Third-party patches appear for new Internet Explorer flaw

Article

Third-party patches appear for new Internet Explorer flaw

Dennis Fisher, Executive Editor

This article originally appeared on SearchSecurity.com.

In just a few months, the appearance of third-party patches has gone from a novelty to an expected part of the vulnerability disclosure and remediation process. The trend continued

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchEnterpriseDesktop.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseDesktop.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

to gain steam in the last few days as two organizations, security vendor Determina Inc., and the Zero-Day Emergency Response Team (ZERT), both published fixes for a new flaw in Internet Explorer that became public late last week.

The vulnerability is a buffer-overrun problem found in IE 6 running on Windows XP systems with Service Pack 2 installed, and attackers can use the hole to cause denial-of-service conditions and then run their own code on target machines. The publication of the new vulnerability came just days after Microsoft released a rare out-of-cycle patch for a separate problem in the Windows implementation of the Vector Markup Language on Sept. 26.

ZERT is a volunteer effort comprising a number of engineers and security experts who are not affiliated with vendors. The group has released two patches thus far, including the new one for the IE buffer overrun. Redwood City, Calif.-based Determina, which sells a memory firewall and intrusion prevention solution, also released a free fix for the WMF flaw in Windows earlier this year.

Microsoft, of Redmond, Wash., on its Microsoft Security Response Center blog, said it is looking into reports of active exploitation of the vulnerability. This company said it plans to include a fix in its Oct. 10 "Patch Tuesday" release.

The existence of non-vendor patches is not a new phenomenon, but it has gained momentum in the last year or so. During this time Microsoft's monthly patch cycle has taken firm hold, and the vendor has proven reluctant to release fixes outside of that cycle. As researchers continue to find and discuss new flaws, public pressure for out-of-cycle patches has increased.

ZERT, Determina and a handful of other security vendors, including eEye Digital Security Inc. and Patchlink Corp., have stepped in to fill that void. However, all of these organizations agree with Microsoft's stance that these fixes are not permanent replacements for official vendor patches.

"That's something our customers have asked us for, but [our patches] are not meant to be used instead of the Microsoft or vendor ones," said Pat Clawson, CEO of Patchlink, based in Scottsdale, Ariz. "We've only done it a couple of times, but if there's a need for it we'll put them out there."