It’s been another furious couple of weeks for Microsoft’s security response center, which last week took the unusual step
of releasing an emergency security update to patch a hole that appeared to get bigger with each passing day.
The vulnerability, discovered on Sept. 18, allowed an attacker to gain complete control of a Windows PC by exploiting a flaw
in the way the operating system renders graphics based on VML (vector markup language). Within four days, miscreants unleashed
a torrent of exploits in a coordinated attack that redirected Web surfers to locations that installed spyware and Trojans.
Microsoft prefers to issue patches on the second Tuesday of each month, so that system administrators have time to plan
for them. This time, however, it had little choice but to issue an update immediately. It was only the second time this year
the company has offered an off-schedule update.
Security professionals applauded. “Another week and this would have gotten much worse, and another two weeks and it would
have reached epidemic proportions,” said Eric Sites, vice president of research at Sunbelt Software, the firm that first warned
of the flaw.
Although the VML scare appeared to abate following the release of Microsoft’s patch, like a B-movie monster, the threat refused
to die. A week after discovering the VML vulnerability and a day before Microsoft issued its update, Sunbelt found new attacks
in the wild that exploited yet another previously unknown Windows flaw.
So far the new vulnerability that affects Internet Explorer is not much of a threat because the code that’s attacking it is
poorly written. That, however, is not much of a consolation to Sites. “Somebody who’s a good reverse engineer could probably
fix that so that [the attacks] would be totally reliable,” he said. “With Microsoft releasing the [VML] patch, this may become
popular.”
The episode highlighted differences between Microsoft’s security team and some security professionals who fault Microsoft
for not moving more quickly to fix vulnerabilities. Microsoft argues that thorough testing and advance notice to customers
are essential. So when a group called the Zeroday Emergency Response Team issued an unofficial patch a few days after the
VML flaw came to light, a security response center operations manager at Microsoft, which was still mulling an expedited patch,
blogged that it was great that third parties were trying to protect customers, even as he withheld his endorsement of the
patch itself.