Third-Party Patch for IE VML Flaw Just Start of Zero-Day Trend

Ken-Hardin

At least one blogger at Ars Technica is a little worried about the VML vulnerability patch released over the weekend by a group calling itself the Zeroday Emergency Response Team, or ZERT.

 

The third-party patch comes in advance of any fix from Microsoft, which has acknowledged the flaw in IE that opens the door to attackers via a graphics standard, but says an official patch may not be ready in time for the next Patch Tuesday.

 

The Ars Technica blogger gives a nod to many of the ZERT team members, including a Sabre Security exec and an IOS expert from Cisco. But he still wonders about using a patch that relies on code disassembly and not technical support from the original vendor (a hangup not shared by many commenters on that post).

 

In a separate report, The Register notes that security vendor PatchLink has released a more limited workaround for the VML flaw.

 

We'd also concur with The Register that more and more third parties will rush out fixes for zero-day attacks as the threats proliferate and Redmond continues to take its sweet time in responding. You can't count on user common sense to simply dodge bullets like this for a month or longer.


 

In a report Friday at internetnews.com, a security vendor warned that a VML-based e-mail attack -- which could launch without user action from the Outlook preview pane -- may soon hit.



Sep 25, 2006 10:30 AM alan shimel says:
I agree, though I am not a fan of 3rd party patches, I think they are here to stay.  I wonder if Patchlink realizes they can get more PR and goodwill by making the workaround available to all than by just giving to their own customers.  I have written about this on my blog and tracked back.  http://ashimmy.typepad.com
