Feeds

Unofficial patches defend against further IE flaw

Take two

The essential guide to IT transformation

Two groups of security researchers have released unofficial patches designed to protect surfers against an outstanding Internet Explorer vulnerability in the absence of available security updates from Microsoft.

The Zeroday Emergency Response Team (ZERT), a new ad-hoc group of security pros that came to prominence with the release of an unofficial fix designed to address a Vector Markup Language (VML) component vulnerability in IE, released a patch designed to address a vulnerability in the browser's Active X controls last weekend.

Security consultancy Determina published a separate fix for the same security bug in the WebViewFolderIcon ActiveX component of IE. The security bug is unrelated to a (still unpatched) flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control discovered last month.

Microsoft released an out of schedule patch to address the VML exploit, the subject of the majority of recent IE-based attacks, last week. The other security bugs in the browser remain open to attack.

The latest unofficial patches were released in response to the availability of exploit code targeting the WebViewFolderIcon IE vulnerability, which creates a means to inject hostile code even on fully patched Win XP systems.

Microsoft is working on a patch, currently scheduled for an October 10 release, as part of its regular Patch Tuesday update cycle. While conceding that a threat exists, Redmond reckons published exploits are mostly harmless.

"We are aware of websites attempting to use the reported vulnerability to install malware. Our investigation into these websites shows that, in most cases, attempts to install malicious software by exploiting this vulnerability fail," a security notice from Microsoft explains. ®

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.