NEW YORK: While it may take time for Microsoft Corporation to fix a bug in Internet Explorer caused by a Vector Markup Language (VML) vulnerability, security researchers in a group called the Zeroday Emergency Response Team (ZERT) have come up with a patch that can counter possible attacks by hackers exploiting the vulnerability.
Microsoft is expected to come up with a patch on 10 October, when it is due to release its monthly batch of security updates, though it had said it will try to release one in the interim. But researchers affiliated with ZERT feel the vulnerability is serious enough that it needs immediate attention, hence the patch.
The ZERT patch, released Friday, is unofficial and not a substitute for the official patch that will come from Microsoft, but it offers immediate protection to vulnerable systems. Microsoft has confirmed that the vulnerability is indeed capable of compromising Windows systems and exploits are happening. Sophos Labs has rated the exploit as "critical". The SANS Internet Storm Center has raised its alert level on the vulnerability from green to yellow, indicating that attacks are becoming more widespread.
Microsoft has suggested several interim workarounds to tackle the issue, and it does not recommend the ZERT patch.
Scott Deacon, Microsoft's security response center operations manager, said the company cannot endorse third-party updates.
Security experts also warned that the ZERT patch could cause new problems when installed, as it has not been extensively tested.
ZERT said the patch addresses the buffer overflow vulnerability, but did not explain what it will do.
ZERT comprises volunteers, including some well-known members of the security community with strong reverse-engineering skills. It came into being following discussions on e-mail lists set up a few years ago by security researcher Gadi Evron. One of its first actions was an unofficial patch for Microsoft's WMF (Windows Metafile) vulnerability in late 2005, mainly written by Ilfak Guilfanov. Several Windows users were forced to use third-party patches to fix this vulnerability, and Microsoft was forced to come out with an out-of-cycle patch to solve the problem.