We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft patches IE bug early

Can't wait until Patch Tuesday

With attackers finding new ways to exploit a critical flaw in Internet Explorer, Microsoft has released a patch for the problem, ahead of its next scheduled round of security updates.

The patch fixes a critical vulnerability in the way Internet Explorer renders VML (Vector Markup Language) graphics. Hackers had been exploiting the flaw, which also affects some versions of Outlook, for more than a week, and in recent days malicious activity had been on the upswing. More information on the update, which was released yesterday, can be found here.

The out-of-cycle release is unusual, but not unprecedented.

Microsoft generally releases its security updates on the second Tuesday of every month, giving system administrators a predictable way to set aside time to test the new software. Occasionally, the company will release patches ahead of time if a flaw is being widely exploited by attackers. In January it patched a critical flaw in the Microsoft WMF (Windows metafile) image-rendering engine after it became a widespread problem.

With attack code that works on the latest version of Windows XP now publicly available, the VML bug is shaping up as a very serious concern for administrators, said Ken Dunham, the director of Verisign's iDefense Rapid Response Team. VML attacks have now "dwarfed the WMF activity in the same period of time compared to last year", he said.

By yesterday, more than 3,000 websites were already infecting users with malware that exploited the VML bug, according to Dunham. One week into the WMF outbreak last January, iDefense saw about 600 sites exploiting the problem.

Security experts warn that there are many variants of the VML malware, some of which may be missed by security software. Researchers at iDefense are now looking at a dozen possible variations of the VML exploit code and have confirmed the existence of seven variants, Dunham said. "With WMF there wasn't nearly as much modification. We see a lot of different permutations and obfuscation techniques being utilise with VML attacks."

A group of security researchers released a patch for the VML flaw late last week, independent of Microsoft.

But criminals have even found a way to make patching seem dangerous.

In the past few days they have been circulating fake emails, claiming to be a patch for the VML problem. If downloaded, this 'patch' actually installs malicious software on the victim's system, Dunham said.

Microsoft's next regularly scheduled security updates will be released 10 October.


IDG UK Sites

The best iPhone 6 alternatives: Price and specs compared with the best smartphones

IDG UK Sites

The top 10 Apple products ranked by pixel density: Which Apple devices have the sharpest screens?

IDG UK Sites

SBTRKT's Look Away webcam-based interactive music video won't keep your gaze

IDG UK Sites

Retina MacBook Air release date rumours and specs: Gold 12in Retina MacBook Air almost 1cm thinner...