Microsoft released a security patch outside of its normally scheduled monthly patch release cycle to address a critical vulnerability in Internet Explorer.
The update for IE, MS06-055, "Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)", should be applied to all Windows 2000, Windows XP, and Windows Server 2003 systems, including Windows Server 2003 R2. The update corrects a problem in the Vector Markup Language (VML) processing of the browser. The vulnerability has been publicly known for over a week and exploits are circulating on the Internet.
Microsoft said on Tuesday, September 26, that according to its data the number of attacks is limited. However, according to Ken Dunham of VeriSign iDefense, "Most exploitation took place on [over 1,800] servers with several hundred thousand sites [and possibly up to 3 million sites becoming] injected with hostile iFrame links [that redirect] users to a remote hostile VML exploit site." Dunham added that VeriSign iDefense confirmed successful attacks on 45 large networks, with one network experiencing well over 10,000 successful exploits.
The vulnerability is critical because it could allow remote intruders to take complete control of an affected system. Administrators should apply Microsoft's patch as soon as possible.