Third-Party Patch for IE VML Flaw Just Start of Zero-Day Trend

At least one blogger at Ars Technica is a little worried about the VML vulnerability patch released over the weekend by a group calling itself the Zeroday Emergency Response Team, or ZERT.


The third-party patch comes in advance of any fix from Microsoft, which has acknowledged the flaw in IE that opens the door to attackers via a graphics standard, but says an official patch may not be ready in time for the next Patch Tuesday.


The Ars Technica blogger gives a nod to many of the ZERT team members, including a Sabre Security exec and an IOS expert from Cisco. But he still wonders about using a patch that relies on code disassembly and not technical support from the original vendor (a hang-up not shared by many commenters on this post).


In a separate report, The Register notes that security vendor PatchLink has released a more limited workaround for the VML flaw.


We'd also concur with The Register that more and more third parties will rush out fixes for zero-day attacks as the threats proliferate and Redmond continues to take its sweet time in responding. You can't count on user common sense to simply dodge bullets like this for a month or longer.


In a report Friday at internetnews.com, a security vendor warned that a VML-based e-mail attack -- which could launch without user action from the Outlook preview pane -- may soon hit.