ALARM Group ALERT - ALARM, The Computing Alert System
Alert Number: 091906-01
Alert Date: 9/19/06
Alert Title: *UNPATCHED* VML vulnerability in Internet Explorer
Update-to: none
OS/Platform/Application: Microsoft Internet Explorer version 5 and later
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, IE users
Summary: On September 19, 2006, Microsoft released Security Advisory 925568. This advisory addresses a vulnerability in Vector Markup Language (VML) that, when exploited, could allow a remote attacker to gain control of a victim system. The most probable vector of exploitation is the viewing of a specially crafted website, either in a browser or by clicking a link in an email message. At the time of this writing (4:21 PM EST 9/19/06), several Internet security-related agencies are reporting the existence and public release of proof-of-concept code to exploit this vulnerability. No patch has yet been made available by Microsoft to definitively fix the issue. Security Advisory 925568 does offer some advice on best practices to minimize the risk of exploit (such as avoiding untrusted websites and not clicking on untrusted links in email messages).
Recommended Actions: Persons who manage, maintain or use Windows systems that run IE 5.0 and later are encouraged to read Security Advisory 925568 (and the other associated information; links are provided below) to obtain a better understanding of the vulnerability.
ITS Actions: At this time, ITS is taking no specific additional actions to address this software vulnerability. An update will be issued if the situation changes.
Resources: