Patch released for high profile VML vulnerability

A patch for the high profile VML vulnerability has been released by Microsoft. It resolves not only the public vulnerability but also additional issues discovered through internal investigations. It is available via Windows Update, Microsoft Update, Autoupdate and WSUS.

It only applies to IE5 and IE6 machines. IE7 is immune to this vulnerability (and most others).

Security Bulletin here:
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Microsoft Security Response blog:
http://blogs.technet.com/msrc/archive/2006/09/26/459194.aspx

Important notes:

If the workaround “Modify the Access Control List on Vgx.dll to be more restrictive” has been applied to systems, the security updates provided may not install correctly. See the Workarounds for VML Buffer Overrun Vulnerability – CVE-2006-4868 section in this security bulletin for instructions on how to revert this workaround before applying this security update.

You may also wish to review Jesper's comments about reversing mitigations that may have been applied to your system:
http://msinfluentials.com/blogs/jesper/archive/2006/09/26/VML-Patch-Is-Out-_2D00_-Unapply-The-Mitigations.aspx

Published Wed, Sep 27 2006 7:00 by sandi

Comments

# re: Patch released for high profile VML vulnerability

Tuesday, September 26, 2006 6:35 PM by sandi
Note: there will be a webcast about this release: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032311209&EventCategory=4&culture=en-US&CountryCode=US