Hi folks, my name is Geoff and I am a Program Manager with the IE team focusing on security updates. On Tuesday, Windows released a security update for a vulnerability in the Windows component VML (Vector Markup Language) that can allow remote code execution on an affected system. Although this is not an IE vulnerability, we feel it is important to mention here, as IE can be used as an attack vector for the exploit. The VML team and MSRC have investigated the issue, produced a fix, and coordinated the release plan based on the comprehensiveness of the fix and the spread of exploits on the internet. As with all Microsoft critical updates, we encourage you to download the update immediately in order to protect your system(s) from potential attacks. For the location of the update and further information on this vulnerability, please see the following links:
· Microsoft Security Bulletin MS06-055
· MSRC Blog
I also want to mention that IE7 downlevel and IE7 on Vista ARE NOT affected by this vulnerability, as a newer version of the control was released with IE7 Beta 2. With that said, I want to encourage you to please install the latest version of IE7 today, or follow the links above to download the appropriate update to protect your systems.
Thank you for taking the time to read this post and have a great day!
-Geoff
Comments
Anonymous
September 29, 2006
There is a small bug with IE 7.0
Should I report it to you?

Anonymous
September 29, 2006
I have the Internet Explorer RC-1 and it has short bugs yet while rendering objects with margins predefined. Where can I send my codes and complete description about this problem?
I know that I'm off topic now, but I really want to see the new Internet Explorer improved and you can delete this post if it's necessary. My e-mail is dougsarr@hotmail.com
Thank you!

Anonymous
September 29, 2006
Please report bugs or file suggestions through the Connect site. Thank you!
http://connect.microsoft.com

Anonymous
September 29, 2006
Thanks for the confirmation that IE7 is not affected. Was hoping that was the case because Microsoft Update did not indicate I needed the patch. Out of curiosity, I manually downloaded the VML patch for XP SP2, extracted its contents and compared it to the current vgx.dll file installed on my system. The existing file date and time stamps matched up to the time IE7 RC1 was installed. Another reason to upgrade to IE7! Keep up the great work. Look forward to the final release. Any idea when? Oct? Nov? Thanks.

Anonymous
September 29, 2006
In IE the customize toolbar window is so poorly designed, and the reset button is right under the close button and north-east from the main work area, and that is just stupid. I cannot tell you how many times I have accidentally reset my customization here. Can you please improve this disgusting and obscene design flaw now?

Anonymous
September 29, 2006
@req -- I think they're using the standard Windows "Customize Toolbar" functionality (TB_CUSTOMIZE), so your complaint would best be directed at the Shell/Common Controls folks. They just started a blog/forum at shellrevealed.com; you could post your comment there.

Anonymous
September 29, 2006
This just shows that Microsoft is ahead of everyone in the industry. World's best security record! As you'd expect from one of the world's wealthiest corporations. I can't remember the last time IE ever got infected!!!

Anonymous
September 30, 2006
>>> I also want to mention that IE7 downlevel
>>> and IE7 on Vista ARE NOT affected by this
>>> vulnerability
If I were to un-install IE 7 on XP SP 2, would this mean my computer would become vulnerable, or would Windows still install this update in case of a roll-back to IE 6?

Anonymous
September 30, 2006
@jan0278 you can report the bug, but better spare your time and nerves

Anonymous
September 30, 2006
The comment has been removed

Anonymous
September 30, 2006
The comment has been removed

Anonymous
September 30, 2006
2003 is somewhat affected.
Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.
The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.
####################
But the point is that there was huge security research whose results were presented to MS for free. But they didn't lay a finger to protect their customers from inevitable future attacks.

Anonymous
September 30, 2006
"lay a finger" = "lift a finger" ....

Anonymous
September 30, 2006
I hear that you guys would like to innovate services that can outcompete Google.
Here is one demo idea:
http://www.frips.com/smarty.htm
If such "smartly generated reports" were done right and made available on msn.com or live.com, perhaps they would command premium pricing for advertisers.
Bud at frips.com

Anonymous
September 30, 2006
The comment has been removed

Anonymous
September 30, 2006
@Chris H: "If I were to un-install IE 7 on XP SP 2, would this mean my computer would become vulnerable, or would Windows still install this update in case of a roll-back to IE 6?"
If you start off with IE6 unpatched, then you upgrade to IE7, and then uninstall IE7, you would be back at the state you were in before upgrading: unpatched. Windows Update would then offer you the IE6 patch.

