Microsoft offers emergency patch for IE bug

LOS ANGELES, Sept. 26 (Xinhua) -- Microsoft on Tuesday released a patch for a critical flaw in its Internet Explorer web browser, ahead of its next scheduled round of security updates.

Breaking its monthly patch cycle, the software maker said hackers had been using the flaw to attack computers via the Internet.

Malicious software can be loaded, unbeknown to users, on to a vulnerable Windows computer when users click on a malicious link, Microsoft said, adding that for more than a week, and in recent days especially, malicious activity had been on the upswing.

The patch will fix vulnerability in the way that Internet Explorer renders VML (Vector Markup Language) graphics, according to a security bulletin released by the company.

The out-of-cycle release is unusual, since Microsoft generally releases its security updates on the second Tuesday of every month, giving system administrators a predictable way to set aside time to test the new software.

The last time the software maker rushed out a fix was in January, when another image-related flaw in the IE browser was being used to compromise Windows PCs through malicious websites.

With attack code that works on the latest version of Windows XPnow publicly available, the flaw is emerging as a very serious concern for administrators, security experts said, while pushing Microsoft to rush out a fix for it.

There are currently more than 3,000 websites infecting users with malware that exploited the deficiency, said Ken Dunham, an expert with the Internet security firm Verisign.

"Exploitation has already eclipsed that of the last out-of-cycle patch," Dunham told CNET news. "It appears that there were several million domains that were redirecting to malicious VML sites." Enditem

http://news.xinhuanet.com/english/2006-09/27/content_5144342.htm