Windows’s VML implementation – is it so difficult to patch?

Looking through this week’s Redmond patches, there was a critical patch for the Vector Markup Language component Vgx.dll – again.
The newest flaw exists in the handling of compressed content and is a heap overflow-type vulnerability. The issue was discovered by Mr. Derek Soeder of eEye Digital Security.

Most of us remember the VML 0-day case in September ’06. ZERT released a 3rd-party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found in my Windows VML Vulnerability FAQ (CVE-2006-4868) document.

The reporting timelines of the three newest VML issues are below:

#1: fill method buffer overflow – Vgx.dll
18-Sep-06 Sunbelt Software contacted the vendor
The person who discovered this 0-day flaw is not known
25-Sep-06 MS06-055 is out

#2: Recolorinfo integer overflow – Vgx.dll
03-Oct-06 Vendor was contacted by iDefense
09-Jan-07 MS07-004 is out

#3: Compressed content heap overflow – Vgx.dll
24-Oct-06 Vendor was contacted by eEye
14-Aug-07 MS07-050 is out

Related to issue #2, Microsoft stated the following:

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

The fact is that Microsoft was aware of the latest vulnerability, i.e. issue #3, for almost ten months.

  • Harry H.

    Shouldn’t it be 24-Oct-06 not 07 that the vendor was contacted by eEye?

  • Juha-Matti

    Yes. Thanks, fixed!

  • suc

    Internet Explorer 7 silently fixed the vulnerability roughly ten months ago, due to a change in URLMON.DLL’s behavior when reading compressed content.