Anonymous
September 30, 2006
@FDutch
the exploit doesn't work with IE7

Anonymous
September 30, 2006
@FDuch
the webfolderview exploit doesn't work with IE7, i.e. IE7 is safe

Anonymous
September 30, 2006
It is sad that some 'expert' wants to create an exploit for the vulnerabilities he brings in himself to promote their importance/priority.
Moore must be thinking he is the only one bringing in vulnerabilities by creating his own exploits.
He should better have thought of the many people he now exposes to malware makers.

Anonymous
September 30, 2006
The comment has been removed

Anonymous
October 01, 2006
>@hAl
>You want even more security by obscurity?
If a vulnerability is known there is no reason for the security researcher to also create an exploit for it and openly present that to malware writers.
That is just disgusting.

Anonymous
October 01, 2006
on an unrelated topic ...
I installed IE7 RC1 and it's taken out my System Information & Help Centre apps .. they are still there in their folders, but reinstalling them from the i386 folder has no effect .. and System Restore doesn't bring them back either (nor does reverting to IE6)
Would be grateful for some suggestions.

Anonymous
October 01, 2006
The comment has been removed

Anonymous
October 01, 2006
@Fduch: You're either ignorant, or lying, although I can't fathom to what end.
Secure@microsoft.com investigates all security bug reports upon receipt.

Anonymous
October 01, 2006
The comment has been removed

Anonymous
October 02, 2006
The comment has been removed

Anonymous
October 02, 2006
"FireFox claims to have 0-1 day patches. This only applies to those downloading development builds." That's just stupid: one thing is how long it takes to create, test and release a patch and another how long it takes the users to install it; 0-1 day is the time after the patch is released. "IE (every month) actually releases patches more often than FireFox (every 2 months recently)." Repeat that out loud, and now think: which product will you trust more? I think the IE Team is doing a great job (except for the JS engine), but come on, at least think before you speak.

Anonymous
October 02, 2006
The comment has been removed

Anonymous
October 02, 2006
Hi all, I'm sorry this post is off-topic, but I really need to submit a bug around IE7. I visited Microsoft Connect; however, I can't find an IE7 entry in the available connections list. Could anyone help? Thanks, James.

Anonymous
October 02, 2006
@James Here is a link to the IE7 support page that will help guide you through your feedback reporting options. Thank you for taking the time to report your bug to the IE Team. http://www.microsoft.com/windows/ie/support/default.mspx

Anonymous
October 02, 2006
2 Annoying Bugs: Does anyone else have the issue with RC1 where, when you are in the Favorites Center and you right-click a folder and click "Sort by name", nothing happens and the favorites remain out of order? Also, if you are in a standard folder (such as "My Documents") and go to the favorites on the top menu, whatever link you open opens TWICE.

Anonymous
October 02, 2006
@Fduch -- "But then why isn't IE7 affected?" ActiveX Opt-in. I went to H.D. Moore's repro page, and it causes the gold bar to appear and ask me if I want to run the ActiveX control. For the majority of users, this will stop these types of exploits in their tracks. However, there are always those users that will ignore the risk and go through the 2+ click process to see the "dancing bunnies."

Anonymous
October 02, 2006
I have a hunch that IE7 final will be released this month along with the OCTOBER SECURITY UPDATES! =)

Anonymous
October 03, 2006
The ActiveX opt-in is a good thing, but how do I reset my preferences once I have accepted one? @ IE Marketing team: In regards to PR, I would recommend clearly stating in any MS advisory or press release whether IE7 is affected or not.

Anonymous
October 03, 2006
The comment has been removed

Anonymous
October 03, 2006
The comment has been removed

Anonymous
October 03, 2006
The comment has been removed

Anonymous
October 03, 2006
@fduch I develop/design software. Waiting a month means nothing to me. We on average solve software bugs in about half a year's time. We could possibly do it a lot faster, but we generally consider the needs of the users and not just those of the testers that found the bugs.

