This article originally appeared on SearchSecurity.com.
In just a few months, the appearance of third-party patches has gone from a novelty to an expected part of the vulnerability disclosure and remediation process. The trend continued to gain steam in the last few days as two organizations, security vendor Determina Inc., and the Zero-Day Emergency Response Team (ZERT), both published fixes for a new flaw in Internet Explorer that became public late last week.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The vulnerability is a buffer-overrun problem found in IE 6 running on Windows XP systems with Service Pack 2 installed, and attackers can use the hole to cause denial-of-service conditions and then run their own code on target machines. The publication of the new vulnerability came just days after Microsoft released a rare out-of-cycle patch for a separate problem in the Windows implementation of the Vector Markup Language on Sept. 26.
ZERT is a volunteer effort comprising a number of engineers and security experts who are not affiliated with vendors. The group has released two patches thus far, including the new one for the IE buffer overrun. Redwood City, Calif.-based
Microsoft, of Redmond, Wash., on its
The existence of non-vendor patches is not a new phenomenon, but it has gained momentum in the last year or so. During this time Microsoft's monthly patch cycle has taken firm hold, and the vendor has proven reluctant to release fixes outside of that cycle. As researchers continue to find and discuss new flaws, public pressure for out-of-cycle patches has increased.
ZERT, Determina and a handful of other security vendors, including eEye Digital Security Inc. and Patchlink Corp., have stepped in to fill that void. However, all of these organizations agree with Microsoft's stance that these fixes are not permanent replacements for official vendor patches.
"That's something our customers have asked us for, but [our patches] are not meant to be used instead of the Microsoft or vendor ones," said Pat Clawson, CEO of Patchlink, based in Scottsdale, Ariz. "We've only done it a couple of times, but if there's a need for it we'll put them out there."