VML flaw prompts Microsoft to release IE fix ahead of time

After the news that attackers had started exploiting the security exposures to take control of computers, the software giant Microsoft on Tuesday has launched a security fix to mend a security flaw, in its Internet Explorer Web Browser which the company explained could enable an attacker to take control of a user's system.

The flaw classified as ‘critical’, existed in the coding for Vector Markup Language (VML), a software component used to display images. The flaw could enable an attacker to take control of user’s PC either through a specially crafted website, or by sending out spam email messages. It starts executing when the user views a specially crafted web page encoded with the VML exploit that allows the cyber-criminals to remotely execute code without the user's knowledge.

According to the company, the flaw becomes "critical" when the vulnerability allows a damaging web worm to simulate without the user doing anything to the system.

The Redmond, US based software maker actually slated to launch its security patch on Oct. 10, but rolled it out two weeks ahead of scheduled date as the company could not wait for the severity of the bug and secondly it became cognizant of a "public attack utilizing the vulnerability".

The VML vulnerability was first detected last week, when a small group of websites in Russia began exploiting the un-patched vulnerability. The misuse of the vulnerability became far-flung over the weekend after the inclusion of the exploit in a malware toolkit known as 'WebAttacker' made it easier to target.

According to the security experts, computer users could come under attack just by visiting a website that had been kneaded to take advantage of the flaw. That instead would give an attacker full control of a user's system, including access to personal information and other data.

Stephen Toulouse, senior product manager in Microsoft's security technology unit, said Microsoft had, though, only seen very limited attacks since the flaw became public a little over a week ago, yet he said the activity was enough to incite the company to launch the update ahead of release time.

"What we're seeing from our end are very specific, limited attacks," he said.

The software major has been working for more than three years to improve the security and reliability of its software as more and more venomous attacks target weaknesses in Windows and other Microsoft software.

The experts recommend that users must apply the patch as soon as possible. The update can be acquired through the built-in auto-update feature in Windows or from the Microsoft website.