Security Update for Windows Vulnerability in Vector Markup Language – Now Available


Hi folks, my name is Geoff and I am a Program Manager with the IE team focusing on security updates. On Tuesday, Windows released a security update for a vulnerability in the Windows component VML (Vector Markup Language) that can result in remote code execution on an affected system. Although this is not an IE vulnerability, we feel it is important to mention here, as IE can be used as an attack vector for the exploit. The VML team and MSRC have investigated the issue, produced a fix, and coordinated the release plan based on the comprehensiveness of the fix and the spread of exploits on the internet. As with all Microsoft critical updates, we encourage you to download the update immediately in order to protect your system(s) from potential attacks. For the location of the update and further information on this vulnerability, please see the following links:

· Microsoft Security Bulletin MS06-055
· MSRC Blog

I also want to mention that IE7 downlevel and IE7 on Vista ARE NOT affected by this vulnerability as a newer version of the control was released with IE7 Beta 2. With that said, I want to encourage you to please install the latest version of IE7 today or follow the links above to download the appropriate update to protect your systems.

Thank you for taking the time to read this post and have a great day!
-Geoff

Comments (49)

  1. jan0278 says:

    There is a small bug with IE 7.0

    Should i report it to you?

  2. I have the Internet Explorer RC-1 and it has short bugs yet while rendering objects with margins predefined. Where can I send my codes and complete description about this problem?

    I know that I’m off topic now, but I really want to see the new Internet Explorer improved and you can delete this post if it’s necessary. My e-mail is dougsarr@hotmail.com

    Thank you!

  3. ieblog says:

    Please report bugs or file suggestions through the Connect site. Thank you!

    http://connect.microsoft.com

  4. TJ says:

    Thanks for the confirmation that IE7 is not affected. Was hoping that was the case because Microsoft Update did not indicate I needed the patch. Out of curiosity, I manually downloaded the VML patch for XP SP2, extracted its contents and compared it to the current vgx.dll file installed on my system. The existing file date and time stamps matched up to the time IE7 RC1 was installed. Another reason to upgrade to IE7! Keep up the great work. Look forward to the final release. Any idea when? Oct? Nov? Thanks.

  5. req says:

    In IE the customize toolbar window is so poorly designed: the reset button is right under the close button and north-east from the main work area, and that is just stupid. I cannot tell you how many times I have accidentally reset my customization here. Can you please improve this disgusting and obscene design flaw now?

  6. PatriotB says:

    @req — I think they’re using the standard Windows "Customize Toolbar" functionality (TB_CUSTOMIZE), so your complaint would best be directed at the Shell/Common Controls folks.  They just started a blog/forum at shellrevealed.com; you could post your comment there.

  7. goose says:

    This just shows that Microsoft is ahead of everyone in the industry. World’s best security record! As you’d expect from one of the world’s wealthiest corporations. I can’t remember the last time IE ever got infected!!!

  8. Chris H says:

    >>> I also want to mention that IE7 downlevel

    >>> and IE7 on Vista ARE NOT affected by this

    >>> vulnerability

    If I were to un-install IE 7 on XP SP 2, would this mean my computer would become vulnerable, or would Windows still install this update in case of a roll-back to IE 6?

  9. Fduch says:

    @jan0278 you can report the bug, but better spare your time and nerves

  10. Fduch says:

    Speaking of IE vulnerabilities:

    Microsoft has confirmed a new, unpatched vulnerability in Internet Explorer, and promised to fix the problem with an update on Oct. 10. In a security advisory posted on its support site, Microsoft admitted that an ActiveX control — WebViewFolderIcon, also called "Web View" — exposes a vulnerability in the Windows Shell that can be exploited by attackers to hijack PCs.

    The likely attack vector, said Microsoft, would be the now-standard malicious Web site; victims would have to be drawn to the site with e-mailed or IMed lures, or surf to it on their own to be attacked. All currently-supported editions of Windows are at risk, including Windows 2000, XP (SP1 and SP2), and Windows Server.

    Thursday, security vendors and organizations, including Symantec and US-CERT, warned that exploit code had been released.

    #########################

    The bug was originally reported in July as part of HD Moore’s "Month of Browser Bugs" project where he identified dozens of flaws in IE and other Web browsers. The vast majority of those vulnerabilities remain unpatched.

    #########################

    As I said. They don’t look at bugs until the malware using the exploit is **IN THE WILD**. Just having ProofOfConcept exploit is not enough.

  11. random_n says:

    The customize toolbar box is only horrible until you realize that you can drag and drop things easily.

    As for the new exploit, it only says "supported versions of Windows", which kinda may-or-may-not include XP/2003 with IE7. So, is Internet Explorer 7 affected by this new vulnerability?

  12. Fduch says:

    2003 is somewhat affected.

    Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

    The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.

    ####################

    But the point is that there was huge security research whose results were presented to MS for free. But they didn’t lay a finger to protect their customers from inevitable future attacks.

  13. Fduch says:

    "lay a finger" = "lift a finger" ….

  14. Bud Labitan says:

    I hear that you guys would like to innovate services that can outcompete Google.

    Here is one demo idea:

    http://www.frips.com/smarty.htm

    If such "smartly generated reports" were done right and made available on msn.com or live.com, perhaps they would command premium pricing for advertisers.

    Bud at frips.com

  15. PatriotB says:

    @Fduch — "Microsoft has confirmed a new, unpatched vulnerability in Internet Explorer"  — that is a false sentence.  The vulnerability is not in IE, it is in the shell component WebViewFolderIcon.  It can be exposed via IE, but so can, say, vulnerabilities in Flash, so does that make a Flash bug an IE bug?

    WebViewFolderIcon is used by Windows 2000 (and 98/Me) in the web view in order to display folder icons.  It’s not used by the OS in XP/2003, so I’m wondering why it wasn’t removed when those OSes were released…

  16. PatriotB says:

    @Chris H: "If I were to un-install IE 7 on XP SP 2, would this mean my computer would become vulnerable, or would Windows still install this update in case of a roll-back to IE 6?"

    If you start off with IE6 unpatched, then you upgrade to IE7, and then uninstall IE7, you would be back at the state you were in before upgrading: unpatched.  Windows Update would then offer you the IE6 patch.

  17. Luc says:

    @FDutch

    the exploit doesn’t work with IE7

  18. Luc says:

    @FDuch

    the webfolderview exploit doesn’t work with IE7 i.e. IE7 is safe

  19. hAl says:

    It is sad that some ‘expert’ wants to create an exploit for the vulnerabilities he brings in himself to promote their importance/priority.

    Moore must be thinking he is the only one bringing in vulnerabilities by creating his own exploits.

    He should better have thought of the many people he now exposes to malware makers.

  20. Fduch says:

    @PatriotB

    I agree that it’s not IE vulnerability.

    But then why isn’t IE7 affected?

    @Luc

    It’s good that IE7 is not vulnerable.

    @hAl

    You want even more security by obscurity?

    So you are with MS in "While there is no malware epidemic using the hole we’ll do nothing"?

    >"It is sad that some ‘expert’ wants to create an exploit for the vulnerabilities he brings in himself to promote their importance/priority."

    Wrong!

    "It is sad that experts ##MUST## create an exploit for vulnerabilities to promote their importance/priority."

    >"He should better have thought of the many people he now exposes to malware makers."

    ????

    It’s MS who exposed people to malware. And it refuses to protect them.

    You can dislike that guy, but you MUST cooperate with him and others to protect customers.

    What if he told you he knows about terrorist attack being prepared? You’d say "We don’t like the guy. We won’t listen to him.". Just like the situation before Hurricane Katrina.

  21. hAl says:

    >@hAl

    >You want even more security by obscurity?

    If a vulnerability is known there is no reason for the security researcher to also create an exploit for it and openly present that to malware writers.

    That is just disgusting.

  22. Owl says:

    on an unrelated topic …

    I installed IE7 RC1 and it’s taken out my System Information & Help Centre apps .. they are still there in their folders, but reinstalling them from the i386 folder has no effect .. and System Restore doesn’t bring them back either (nor does reverting to IE6).

    I’d be grateful for some suggestions.

  23. Fduch says:

    @hAl

    >If a vulnerability is known there is no reason for the security researcher to also create an exploit for it and openly present that to malware writers.

    Why do you think that he released the exploit to the public?

    As I said, a security researcher who found a security hole often MUST create/find an exploit to make MS even look at the bug. What I learned from some MS letters is that

    ********

    Having remote execution proof of concept exploit is not enough to make MS look at the bug.

