Yet more third-party fixes are out for a Windows flaw, which is not expected to be addressed until next week.
Two groups are offering unofficial patches as the software giant warns users.
“We are working on a security update currently scheduled for an Oct. 10 release,” Microsoft said in a Thursday security advisory.
While the software maker said proof-of-concept code has been published on how to exploit the flaw, it was not aware of any customers attacked.
As internetnews.com reported last week, CERT issued a warning for users of Windows 2000, Windows XP and Windows Server 2003 that a flaw in the WebViewFolderIcon ActiveX control could pose a security risk.
The flaw could enable a hacker to run malicious code on an unpatched system.
The Zeroday Emergency Response Team (ZERT) issued a patch Friday enabling Windows users to protect their systems.
This isn’t the first time ZERT has stepped in while Windows users awaited an official response from Microsoft. ZERT issued a patch covering a recent vulnerability in the “vgx.dll” file, which is part of Windows’ Vector Markup Language for graphics.
But ZERT was not alone in offering unofficial patches. On Friday, security vendor Determina announced a free patch to address what it viewed as a “critical” security problem.
In March, Determina was one of two security vendors offering a free third-party patch for exploits using a vulnerability in how IE handles the “createTextRange()” tag.
The year began with a Russian software developer offering a patch to solve a hole in Windows Metafile (WMF). That unofficial fix, adopted by SANS and security firm F-Secure, prompted such demand that the software developer’s Web site crashed under the load.
However, as security vendors such as McAfee and others point out, Microsoft must weigh the impact of a patch on its ocean of users, making the decision on whether to issue an out-of-cycle security bulletin not cut-and-dried.
The monthly patching sessions, known as “Patch Tuesdays,” were developed to keep systems administrators “from running around like chickens with their heads cut off,” Andrew Jaquith, security analyst with Yankee Group, told internetnews.com.
Despite the urge to increase the frequency of patches, Microsoft cannot afford to make any drastic changes to its patching schedule. The software giant spends between $75 million and $100 million each year on security, according to the analyst.
The most recent spate of third-party Windows patches “points to some frustration out there,” Jaquith said. While not willing to say if companies will compete with Microsoft to offer Windows patches, security firms are providing patches to users either for profit or simply as good public relations, he said.
ZERT is made up of “really, really smart people,” according to the analyst. The skills to reverse-engineer Windows code, either to fix or break software, are now widely available.
Jaquith said Microsoft needs to shake up the predictability of its patch schedule. “Patch Tuesday is being followed by Zero-day Wednesday. The bad guys are gaming the system,” he said.
The FolderIcon exploit is just the latest example. Professionals are exploiting the flaw, according to security firm Websense. “This is the same group that we discovered using the WMF exploit back in late December 2005,” according to an alert on the company’s Web site.
This most recent exploit “poses a significant risk,” because victims are drawn to infected sites from search engines and e-mail spam, according to the company.
There are 600 active sites using the exploit, which can deposit Trojan horses able to steal user information, according to Websense.
“You’ve got to game the bad guys,” Jaquith said. Chief among the tactics Microsoft should use: releasing some patches outside of the monthly schedule.
Should we expect to see more third-party patches for future security threats? Unofficial patching “is an established trend,” the analyst said.