The third-party patch comes in advance of any fix from Microsoft, which has acknowledged the flaw in IE that opens the door to attackers via a graphics standard, but says an official patch may not be ready in time for the next Patch Tuesday.
The Ars Technica blogger gives a nod to many of the ZERT team members, including a Sabre Security exec and an IOS expert from Cisco. But he still wonders about using a patch that relies on code disassembly and not technical support from the original vendor (a hangup not shared by many commentors to this post).
In a separate report, The Register notes that security vendor PatchLink has released a more limited workaround for the VML flaw.
We'd also concur with The Register that more and more third parties will rush out fixes for zero-day attacks as the threats proliferate and Redmond continues to take its sweet time in responding. You can't count on user common sense to simply dodge bullets like this for a month or longer.
In a report Friday at internetnews.com, a security vendor warned that a VML-based e-mail attack -- which could launch without user action from the Outlook preview pane -- may soon hit.