Feeds

Unofficial IE patch saves humanity

Third party, fire and theft

Choosing a cloud hosting partner with confidence

Security researchers have released a patch designed to protect users against an outstanding Internet Explorer vulnerability in the absence of available security updates from Microsoft.

A new ad-hoc group of security pros, called the Zeroday Emergency Response Team (ZERT), has released an unofficial fix designed to address the Vector Markup Language (VML) component vulnerability in IE, the most serious of two unpatched IE vulnerabilities. It plans to release other security bug fixes in future.

Hackers are taking advantage of this VML security flaw in IE to infect users visiting pornographic websites. Opening maliciously constructed emails in Outlook is also a potential risk, especially as attacks targeting the vulnerability are growing in prevalence since their first appearance last week.

The security bug is unrelated to a (still unpatched) flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control discovered earlier this month.

ZERT said users should replace its fix with Microsoft's patch once this becomes available. "It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution," it said.

Separately, security management firm PatchLink released a more limited workaround designed to help its customers (and only its customers) protect their networks from the VML exploit.

PatchLink estimates the number of vulnerabilities in various applications released this year will reach 6,700, some of which will become the subject of exploit before vendors get around to releasing patches.

Because of the growing issue of unpatched (so called zero-day) exploits, IT administrators can expect to see more third party patches such as the VML patch released by the ZERT group. PatchLink advises to check the provenance of patches and carry out testing before applying fixes in case they cause more problems than they solve in a user's environment. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.