RealTime IT News

Second Third-Party Windows Fix Appears

Yet more third-party fixes are out for a Windows flaw that Microsoft is not expected to address officially until next week.

Two groups are offering unofficial patches as the software giant warns users.

"We are working on a security update currently scheduled for an Oct. 10 release," Microsoft said in a Thursday security advisory.

While the software maker said proof-of-concept code showing how to exploit the flaw has been published, it said it was not aware of any customers being attacked.

As internetnews.com reported last week, CERT issued a warning for users of Windows 2000, Windows XP and Windows Server 2003 that a flaw in the WebViewFolderIcon ActiveX control could pose a security risk.

The flaw could enable an attacker to run malicious code on an unpatched system, for example when a user visits a Web page that loads the control.
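For administrators who would rather not install an unofficial binary patch while waiting for the official update, the usual interim mitigation for a flaw in an ActiveX control is to set the control's "kill bit," which tells Internet Explorer never to instantiate that CLSID. The script below is an added example and is not code from the article or from ZERT, Determina or Microsoft; the CLSID it uses for WebViewFolderIcon is an assumption taken from Microsoft's advisory for this issue and should be confirmed against that advisory before use.

```powershell
# Added example: set (or roll back) the Internet Explorer kill bit for the
# WebViewFolderIcon ActiveX control. Run from an elevated PowerShell prompt.
# The CLSID is an assumption taken from Microsoft's advisory, not from the article.
param(
    [switch]$Remove   # pass -Remove to undo the change
)

$clsid   = '{844F4806-E8A8-11d2-9652-00C04FC30871}'   # assumed WebViewFolderIcon CLSID
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit = 0x400   # Compatibility Flags bit: IE must not instantiate this control
$backup  = Join-Path $env:TEMP ("killbit-" + $clsid.Trim('{}') + ".txt")

if ($Remove) {
    if (Test-Path $backup) {
        # A previous run saved the original flags; restore them exactly.
        $saved = [int](Get-Content -Path $backup | Select-Object -First 1)
        Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $saved -Type DWord
        Remove-Item -Path $backup -Force
        Write-Host "Restored Compatibility Flags to 0x$('{0:X}' -f $saved) for $clsid"
    } elseif (Test-Path $keyPath) {
        # No prior value existed, so the key itself was created by this script.
        Remove-Item -Path $keyPath -Force
        Write-Host "Removed kill bit key $keyPath"
    } else {
        Write-Host "No kill bit present for $clsid; nothing to remove"
    }
    return
}

# Preserve any existing Compatibility Flags so the change can be reversed precisely.
$existing = $null
if (Test-Path $keyPath) {
    $existing = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($existing -ne $null) {
        $existing | Out-File -FilePath $backup
        Write-Host "Existing flags 0x$('{0:X}' -f $existing) saved to $backup"
    }
} else {
    New-Item -Path $keyPath -Force | Out-Null
}

# OR the kill bit into whatever flags were already present rather than overwriting them.
$newValue = ([int]$existing) -bor $killBit
Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $newValue -Type DWord

# Verify by reading the value back and checking that the bit is actually set.
$check = (Get-ItemProperty -Path $keyPath).'Compatibility Flags'
if (($check -band $killBit) -eq $killBit) {
    Write-Host "Kill bit set for $clsid (Compatibility Flags = 0x$('{0:X}' -f $check))"
} else {
    Write-Error "Failed to set kill bit for $clsid"
}
```

The kill bit only stops Internet Explorer from loading the control; it does not fix the underlying code, so the official update should still be applied when it ships, after which the kill bit can be rolled back with `-Remove` if the control is needed.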

The Zeroday Emergency Response Team (ZERT) issued a patch Friday enabling Windows users to protect their systems.

This isn't the first time ZERT has stepped in while Windows users awaited an official response from Microsoft.

ZERT issued a patch covering a recent vulnerability in the "vgx.dll" file, which implements Vector Markup Language (VML) graphics in Windows.

But ZERT was not alone in offering unofficial patches. On Friday, security vendor Determina announced a free patch to address what it viewed as a "critical" security problem.

In March, Determina was one of two security vendors offering a free third-party patch for exploits using a vulnerability in how IE handles the "createTextRange()" method.

The year began with a Russian software developer offering a patch to close a hole in Windows Metafile (WMF) image handling.

That unofficial fix, adopted by SANS and security firm F-Secure, prompted such demand that the software developer's Web site crashed under the load.

However, as security vendors such as McAfee and others point out, Microsoft must weigh the impact of a patch on its enormous user base, so the decision on whether to issue an out-of-cycle security bulletin is not cut-and-dried.

The monthly patching sessions, known as "Patch Tuesdays," were developed to keep systems administrators "from running around like chickens with their heads cut off," Andrew Jaquith, security analyst with Yankee Group, told internetnews.com.

Despite the urge to increase the frequency of patches, Microsoft cannot afford to make any drastic changes to its patching schedule. The software giant spends between $75 million and $100 million each year on security, according to the analyst.

The most recent spate of third-party Windows patches "points to some frustration out there," Jaquith said.

While he would not say whether companies will compete with Microsoft to offer Windows patches, security firms are providing patches to users either for profit or simply as good public relations, he said.

ZERT is made up of "really, really smart people," according to the analyst. The skills needed to reverse-engineer Windows code, whether to fix or to break software, are now widely available.

Jaquith said Microsoft needs to shake up the predictability of their patch schedule. "Patch Tuesday is being followed by Zero-day Wednesday. The bad guys are gaming the system," he said.

The FolderIcon exploit is just the latest example. Professional attackers are already exploiting the flaw in the wild, according to security firm Websense.

"This is the same group that we discovered using the WMF exploit back in late December 2005," according to an alert on the company's Web site.

This most recent exploit "poses a significant risk," because victims are drawn to infected sites from search engines and e-mail spam, according to the company.

There are 600 active sites using the exploit, which can deposit Trojan horses able to steal user information, according to Websense.

"You've got to game the bad guys," Jaquith said. Chief among the tactics Microsoft should use: releasing some patches outside of the monthly schedule.

Should we expect to see more third-party patches for future security threats? Unofficial patching "is an established trend," the analyst said.