VML Exploit Patched by Microsoft

Microsoft noted on their blog that they might release the patch to fix the VML exploit early if it met all the tests and requirements, and apparently it already has. Thanks Sunbeltblog.

A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Check Windows Update to get it.

Added: Just saw this post from a technet blog, “OUT OF BAND” Security Bulletin has been released – Microsoft Security Bulletin MS06-055,

On Tuesday September 26th 2006, the Microsoft Security Response Center (MSRC) released one (1) new Security Bulletin. This Security Bulletin Release is in addition to our regularly scheduled monthly security bulletin release for September 2006. A release of this type is often referred to as “Out of Band”.

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

And this post from the Microsoft Security Response Center Blog,

Hey everyone, Craig Gehre here. We’re in the process of releasing out of band update MS06-055 to address the VML issue. At the moment, Windows Update, Microsoft Update, and Autoupdate are live. We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly. Until that time the links might not work in the bulletin until the packages appear on the download center. The WSUSscan.cab for SMS and MBSA 2.0 users is also in process and will be published soon. We’ll provide a follow-on blog post shortly once we get everything up.

We’re also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well.

Anyway, finally, I know they want to test this stuff thoroughly, but sometimes you just gotta rush stuff, especially when you have unsuspecting users on the line.