
October 1, 2006 4:45 PM PDT

Second third-party fix out for Windows bug

For the second time in as many weeks a group of security professionals has released a third-party fix for a Windows flaw that is actively being used in cyberattacks.

The group, calling itself the Zeroday Emergency Response Team, or ZERT, created the patch so Windows users can protect their PCs while Microsoft works on an official update. People have a choice of third-party fixes. Security company Determina on Friday released a patch it authored for the same flaw.

The flaw lies in Windows Shell and affects Windows 2000, Windows XP and Windows Server 2003. It could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, Microsoft said in a security advisory issued Thursday. Windows Shell is the part of the operating system that presents the user interface.

Attackers have added the flaw to their arsenal, security experts said Saturday. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, they said.

This is the second time in as many weeks that ZERT has beaten Microsoft to the punch in patching a flaw. A little over a week ago the group crafted a fix to plug a flaw in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system.

A word of caution is always warranted when it comes to third-party fixes, and Microsoft does not recommend using them. ZERT does test its fixes, but does not have the same resources Microsoft does when it produces patches, the group has said. ZERT does provide the source code of its fix, allowing people to validate what it does.

The Windows Shell flaw was found almost two months ago as part of HD Moore's "month of browser bugs." However, sample attack code became available only recently.

Microsoft plans to issue a fix for the problem on Oct. 10, its regularly scheduled patch day, it said last week. With attacks mounting, the company might be forced to issue its patch sooner. On Tuesday Microsoft rushed out a fix for the VML flaw, which was also being exploited in attacks and for which ZERT also released a patch.

banker's hours
by ChazzMatt October 1, 2006 10:17 PM PDT
Problem is Microsoft wants to work banker's hours on these patches -- oh, once a month and only the ones we feel like working on, we'll get to yours eventually -- while the miscreants work 24/7.

Now, Microsoft is just about the richest software company in the world. Last time I heard they had $55 billion in cash parked in the bank. It's not like they can't afford more programmers!
No, it's their customers that want this...
by richto October 2, 2006 4:52 AM PDT
Microsoft release patches on a monthly schedule to meet the requirements of their enterprise customers. Microsoft also undertakes extensive compatibility and regression testing prior to release. It's not like Linux where some cowboy can mail out a patch in a few hours and hope that it works OK.

If an issue is being publicly exploited then Microsoft release a patch faster. Very simple really.

Bear in mind that Microsoft are on average twice as fast at patching known security issues than Linux vendors...
What the admins wanted...
by IonPwr October 2, 2006 5:06 AM PDT
In reality, Microsoft's policy was created following the feedback of the IT people in major corporations who wanted a regular cycle of releases so that they will know when to expect things. This way they can test the supplied fix on their environment and then deploy it when they want and not when a user thinks they should deploy it.

Microsoft issues off-cycle updates as deemed necessary.
Third-party fixes could cause more problems...
by john.breen October 2, 2006 5:14 AM PDT
than they solve down the line. Imagine if numerous third-party fixes start making headlines and are used extensively. It wouldn't take long for fake orgs to pop up and start promising fixes when in fact they install spyware, etc.

Consider how many spyware "removal" programs there are out there and how many of them are actually legit. Register windowsrepairtools.com today and let the spamming begin.

Who will the uninformed home user trust? Unfortunately, everyone.
Re: Third-party fixes could cause more problems...
by slim-1 October 2, 2006 8:15 AM PDT
"Who will the uninformed home user trust? Unfortunately, everyone."

Which is why part of any real solution is to require security training, testing and licensing before a person can access the internet.

Part of this training should be an introduction to other OS options that are more secure such as Linux, Mac & BSD.
This isn't a fix...
by icicle69 October 2, 2006 7:38 AM PDT
Did anyone look at the source code of this supposed "third party fix" before writing this article? It simply disables the affected ActiveX controls (using the workaround steps provided in Microsoft's advisory).

I wouldn't consider this a "third party fix" that beat Microsoft to the punch, but merely a helper utility that sets a few reg keys that Microsoft recommended disabling in the workaround section of the advisory.

Nice job digging up all the facts...
The real question here...
by Hoser McMoose October 2, 2006 9:22 AM PDT
"The Windows Shell flaw was found almost two months ago as part of HD Moore's "month of browser bugs." However, sample attack code became available only recently."

If the flaw is almost two months old it really should have been fixed in the LAST patch-Tuesday release. Besides, this sort of bug, as well as the "Zero-Day Wednesday" concept is quickly making Microsoft's idea of only releasing security fixes once a month seem like a rather poor decision. I understand the desire to keep the patches in groups released on a regular basis for the sake of enterprise IT departments, but they already had to backtrack on this once this month for the VML bug.

Perhaps they should move to having the patches available for download as soon as they are finished and tested but only move them to Automatic Updates once a month? Microsoft may also want to move to a bi-weekly patch cycle instead of their once-per-month schedule.
Blind with Hatred
by singhrajender October 2, 2006 6:30 PM PDT
I think you seem to be blind with hatred and not able to see Lindy01's valid point.
As much as I want to applaud them...
by wbenton October 3, 2006 8:55 AM PDT
As much as I want to applaud these third party fixers... I just cannot bring myself to do it.

The simple reason is that they're helping to keep the Windows community alive and Microsoft in business longer.

The sooner Microsoft goes out of business... the more secure the entire world will be!!!

No need in softening/slowing down Microsoft's demise!!!

It's their operating system... let them show the world how incompetent they are. If the community is unsafe due to Microsoft's lackluster patching methodology... then I say change to an operating system which patches better!

Microsoft has the bucks and the staff to fix the problems quicker... thus they don't need hand-outs from good will do'ers.

They might start to expect more of the same in the future and slack off on patching even more... and that's NOT a good trend to say the least.

Walt