Third-party patches appear for new Internet Explorer flaw

By Dennis Fisher, Executive Editor 02 Oct 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The vulnerability is a buffer-overrun problem found in IE 6 running on Windows XP systems with Service Pack 2 installed, and attackers can use the hole to cause denial-of-service conditions and then run their own code on target machines. The publication of the new vulnerability came just days after Microsoft released a rare out-of-cycle patch for a separate problem in the Windows implementation of the Vector Markup Language on Sept. 26.

ZERT is a volunteer effort comprising a number of engineers and security experts who are not affiliated with vendors. The group has released two patches thus far, including the new one for the IE buffer overrun. Redwood City, Calif.-based Determina, which sells a memory firewall and intrusion prevention solution, also released a free fix for the WMF flaw in Windows earlier this year.

Microsoft, of Redmond, Wash., on its Microsoft Security Response Center blog, said it is looking into reports of active exploitation of the vulnerability. This company said it plans to include a fix in its Oct. 10 "Patch Tuesday" release.

The existence of non-vendor patches is not a new phenomenon, but it has gained momentum in the last year or so. During this time Microsoft's monthly patch cycle has taken firm hold, and the vendor has proven reluctant to release fixes outside of that cycle. As researchers continue to find and discuss new flaws, public pressure for out-of-cycle patches has increased.

ZERT, Determina and a handful of other security vendors, including eEye Digital Security Inc. and Patchlink Corp., have stepped in to fill that void. However, all of these organizations agree with Microsoft's stance that these fixes are not permanent replacements for official vendor patches.

"That's something our customers have asked us for, but [our patches] are not meant to be used instead of the Microsoft or vendor ones," said Pat Clawson, CEO of Patchlink, based in Scottsdale, Ariz. "We've only done it a couple of times, but if there's a need for it we'll put them out there."

Tags: Security Patch Management,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Microsoft gives Internet Explorer a major security overhaul Information security book excerpts and reviews What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Web Browser Security Adobe updates Flash Player, fixes seven serious vulnerabilities Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary