BugBlog Home
BJK Research Home
BJK Research Home

Did the BugBlog help you? Donate via PayPal to say thanks.

Even better, subscribe to the BugBlog Plus for even more coverage of bugs and their fixes.

Jump to the BugBlog archives

Dec 06
Nov 06
Oct 06
Sept 06
Aug 06
July 06
June 06
May 06
Apr 06
Mar 06
Feb 06
Jan 06
Dec 05
Nov 05
Oct 05
Sept 05
Aug 05
July 05
Jun 05
May 05
Apr 05
Mar 05
Feb 05
Jan 05
Dec 04
Nov 04
Oct 04
Sep 04
Aug 04
Jul 04
June 04
May 04
Apr 04
Mar 04
Feb 04
Jan 04
Dec 03
Nov 03
Oct 03
Sept 03
Aug 03
July 03
June 03
May 03
April 03
Mar 03
Feb 03
Jan 03
Dec 02
Nov 02

Amazon.comOrder books and more at Amazon.com

Win 2K Secrets
Order Windows 2000 Secrets from Amazon.com



BugBlog Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Microsoft, for the VML bug.

It first showed up in the 9/20 BugBlog:
There is another buffer overflow in Microsoft Internet Explorer 6. This one occurs in the way that IE handles Vector Markup Language (VML), and will let attackers run their own code on your computer. Fully-patched versions of IE are affected, and it is reported that this bug is being used on Russian porn sites, and will probably spread. If Microsoft Outlook or Outlook Express are configured to automatically open HTML messages, they are also vulnerable. It looks like Microsoft is aiming for October's Patch Tuesday for issuing a fix. In the meantime, you can either switch to an alternative browser like Mozilla Firefox (which isn't affected), turn off JavaScript, or unregister vgx.dll. Computerworld shows how to do this at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003468

On 9/23:
Microsoft has an entry on their Security Blog talking about the VML bug in Internet Explorer. They say the bug isn't being exploited as much as other people say, and they are also worried about third-party patches. Of course, one of the reason people turn to third-party patches is because they don't want to wait for October's Patch Tuesday. The blog post, at http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx, at least hints that a patch may be released sooner.

On 9/26:
The Internet Storm Center reports that there is much more hostile activity targeting the VML security bug in Microsoft Internet Explorer. They say "The exploit is widely known, easy to recreate, and used in more and more mainstream websites." Actions you can take include using some browser other than IE, or deregistering the problem DLL file, Vgx.dll. They show how to do that at http://isc.sans.org/diary.php?storyid=1727, and have a further series of reports.

And finally on 9/27came the patch:
Microsoft has issued an out-of-cycle security bulletin (meaning they didn't wait for Patch Tuesday) for the VML Buffer Overrun bug in Microsoft Internet Explorer. This bug was being actively exploited by hostile web sites, and could completely take over your computer, as shown in the 9/26 and 9/20 BugBlogs. Get the patch at http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx.

Also on 9/27:
While Microsoft has said that attacks via the VML bug (patched on 9/27 in a special security bulletin) were "limited", security researchers at iDefense calculate that at least 2000 domains were hijacked and/or modified so that visitors were sent to domains that exploited the VML bug. At least one ISP says their servers were compromised via an unrelated bug which then planted the VML exploit. Read more at http://www.eweek.com/article2/0,1895,2020889,00.asp.

Why this bug? For starters, Microsoft doesn't often release a special security patch, outside of their regular Patch Tuesday rotation. They did that even though they were saying, before the release, that they didn't think it was that significant. Second, of course, is the potential impact -- way too many people are still using Microsoft Internet Explorer. The third reason is the extent of the damage -- the number of websites either exploiting or infected by this, plus the fact that victim's can have their computers zombified.


Previous Bugs of the Month

September 2006: Sony Batteries

August 2006: Microsoft Windows Genuine Advantage

July 2006: Yahoo! Mail

June 2006: Symantec Enterprise AV

May 2006: Microsoft Wins Special Lifetime Achievement Bug Award

April 2006: Adobe Macromedia Flash Player

March 2006: Microsoft Windows Media Player

Feb 2006: Apple QuickTime

Jan 2006: Microsoft WMF Bug

Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed

November 2005: Four Separate Bugs Leave Windows Open to Takeover

October 2005: Acrobat Screws Up MS Word

September 2005: Apple Security Update Breaks 64-bit Apps

August 2005: Cisco IOS Vulnerable to IPv6 bug

July 2005: RealNetworks Fixes Four Bugs in Their Media Player

June 2005: Flawed Rollout for Netscape 8

May 2005: TCP/IP Fix for Windows

April 2005: Denial of Service against Symantec Norton AntiVirus

March 2005: IDN Spoofing Bug

February 2005: Windows Animated Cursor Bug

January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org