Third-party patches appear for new Internet Explorer flaw |
 |
By Dennis Fisher, Executive Editor
02 Oct 2006 | SearchSecurity.com |
|
|
This article originally appeared on SearchSecurity.com.
In just a few months, the appearance of third-party patches has gone from a novelty to an expected part of the vulnerability disclosure and remediation process. The trend continued to gain steam in the last few days as two organizations, security vendor Determina Inc., and the Zero-Day Emergency Response Team (ZERT), both published fixes for a new flaw in Internet Explorer that became public late last week.
The vulnerability is a buffer-overrun problem found in IE 6 running on Windows XP systems with Service Pack 2 installed, and attackers can use the hole to cause denial-of-service conditions and then run their own code on target machines. The publication of the new vulnerability came just days after Microsoft released a rare out-of-cycle patch for a separate problem in the Windows implementation of the Vector Markup Language on Sept. 26.
ZERT is a volunteer effort comprising a number of engineers and security experts who are not affiliated with vendors. The group has released two patches thus far, including the new one for the IE buffer overrun. Redwood City, Calif.-based Determina, which sells a memory firewall and intrusion prevention solution, also released a free fix for the WMF flaw in Windows earlier this year.
Microsoft, of Redmond, Wash., on its Microsoft Security Response Center blog, said it is looking into reports of active exploitation of the vulnerability. This company said it plans to include a fix in its Oct. 10 "Patch Tuesday" release.
The existence of non-vendor patches is not a new phenomenon, but it has gained momentum in the last year or so. During this time Microsoft's monthly patch cycle has taken firm hold, and the vendor has proven reluctant to release fixes outside of that cycle. As researchers continue to find and discuss new flaws, public pressure for out-of-cycle patches has increased.
ZERT, Determina and a handful of other security vendors, including eEye Digital Security Inc. and Patchlink Corp., have stepped in to fill that void. However, all of these organizations agree with Microsoft's stance that these fixes are not permanent replacements for official vendor patches.
"That's something our customers have asked us for, but [our patches] are not meant to be used instead of the Microsoft or vendor ones," said Pat Clawson, CEO of Patchlink, based in Scottsdale, Ariz. "We've only done it a couple of times, but if there's a need for it we'll put them out there."
|
|
|
|
