites hosting the exploit, he said.

"(We have) confirmed successful attacks within 45 large networks and over 10,000 consumer infections on one large network alone," Dunham said in an email late Monday.

Published exploit code began appearing Monday, Dunham said.

The million-dollar question is when Microsoft will patch the vulnerability. Right now, a third-party fix, released earlier this week by the newly formed Zeroday Emergency Response Team (ZERT), is available.

"While attacks using this vulnerability remain limited, our work on an update progresses," a Microsoft spokesman said Monday. "As noted in the (Microsoft Security Response Center) blog entry from Friday, we are working through our engineering process, with a focus on quality, to try and release this update ahead of our monthly cycle (Oct. 10)."
