
Security Strategy

Microsoft slaps quick fix on IE flaw

Patch and be damned...

Tags: microsoft

By Joris Evers

Published: 27 September 2006 08:45 GMT

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its scheduled release date.

The company is breaking with its monthly patch cycle to fix a flaw that cyber crooks have been using to attack Windows PCs via Internet Explorer. Malicious software can be loaded, unbeknown to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a website or in an email.

Alex Eckelberry, president of anti-spyware toolmaker Sunbelt Software, said in an email interview: "This was an excellent move on the part of Microsoft, and we're pleased to see them respond to the concerns of the security community." Sunbelt had been monitoring attacks that exploit the flaw, which it said have been increasing.

The vulnerability, first reported last week, lies in a Windows component called 'vgx.dll'. This component supports Vector Markup Language (VML) documents in the operating system. VML is used to render high-quality vector graphics on the web, and IE, the browser that is part of Windows, relies on the component to display pages containing it. Microsoft deems the flaw "critical", its highest severity rating.

Microsoft said in security bulletin MS06-055: "An attacker could exploit the vulnerability by constructing a specially crafted web page or HTML email that could potentially allow remote code execution if a user visited the web page or viewed the message."
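The attack vector Microsoft describes is VML markup delivered in a web page or HTML e-mail and handed to vgx.dll by IE. The following is an added example, not part of the article, showing a defender-side triage filter: it scans HTML bodies for the standard VML hooks (the VML XML namespace, the IE `behavior:url(#default#VML)` style rule, and `<v:...>` elements) and flags messages for review. The sample messages are constructed; the assumption is that, while a patch is pending, mail containing VML is rare enough in most environments to be worth a closer look, not that VML itself is malicious.

```python
import re
from typing import Dict, List

# Indicators that an HTML document or HTML e-mail body will be handed to the
# VML renderer (vgx.dll) when opened in Internet Explorer. These are the
# standard VML hooks, not values taken from the article.
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"
VML_PATTERNS = {
    "vml_namespace": re.compile(re.escape(VML_NAMESPACE), re.IGNORECASE),
    "vml_behavior": re.compile(r"behavior\s*:\s*url\(\s*#default#VML\s*\)", re.IGNORECASE),
    "vml_element": re.compile(r"<\s*v:[a-z]+", re.IGNORECASE),
}


def find_vml_indicators(html: str) -> List[str]:
    """Return the names of the VML indicators present in html (empty if none)."""
    return [name for name, pattern in VML_PATTERNS.items() if pattern.search(html)]


def triage(messages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each message id to its VML indicators, keeping only flagged messages."""
    flagged: Dict[str, List[str]] = {}
    for msg_id, body in messages.items():
        hits = find_vml_indicators(body)
        if hits:
            flagged[msg_id] = hits
    return flagged


# Constructed sample inputs (not real captured mail).
SAMPLES = {
    "plain": "<html><body><p>Quarterly report attached.</p></body></html>",
    "vml": (
        '<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
        "<style>v\\:* { behavior:url(#default#VML); }</style></head>"
        '<body><v:rect style="width:100pt;height:50pt"></v:rect></body></html>'
    ),
}

if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLES).items():
        print(f"{msg_id}: {', '.join(hits)}")
```

A hit means only that the content would reach the VML renderer on an unpatched IE, so the output is a review queue, not a verdict; pairing it with the patch status of the receiving hosts (Automatic Updates, as the article notes) tells you how much it matters.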

The vulnerability does not apply to IE 7, the upcoming version of IE that is available right now in a pre-release form, Microsoft said.

Microsoft typically releases fixes each second Tuesday of the month, which has become known as Patch Tuesday. The last time the software maker rushed out a fix was in January, when another image-related flaw in IE was being used to compromise Windows PCs through malicious websites.

Security experts had pushed Microsoft to rush out a fix for the VML flaw. A group of security professionals even crafted an unofficial fix for the problem, which was released on Friday.

Ken Dunham, director of the rapid response team at VeriSign's iDefense, said: "Exploitation has already eclipsed that of the last out-of-cycle patch. It appears that there were several million domains that were redirecting to malicious VML sites."

Microsoft's security update is being pushed out to Windows users via Automatic Updates and will also be available on Windows Update.

Joris Evers writes for CNET News.com
