Security Update for Windows Vulnerability in Vector Markup Language


Hi folks, this is Geoff again, IE Program Manager focused on security updates. A Windows Security Update was released today for a vulnerability in the Windows VML (vector markup language) component that can result in remote code execution. Although this is not an IE code vulnerability, we feel it is important to mention that IE can be used as an attack vector for the exploit. We strongly recommend that you visit Microsoft Update or Windows Update to check for this and any other critical security updates required to protect your systems(s) from potential attacks. 

For further information on this vulnerability and the location of the update please see the following links:

I also want to mention that IE7 on Vista IS NOT affected by this vulnerability as a newer version of the control was released in Windows Vista.

Thank you for taking the time to read this post and have a great day!

Geoff Silva
Program Manager

Comments (9)

  1. Xepol says:

    Uh, does anyone anywhere actually use the vector markup?  I can’t think of a single instance anywhere.  An exploit might be the single actual instance of it being used.

    Anyone?  A good example might be interesting (non exploit, preferably)

  2. Anonymous says:

    ok, in the details of the vulnerability, it states "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message."

    but you say, "Although this is not an IE code vulnerability"

    for those of us, that see this as a direct conflict of terms, can you elaborate on how this is not an IE issue?

    I read it as, "If I visit a naughty page in IE6/7 (and I’m running with admin priv. (like everyone in pre-vista is)) my computer is open to remote code execution"

    Sounds to me, like IE is the issue.  If I were to visit in another browser like opera, would I still be affected?

    glad to hear that vista isn’t affected though! something must have improved there!

    oh, so the "home server" that Mr. Gates touted at CES, does it support backups where you can actually specify the file extensins?  I tried it in vista and was quite disapointed.

  3. Anonymous says:

    "I also want to mention that IE7 on Vista IS NOT affected by this vulnerability as a newer version of the control was released in Windows Vista."

    Well, but at least Windows Vista RC1 *is* affected, even though IE7 on Vista may not be:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=052484bf-2fd4-4922-b1a9-1f0da9bc727b&DisplayLang=en

    Bye,

    Freudi

  4. Anonymous says:

    VML requires Activex control to be explicit enabled by the user.

  5. Anonymous says:

    @Ottmar

    Windows Vista RTM is NOT affected.

  6. Anonymous says:

    Thanks for mentioning, glad I read this *before* Windows Update notified me it had downloaded new updates.

    (Anyone else hate self-proclaimed security software that thinks your computer is insecure when you’ve set it to "download" and KEEPS reminding you of it EVERY TIME YOU LOG ON TO WINDOWS?!)

  7. Anonymous says:

    don said:

    I read it as, "If I visit a naughty page in IE6/7 (and I’m running with admin priv. (like everyone in pre-vista is)) my computer is open to remote code execution"

    Sounds to me, like IE is the issue.  If I were to visit in another browser like opera, would I still be affected?

    —-

    If opera was using the same DLL for VML rendering (which I don’t think it is) , opera would also be vulnerable.

    Think of another example: think of a 3rd party plugin for rendering say PDF files, that has a security vulnerability. It is clear how this is not an IE problem, but you are still vulnerable when visiting a ‘specially crafted page’. Other browsers who use the same plugin will be equally vulnerable.

    Now VML may not be part of the IE code, but it is still a Microsoft component, so I appreciate getting a heads up.

  8. Anonymous says:

    @Xepol You want an example of an application that use vml, google earth uses vml to draw polylines.

    @Mark I doubt any other browsers use the vml plugin as they have moved onto bigger and better things e.g. svg and canvas.

  9. Anonymous says:

    SVG is created when the W3C refused to make VML into an recommendation.

    Micrsoft had offered VML as an open standaard to the W3C. I think Micrsoft, after getting snubbed like that by the W3C on VML, might not consider supporting SVG in IE or in any other software component as any kind of priority.

    Probably if W3C had accepted VML and developed it into SVG then vector graphics would have been commonplace on the internet by now.