Posted on 09/26/2006 3:54:43 PM PDT by Eagle9
Microsoft on Tuesday broke with its regular security update schedule for only the second time this year to issue a patch for a critical Internet Explorer vulnerability that's been exploited for more than a week.
MS06-055 provides a fix for the flaw in IE 5.01 and IE 6.0, Microsoft said in the accompanying bulletin, and should be applied immediately. The Redmond, Wash. developer pegged the bug as "Critical," its most dire warning, for editions of IE running on Windows 2000, Windows XP, and Windows Server 2003 machines. Windows Server 2003 SP1 is at slightly less risk.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system," the bulletin read. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
The vulnerability exists in IE's rendering of Vector Markup Language (VML) code, an extension of XML that defines Web images in vector graphics format. First reported last Tuesday by Sunbelt Software, the vulnerability was quickly leveraged by attackers to plant large quantities of adware, spyware, and other malware on attacked PCs. Within days, a working exploit had been added to WebAttacker, a Russian-created "kit" sold to hackers.
Although Microsoft indicated last week that it might issue a patch before Oct. 10, it gave no warning Tuesday that it would release a fix. MS06-055 is only the second 2006 update to debut outside the normal second-Tuesday-of-the-month schedule; the first was a fix issued Jan. 5 to quash a widely-exploited bug in the Windows Metafile image format.
One possible fly in the update ointment: Microsoft warned users that users who had earlier applied a Microsoft-sanctioned workaround -- one of the few sanctioned defensive measures available while the company worked on a fix -- might not be able to install the Tuesday patch.
"If the workaround 'Modify the Access Control List on Vgx.dll to be more restrictive' has been applied, the security updates provided with this security bulletin may not install correctly," Microsoft said. It told users they should first reverse the workaround by re-registering the Vgx.dll.
In a side note on its blog, the Microsoft Security Response Team also said that the MS06-049 update originally issued Sept. 8 would be re-released Tuesday.
Thanks for the info. I downloaded it.
Must be what downloaded today with the critical warning.
Same here, along with a Windows Defender update.
I have mine set up to just notify me, IT DOESN'T DOWNLOAD ANYTHING... After it alerted me I went to Windows Update and installed the 2 updates (one was for Windows Defender, the other must have been for this)
I've been running IE7 for a while so I never had to worry about this bug.
Bookmark
One possible fly in the update ointment: Microsoft warned users that users who had earlier applied a Microsoft-sanctioned workaround -- one of the few sanctioned defensive measures available while the company worked on a fix -- might not be able to install the Tuesday patch.
"If the workaround 'Modify the Access Control List on Vgx.dll to be more restrictive' has been applied, the security updates provided with this security bulletin may not install correctly," Microsoft said. It told users they should first reverse the workaround by re-registering the Vgx.dll.
To reverse workaround: Click Start, choose Run, and then type
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Do yourself a favor and get off of IE.
Click Start, choose Run, and then type
Format C:
}:-|
bump
The same day that Microsoft Corp. went out-of-cycle to issue a fix for a critical flaw in Internet Explorer, it also re-released a security update that had corrupted data on some users' PCs. It was the third patch from August's batch that has had to be re-issued.
Version 2.0 of MS06-049, "Vulnerability in Windows Kernel Could Result in Elevation of Privilege," was posted Tuesday in response to warnings earlier this month from Microsoft that the Aug. 8 edition could ruin files on NTFS formatted drives when the PC used Windows' own compression schemes.
Then, Microsoft said while it had created a hotfix, customers had to contact the support desk to obtain a copy. The revised MS06-049 released Tuesday rolled that hotfix into the older update.
Microsoft has recently had to regularly re-issue patches, occasionally multiple times, to fix newly introduced bugs or overlooked flaws. Two weeks ago, it released an August update for Internet Explorer, MS06-042, for the third time. The same day, the Redmond, Wash.-based developer also re-released MS06-040, another August update.
Not really because I initiated it from the start when I set up the computer and control the access through the router and firewall. Only sources I trust get that privilege.
I haven't had a problem with it so far.