Third-Party Patch for IE VML Flaw Just Start of Zero-Day Trend

At least one blogger at Ars Technica is a little worried about the VML vulnerability patch released over the weekend by a group calling itself the Zeroday Emergency Response Team, or ZERT.

 

The third-party patch comes in advance of any fix from Microsoft, which has acknowledged the flaw in IE that opens the door to attackers via a graphics standard, but says an official patch may not be ready in time for the next Patch Tuesday.

 

The Ars Technica blogger gives a nod to many of the ZERT team members, including a Sabre Security exec and an IOS expert from Cisco. But he still wonders about using a patch that relies on code disassembly and not technical support from the original vendor (a hangup not shared by many commenters on this post).

 

In a separate report, The Register notes that security vendor PatchLink has released a more limited workaround for the VML flaw.

 

We'd also concur with The Register that more and more third parties will rush out fixes for zero-day attacks as the threats proliferate and Redmond continues to take its sweet time in responding. You can't count on user common sense to simply dodge bullets like this for a month or longer.

 

In a report Friday at internetnews.com, a security vendor warned that a VML-based e-mail attack -- which could launch without user action from the Outlook preview pane -- may soon hit.