Anonymous
October 03, 2006
A question for the IE team. Will the build 5743 of Vista that is the Friday RC2 release contain a newer version of IE7?

Anonymous
October 03, 2006
Fduch, the general topics of your posts do not seem very positive towards Microsoft. @Kim Calhoun "For one thing, not any of the search places I use on a daily basis is on the list to set for default. Why do I have to be forced into using a website that I don't want to use?" That is why you can add search providers, by yourself or through other people. "The new design features all seem to be big oversized blocks of uselessness." Do you have a 14"/15" screen? If so, I'd recommend you to update. That might have been the standard in 1995, but this is 2006 and people use 19", at least 17". I can't think of any other reason why you would complain about the design's size, because it is not "big" and "obtrusive". Unless of course you are here just to complain because it is cool.

Anonymous
October 03, 2006
The comment has been removed

Anonymous
October 03, 2006
@hAl: Each new build of Vista contains the then-latest build of IE.

Anonymous
October 03, 2006
@jmzl666 "I agree with that, but your last post was comparing apples to oranges: one thing is the time used to release the patch and another the time frame needed to install the patch in the user base. Firefox averages 1 day to release the patch, Microsoft one month (for whatever reason you like); that is the way it is always going to be, the Firefox team does not have to worry about breaking another app or even the OS." I apologize if I confused you about what I meant. I was trying to compare the time between updates to the browser without requiring action. FireFox currently cannot break any outside applications. But they do regularly break extensions, which is a separate problem though. "You are forgetting one thing, Firefox also has an auto update feature, and in general Firefox users are more savvy than IE users, but let's assume that both user bases are equally savvy: why do you assume that IE is updated faster than Firefox? Where are the numbers that show that IE is patched in a month or two and Firefox in 4? I don't have any problems with IE users or fans, but at least show some data that proves you right." I said that IE is every month, while FireFox is every 2 months. If you look at the last few automatic updates to FireFox you'll see there is on average 1.5-2 months in between them.
1.5.0.1 February 1
1.5.0.2 April 13
1.5.0.3 May 2
1.5.0.4 June 1
1.5.0.5 July 27
1.5.0.6 August 2
1.5.0.7 September 14
The following link suggests that a new release contains fixes for more than 1 issue: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox So who decides when it is released? What is the criteria, where do they talk about it? This is why I said "as it gets done" type release schedule. Though I suppose the proper stereotype would be "it's done when we say it is done".
Remember, I'm not talking about when a patch is available, but when the automatic update containing the patch is released, as that is what the largest part of the user base will be part of.

Anonymous
October 03, 2006
PingBack from http://www.aesjkt.com/wp/?p=3816

Anonymous
October 03, 2006
Please, Microsoft, release IE7 with the coming patch day. Vista will be Gold later this month, so IE 7 is probably finished by now. If it's not finished now, please release it with November patch day. Some of the latest vulnerabilities didn't affect IE7, so it's safer than IE6. Millions of customers could benefit from a fast release.

Anonymous
October 03, 2006
@BigAl I would hope they do not decide to release IE7 as a patch on patch day. I hope they will do a phased upgrade cycle where they will start to upgrade relatively smaller groups of people first, just in case there are unforeseen difficulties with the upgrading process. I assume there might still be some troublesome old add-ons around, for instance, that could cause havoc among upgraders. Then they should slowly upgrade the rest of the Windows XP population. All in all, I think taking a month or more to do the upgrades for all XP versions wouldn't be so bad.

Anonymous
October 04, 2006
@hAl Nice idea. If they would provide IE7 for download in mid October and via automatic update in November, that would make roll-out smoother and give more time to fix issues that may arise. After all, I think it should be released to the public at November patch day at the latest. If it's in December the issues may appear just in the peak xmas business season. So if it's November there is more time to fix problems. I don't think there will be so many problems with IE7. Just like the year 2000 hype. In the end everything worked much better than expected.

Anonymous
October 04, 2006
I just hope that most users will accept the update and review it with an open mind. Not discard it because it is different. At least people seem to be embracing Office 2007. If that can be different and do good, hopefully IE7 can too.

Anonymous
March 13, 2007
PingBack from http://winblogs.security-feed.com/2006/09/29/security-update-for-windows-vulnerability-in-vector-markup-language-now-available/