September 30, 2006 10:32 AM PDT

Security pros patch older Windows versions

Related Stories

Another zero-day threat hits Windows

September 29, 2006

Microsoft rushes out 'critical' fix

September 26, 2006

Security pros provide interim IE patch

September 22, 2006

Beating Microsoft to the punch

January 4, 2006
A group of security professionals has released a patch to repair a serious flaw in older Windows versions for which Microsoft no longer provides security updates.

The group, which calls itself the Zeroday Emergency Response Team, or ZERT, created the patch so users of Windows versions that are no longer officially supported can protect their PCs against increasing attacks that utilize a recently disclosed Windows flaw.

The vulnerability, first reported last week, lies in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable PC when the user clicks on a malicious link on a Web site or an e-mail message.

Microsoft rushed out a "critical" fix for Windows on Tuesday to address the problem, two weeks before its regularly scheduled patch day. Microsoft's updates are available for Windows 2000 with Service Pack 4, Windows XP with Service Pack 1 or later, Microsoft Windows XP Professional x64 Edition, and Windows Server 2003.

But Microsoft no longer provides updates for its older operating systems. ZERT sought to fill that void. "A ZERT patch has just been made available for unsupported system versions," the group said on its Web site. The patch has been tested on Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 and Windows 2000 with Service Pack 3, the group said.

ZERT is made up of security professionals from around the world who volunteer their time. Last week the group crafted a patch to plug the VML flaw ahead of Microsoft's fix, so IE users can protect themselves while Microsoft worked on an official patch.

Meanwhile, there are several other security vulnerabilities in Microsoft products waiting to be fixed. Some of these flaws are already being used in cyberattacks, though not as widespread as the VML flaw, according to security experts.

A word of caution is always warranted when it comes to third-party fixes, ZERT has noted. The group does test its fixes, but does not have the same resources Microsoft does when it produces patches. ZERT does provide the source code of its fix, allowing people to validate what it does.

ZERT stresses on its Web site that its fix has no warranties.

See more CNET content tagged:
Vector Markup Language, flaw, patch, fix, service pack


Join the conversation!
Add your comment
Oh, Great...
Oh, great they have to create another "service team"... *rolls eyes*.
Posted by IHeartCheese (1 comment )
Reply Link Flag
VMWare Player
Folks, if you've reached your saturation point, give a look at VMWare products, particulary noting the VMWare Browser Appliance.

I'd recommend, if you have 4 gigs to spare giving VMWare a spin--it's free.

What's my point?

Well, install VMWare Player (I'd recomment the VMWare Server) and download the Browser Appliance, which is I believe a vintage Ubuntu Linux, version 5.10 (very stable and easy to use) and use the Firefox browser for your internet sessions.

The virtue is that when configured to do so, all of your internet settings will reset back to the startup defaults when you shut down your guest O/S VM.

It's really very innovative of VMWare and a viable solution to the ongoing security issues.

Or, I'd suggest you install the pre-built SUSE Linux 10.1 vmx, and do same, a bit better as SUSE has AppArmor built in--a 'sandbox' around any app you configure.

Or, just download the ISO cds from burn 'em and either set up a dual-boot or let SUSE 'blow away' Windows entirely.

You won't regret it--trust me.

Been at it now for two years with SUSE, previously a RedHat devotee.

OK, later!! I see you! Bye. Blip. ;)
Posted by _dietrich (8 comments )
Link Flag
When Microsoft Drops the Ball!!!
A small hand full of security pros pick up the ball which Microsoft; with over ten-thousand employees; can't even do right?

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.