Windows’s VML implementation – is it so difficult to patch?
Among this week’s Redmond patches there was a critical patch for the Vector Markup Language component Vgx.dll – again.
The newest flaw exists in the handling of compressed content and is a heap overflow vulnerability. The issue was discovered by Mr. Derek Soeder of eEye Digital Security.
Most of us remember the VML 0-day case in September ’06. ZERT released a 3rd party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found in my Windows VML Vulnerability FAQ (CVE-2006-4868) document.
The reporting timelines of the three newest VML issues are below:
#2: Recolorinfo integer overflow – Vgx.dll
03-Oct-06 Vendor was contacted by iDefense
09-Jan-07 MS07-004 is out
#3: Compressed content heap overflow – Vgx.dll
24-Oct-06 Vendor was contacted by eEye
14-Aug-07 MS07-050 is out
Related to issue #2, Microsoft stated the following:
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
The fact is that Microsoft was aware of the latest vulnerability, i.e. issue #3, for almost ten months.