    ********

    I saw MS demanding it to be "in the wild".

    @Vilius

    What are you doing here? Watch MTV, eat a hot-dog, admire Bush, don’t think, be happy.

  24. Ted says:

    @Fduch: You’re either ignorant, or lying, although I can’t fathom to what end.

    Secure@microsoft.com investigates all security bug reports upon receipt.

  25. hAl says:

    @Fduch

    I must agree with Ted.

    It is ridiculous to think that MS only considers bugs that are found in the wild.

    I can imagine however that they prioritize patches for bugs found in the wild. That is only logical. And it seems Moore is trying to get his bugs on that priority list and get some publicity for it.

    Amazingly, just days after Moore has publicized the exploit it is now found in the wild. Especially used for spreading the extremely annoying well known CoolWebSearch malware. With the exploit mediocre hackers can now easily adapt existing malware to profit from a new exploit and many thousands of people, maybe even millions, will have their computer filled with junk just thanks to Mr Moore.

  26. Aedrin says:

    Eat hot dog?

    I wonder if Fduch only dislikes Microsoft because it is an american company…

    As I’ve pointed out before. You do not help anyone by creating an exploit to "force" Microsoft to fix it.

    When you do that, you are part of the problem. Moore is thus part of the problem of security. No amount of "but I’m only trying to help the consumer"s will make you look any better.

    Every single product out there has security flaws and bugs. This is because as much as you want it, perfect does not exist.

    FireFox claims to have 0-1 day patches. This only applies to those downloading development builds. IE (every month) actually releases patches more often than FireFox (every 2 months recently).

    As the user base of a product grows, there is a lot more involved than just fixing the bug.

  27. jmzl666 says:

    "FireFox claims to have 0-1 day patches. This only applies to those downloading development builds."

    That’s just stupid, one thing is how long it takes to create, test and release a patch and another how long it takes the users to install it, 0-1 day is the time after the patch is released.

    "IE (every month) actually releases patches more often than FireFox (every 2 months recently)."

    Repeat that out loud, and now think, which product will you trust more?

    I think the IE Team is doing a great job (except for the JS engine), but come on, at least think before you speak.

  28. Aedrin says:

    "That’s just stupid, one thing is how long it takes to create, test and release a patch and another how long it takes the users to install it, 0-1 day is the time after the patch is released."

    It is much more important when the general user has the patch applied, than when it is just available. Few people will download the patches by themselves. I’m looking at the most common user, not the technically savvy person using Linux.

    "Repeat that out loud, and now think, which product will you trust more?"

    If I’m a company deciding between those two, and I know that one of them has a regular+scheduled update process which is monthly, versus a random "as it gets done" release schedule which is bi-monthly, well, obviously I will choose the first one.

    Just because it makes sense to you – and I’m assuming you are more technically experienced than the average browser – doesn’t mean that it will work for the average user at home or at work. Most users will not update unless it is done for them, through Windows Update, or internal product updates.

  29. James says:

    Hi all,

    I’m sorry this post is off-topic, but I really need to submit a bug around IE7. I visited Microsoft Connect, however, I can’t find the IE7 entry in the available connections list.

    Could anyone help?

    Thanks,

    James.

  30. ieblog says:

    @James

    Here is a link to the IE7 support page that will help guide you through your feedback reporting options. Thank you for taking the time to report your bug to the IE Team.

    http://www.microsoft.com/windows/ie/support/default.mspx

  31. DR_DREW says:

    2 Annoying Bugs:

    Does anyone else have the issue with RC1 where when you are in the favorite center and you right click a folder and click "sort by name" nothing happens and the favorites remain out of order?

    Also, if you are in a standard folder (such as "My Documents") and go to the favorites on the top menu, whatever link you open opens TWICE.

  32. PatriotB says:

    @Fduch — "But then why isn’t IE7 affected?"

    ActiveX Opt-in.  I went to H.D. Moore’s repro page, and it causes the gold bar to appear and ask me if I want to run the ActiveX control.

    For the majority of users, this will stop these types of exploits in their tracks.  However, there are always those users that will ignore the risk and go through the 2+ click process to see the "dancing bunnies."

  33. Bologna says:

    I have a hunch that IE7 final will be released this month along with the OCTOBER SECURITY UPDATES! =)

  34. The ActiveX opt-in is a good thing but how do I reset my preferences once I had accepted one?

    @ IE Marketing team

    In regards to PR I would recommend to clearly state in any MS advisory or press release whether IE7 is affected or not.

