A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyber attacks.
The group, which called itself the Zeroday Emergency Response Team, or ZERT, created the patch so IE users can protect themselves while Microsoft works on an official fix.
"Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch," ZERT spokesman Randy Abrams said on Friday. Abrams is director of technical education at security company ESET and volunteers with ZERT.
The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message. Word of the vulnerability came early last week, when the weakness already was being exploited in cyber attacks.
Attacks had ramped up significantly late last week, according to Ken Dunham, director of the rapid response team at VeriSign's iDefense. In many cases, the attacks installed spyware, adware and remote control software on victims' PCs.
In at least one case, cyber criminals broke into a Web hosting company and redirected 500 Internet domains to point to a malicious site that exploited this latest flaw, Dunham said. "So you're just surfing the Web, and all of a sudden, you are redirected to a malicious Web site," he said.
Attacks that exploited the flaw via e-mail likely would surface soon, he added.
While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. "As a best practice, customers should obtain security updates and guidance from the original software vendor," a Microsoft representative said in a statement.
This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Meta File images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in Web pages.
ZERT is made up of security professionals from around the world who volunteer their time. The ZERT patch, available for Windows 2000, Windows XP and Windows Server 2003, was created in 19 hours, primarily by three experts: Joe Stewart of Lurhq, Israeli reverse-engineering specialist Gil Dabah, and vulnerability researcher Michael Hale Ligh, Abrams said.
Risk of third-party fixes
A word of caution was warranted when it came to third-party fixes, ZERT noted. "There is a risk associated with a third-party patch because it hasn't gone through the extensive testing that Microsoft puts its patches through," Abrams said. ZERT does provide the source code of its fix, allowing people to validate what it does.On its Web site, ZERT stressed that its fix had no warranties. "While ZERT tests these patches, they are not official patches with vendor support and are provided as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch," the group stated. The ZERT fix would be removed from the group's site once Microsoft had issued its update, the group said.
ZERT's patch may work well for some individual users or smaller organizations, iDefense's Dunham said. "Most small businesses are agile, but for larger organizations, applying a patch is a bigger hassle. A third-party patch introduces a wide variety of concerns and cost measures, and those can't be ignored," he said.
In addition to compatibility problems, third-party fixes could introduce security vulnerabilities, Dunham said. Microsoft provided several workarounds that do not require the third-party patch on its Web site. Dunham recommended using a workaround, but also said he expected Microsoft to rush out its patch before Oct. 10.
