Third-party patches appear for new Internet Explorer flaw

By Dennis Fisher, Executive Editor 02 Oct 2006 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

This article originally appeared on SearchSecurity.com.

In just a few months, the appearance of third-party patches has gone from a novelty to an expected part of the vulnerability disclosure and remediation process. The trend continued to gain steam in the last few days as two organizations, security vendor Determina Inc., and the Zero-Day Emergency Response Team (ZERT), both published fixes for a new flaw in Internet Explorer that became public late last week.

The vulnerability is a buffer-overrun problem found in IE 6 running on Windows XP systems with Service Pack 2 installed, and attackers can use the hole to cause denial-of-service conditions and then run their own code on target machines. The publication of the new vulnerability came just days after Microsoft released a rare out-of-cycle patch for a separate problem in the Windows implementation of the Vector Markup Language on Sept. 26.

ZERT is a volunteer effort comprising a number of engineers and security experts who are not affiliated with vendors. The group has released two patches thus far, including the new one for the IE buffer overrun. Redwood City, Calif.-based Determina, which sells a memory firewall and intrusion prevention solution, also released a free fix for the WMF flaw in Windows earlier this year.

Microsoft, of Redmond, Wash., on its Microsoft Security Response Center blog, said it is looking into reports of active exploitation of the vulnerability. This company said it plans to include a fix in its Oct. 10 "Patch Tuesday" release.

The existence of non-vendor patches is not a new phenomenon, but it has gained momentum in the last year or so. During this time Microsoft's monthly patch cycle has taken firm hold, and the vendor has proven reluctant to release fixes outside of that cycle. As researchers continue to find and discuss new flaws, public pressure for out-of-cycle patches has increased.

ZERT, Determina and a handful of other security vendors, including eEye Digital Security Inc. and Patchlink Corp., have stepped in to fill that void. However, all of these organizations agree with Microsoft's stance that these fixes are not permanent replacements for official vendor patches.

"That's something our customers have asked us for, but [our patches] are not meant to be used instead of the Microsoft or vendor ones," said Pat Clawson, CEO of Patchlink, based in Scottsdale, Ariz. "We've only done it a couple of times, but if there's a need for it we'll put them out there."

Tags: Microsoft Internet Explorer (IE),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Internet Explorer (IE) Admins can wear many hats using Netcat Patching third-party browsers adds more work in Windows shops Four Internet Explorer 8 Group Policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 General security configuration: Step 1 Protection against international domain names, URL handling: Step 3 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Windows Vista and IE7: Step 5 Phishing filter: Step 2

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ActiveX  (SearchEnterpriseDesktop.com) ActiveX control  (SearchEnterpriseDesktop.com) Internet Explorer  (SearchEnterpriseDesktop.com) Internet Explorer Administration Kit  (SearchEnterpriseDesktop.com) tabbed browsing  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary