25 September 2006
Third-Party Patch Released for IE VML Vulnerability
As a result of the very critical nature of the latest Internet Explorer vulnerability, a group called Zeroday Emergency Response Team (ZERT) has created and released a patch for IE.
The number of attacks has gotten so bad that at least once cybercriminals redirected 500 websites to point to a site that contains the exploit. People who were browsing sites that they normally go to could then be directed to this malicious site and be infected.
Microsoft has recommended that people not download patches from third parties and said that it was better if they got the updates from original software producers. I agree it is better, but waiting until October for patch Tuesday is a bit too long in the case of a something with this much danger.
ZERT as well addresses the issue of caution when dealing with third-party fixes because the patch doesn't go through the rigorous testing that Microsoft puts its patches through and therefor doesn't provide any guarantee that their patch works completely in every system. There is the possibility of compatibility issues with the patch or more vulnerabilities. ZERT has released the source code for the patch as well so people can see what it does before installing it.
Microsoft and ZERT both urge people to consider using the workarounds that Microsoft has released to protect their system from the exploit before installing the patch.
The official Microsoft workarounds can be found on this page after scrolling down to about the middle under the heading of Suggested Actions.
The number of attacks has gotten so bad that at least once cybercriminals redirected 500 websites to point to a site that contains the exploit. People who were browsing sites that they normally go to could then be directed to this malicious site and be infected.
Microsoft has recommended that people not download patches from third parties and said that it was better if they got the updates from original software producers. I agree it is better, but waiting until October for patch Tuesday is a bit too long in the case of a something with this much danger.
ZERT as well addresses the issue of caution when dealing with third-party fixes because the patch doesn't go through the rigorous testing that Microsoft puts its patches through and therefor doesn't provide any guarantee that their patch works completely in every system. There is the possibility of compatibility issues with the patch or more vulnerabilities. ZERT has released the source code for the patch as well so people can see what it does before installing it.
Microsoft and ZERT both urge people to consider using the workarounds that Microsoft has released to protect their system from the exploit before installing the patch.
The official Microsoft workarounds can be found on this page after scrolling down to about the middle under the heading of Suggested Actions.
Labels: IE, microsoft, patch, vulnerability