  35. Kim Calhoun says:

    I did not at all care for the design layout of IE7.

    I uninstalled it, and hope to never be forced to use it.

    The new design features all seem to be big oversized blocks of uselessness.

    I don’t care for the Search always being th and obtrusive.

    For one thing, not any of the search places I use on a daily basis is on the list to set for default. Why do I have to be forced into using a website that I don’t want to use?

    Not cool.

    Then I could find no way in which to exit the search box off the browser.

    I don’t want a big, useless search box on my browser.

    Then there is the tab browsing obtrusive box.

    What the heck is this? Nothing but wasted space…again.

    I already have the url address showing up in the address bar. I like the address bar being sleek and narrow.

    Again, I could find no way in which to exit out of this ridiculous feature.

  36. Fduch says:

    @ Aedrin

    >I wonder if Fduch only dislikes Microsoft

    Actually I love Microsoft. And I like and use IE7 since the first beta. But sometimes MS/IE7 are a bit hard to love.

    Of course when I’m not in this blog I defend MS/IE as long as what I am saying remains true.

    @hAl

    >It is ridiculous to think that MS only considers bugs that are found in the wild.

    Not long ago I stumbled upon a page where a member from some small security team "blogged" about a bug/hole he found in the MS SMB protocol. He first thought that it was a mailslot bug, but then found out it wasn’t. The bug was very easy to use. Like sending a simple string to the SMB service. To cut a long story short, he wrote to MS about it. They answered that there was no exploit. He wrote that writing an exploit is very easy and sent a little PoC exploit. MS answered that they didn’t see any exploit using the vulnerability in the wild, and communication stopped.

    Speaking of Moore:

    What vulnerabilities from his list were patched? (Don’t forget that before he published the list he (I think) contacted MS and waited for at least a month)

    Only vulnerabilities actively used for exploiting were patched.

  37. Fduch says:

    @Mr very-witty Kim Calhoun

    >Then I could find no way in which to exit the search box off the browser.

    It’s right before your nose. But you must have eyes to find it.

    >The new design features all seem to be big oversized blocks of uselessness.

    Can you provide your mail address so that I can send you a ruler to compare IE6 and IE7 (+FF and Opera)? Or maybe you’d prefer a monocle?

    >For one thing, not any of the search places I use on a daily basis is on the list to set for default. Why do I have to be forced into using a website that I don’t want to use?

    What are your secret ultimate search engines?

    What were you doing when you used IE6? You were "forced" not to use search at all?

    >Again, I could find no way in which to exit out of this ridiculous feature.

    Hint: use your eyes to find the clue

    >I already have the url address showing up in the address bar. I like the address bar being sleek and narrow.

    If the address bar were narrow then how would you see your URL?

  38. hAl says:

    @fduch

    I develop/design software. Waiting a month means nothing to me. We on average solve software bugs in about half a year’s time.

    We could possibly do it a lot faster but we generally consider the needs of the users and not just those of the testers that found the bugs.

  39. hAl says:

    A question for the IE team.

    Will the build 5743 of Vista that is the friday RC2 release contain a newer version of IE7 ?

  40. Aedrin says:

    Fduch, the general topics of your posts do not seem very positive towards Microsoft.

    @Kim Calhoun

    "For one thing, not any of the search places I use on a daily basis is on the list to set for default. Why do I have to be forced into using a website that I don’t want to use?"

    That is why you can add search providers, by yourself or through other people.

    "The new design features all seem to be big oversized blocks of uselessness."

    Do you have a 14"/15" screen? If so, I’d recommend you to update. That might have been the standard in 1995 but this is 2006 and people use 19", at least 17".

    I can’t think of any other reason why you would complain about the design’s size, because it is not "big" and "obtrusive".

    Unless of course you are here just to complain because it is cool.

  41. jmzl666 says:

    "It is much more important when the general user has the patch applied, than when it is just available."

    I agree with that, but your last post was comparing apples to oranges, one thing is the time used to release the patch and another the time frame needed to install the patch in the user base, Firefox averages 1 day to release the patch, Microsoft one month (for whatever reason you like), that is the way it is always going to be, the Firefox team does not have to worry about breaking another app or even the OS.

    "Few people will download the patches by themselves. I’m looking at the most common user, not the technically savvy person using Linux."

    You are forgetting one thing, Firefox also has an auto update feature, and in general Firefox users are more savvy than IE users, but let’s assume that both user bases are equally savvy, why do you assume that IE is updated faster than Firefox?, where are the numbers that show that IE is patched in a month or two and Firefox in 4?, I don’t have any problems with IE users or fans, but at least show some data that proves you right.

    "If I’m a company deciding between those two, and I know that one of them has a regular+scheduled update process which is montly, versus a random "as it gets done" release schedule which is bi-monthly. Well, obviously I will choose the first one."

    Well that’s the problem, I don’t know why you assume that the patches are "as it gets done", patches are released when problems arise, and the "regular+scheduled update process" you love is just for security updates, all the new features and upgrades in performance are in the 6-12 month cycle.

    This kind of comment bothers me, if you don’t know about a subject it is better to keep your mouth shut, it is like me starting to say that Microsoft left you without updates for 6 years and all the ones using IE are going to burn in hell, luckily that is not the case anymore.

  42. EricLaw [MSFT] says:

    @hAl: Each new build of Vista contains the then-latest build of IE.

  43. Aedrin says:

    @jmzl666

    "I agree with that, but your last post was comparing apples to oranges, one thing is the time used to release the patch and another the time frame needed to install the patch in the user base, Firefox averages 1 day to release the patch, Microsoft one month (for whatever reason you like), that is the way it is always going to be, the Firefox team does not have to worry about breaking another app or even the OS."

    I apologize if I confused you about what I meant. I was trying to compare the time between updates to the browser without requiring action.

    FireFox currently cannot break any outside applications. But they do regularly break extensions, which is a separate problem though.

    "You are forgetting one thing, Firefox also has an auto update feature, and in general Firefox users are more savvy than IE users, but let’s assume that both user bases are equally savvy, why do you assume that IE is updated faster than Firefox?, where are the numbers that show that IE is patched in a month or two and Firefox in 4?, I don’t have any problems with IE users or fans, but at least show some data that proves you right."

    I said that IE is every month, while FireFox is every 2 months. If you look at the last few automatic updates to FireFox you’ll see there is on average 1.5-2 months in between them.

    1.5.0.1 February 1

    1.5.0.2 April 13

    1.5.0.3 May 2

    1.5.0.4 June 1

    1.5.0.5 July 27

    1.5.0.6 August 2

    1.5.0.7 September 14

    The following link suggests that a new release contains fixes for more than 1 issue:

    http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

    So who decides when it is released? What are the criteria, where do they talk about it? This is why I said "as it gets done" type release schedule. Though I suppose the proper stereotype would be "it’s done when we say it is done".

    Remember, I’m not talking about when a patch is available, but when the automatic update containing the patch is released, as that is what the largest part of the userbase will be part of.

  44. BigAl says:

    Please, Microsoft, release IE7 with the coming patch day. Vista will be Gold later this month so IE 7 is probably finished by now. If it’s not finished now, please release it with November patch day. Some of the latest vulnerabilities didn’t affect IE7 so it’s safer than IE6. Millions of customers could benefit from a fast release.

  45. hAl says:

    @BigAl

    I would hope they do not decide to release IE7 as a patch on patchday.

    I hope they will do a phased upgrade cycle where they will start to upgrade relatively smaller groups of people first just in case there are unforeseen difficulties with the upgrading process. I assume there might still be some troublesome old add-ons around, for instance, that could cause havoc among upgraders.

    Then they should slowly upgrade the rest of the Windows XP population.

    All in all I think taking a month or more to do the upgrades for all XP versions wouldn’t be so bad.

  46. BigAl says:

    @hAl

    Nice idea. If they would provide IE7 for download in mid October and via automatic update in November, that would make roll-out smoother and give more time to fix issues that may arise. After all I think it should be released to the public at November patch day at the latest. If it’s in December the issues may appear just in the peak Xmas business season. So if it’s November there is more time to fix problems.

    I don’t think there will be so many problems with IE7. Just like the year 2000 hype. In the end everything worked much better than expected.

  47. Aedrin says:

    I just hope that most users will accept the update and review it with an open mind. Not discard it because it is different. At least people seem to be embracing Office 2007. If that can be different and do good, hopefully IE7 can too.
