Third-Party Patch for IE VML Flaw Just Start of Zero-Day Trend


At least one blogger at Ars Technica is a little worried about the VML vulnerability patch released over the weekend by a group calling itself the Zeroday Emergency Response Team, or ZERT.


The third-party patch comes in advance of any fix from Microsoft, which has acknowledged the flaw in IE that opens the door to attackers via a graphics standard, but says an official patch may not be ready in time for the next Patch Tuesday.


The Ars Technica blogger gives a nod to many of the ZERT team members, including a Sabre Security exec and an IOS expert from Cisco. But he still wonders about using a patch that relies on code disassembly and not technical support from the original vendor (a hangup not shared by many commenters on his post).


In a separate report, The Register notes that security vendor PatchLink has released a more limited workaround for the VML flaw.


We'd also concur with The Register that more and more third parties will rush out fixes for zero-day attacks as the threats proliferate and Redmond continues to take its sweet time in responding. You can't count on user common sense to simply dodge bullets like this for a month or longer.


In a report Friday at, a security vendor warned that a VML-based e-mail attack -- which could launch without user action from the Outlook preview pane -- may soon hit.

Sep 25, 2006 10:30 AM alan shimel says:
I agree, though I am not a fan of 3rd party patches, I think they are here to stay.  I wonder if Patchlink realizes they can get more PR and goodwill by making the workaround available to all than by just giving to their own customers.  I have written about this on my blog and tracked back.
