Windows attack code made public

Computer code that exploits a security vulnerability in Windows has been published on the internet, making it more urgent for users of the operating system to patch.

The attack code exploits a flaw in the way Windows handles Vector Markup Language, or VML, documents, which are used for a type of high-quality graphic on the web. The bug lies in a Windows component called 'vgx.dll' which supports these files.

Microsoft provided a fix for the flaw last week with security bulletin MS07-004. At the time, the company warned it had already seen limited cyber attacks exploiting the vulnerability. However, attack code hadn't been available publicly. Yesterday, however, exploit code was published to a widely read online security forum.

A company representative said in a statement: "Microsoft is aware that detailed exploit code was published on the internet that may take advantage of the vulnerability addressed by Microsoft security bulletin MS07-004. Microsoft encourages all customers to apply the most recent security updates."

Prior to the public posting of the exploit, other code that takes advantage of the flaw had been made available to users of a security testing tool made by Immunity. However, these attack blueprints are private, supplied to people who pay for the tool.

Functionality of the public exploit code appears to be limited, Symantec said in an alert to users of its DeepSight security intelligence service. It was unable to get the exploit to work on English language versions of Windows XP and Windows 2000, the company said. Still, the exploit could provide a starting point for other hackers, the security company said.

According to the Symantec alert: "The author has posted the exact location of the flaw, shown in a screen shot from a binary analyser, increasing the likelihood of other exploits being developed."

The VML flaw is similar to a bug for which Microsoft rushed out a fix in September after Windows users came under attack. The vulnerability can be exploited by tricking a user into viewing a malicious VML file on a website with Internet Explorer.

All recent versions of Windows are vulnerable when all recent versions of IE, including IE 7, are in use, according to Microsoft. The exception is Windows Vista, which is not impacted, the software maker said. Microsoft's patches are distributed via Automatic Updates and on the company's Microsoft Update downloads website.

Joris Evers writes for CNET News.com