ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Another third-party Windows fix released

Joris Evers CNET News.com

Published: 02 Oct 2006 09:10 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

For the second time in as many weeks a group of security professionals has released a third-party fix for a Windows flaw that is actively being used in cyberattacks.

The group, calling itself the Zeroday Emergency Response Team, or ZERT, created the patch so Windows users can protect their PCs while Microsoft works on an official update. People have a choice of third-party fixes. Security company Determina on Friday released a patch it authored for the same flaw.

The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, Microsoft said in a security advisory issued on Thursday. Windows Shell is the part of the operating system that presents the user interface.

Attackers have added the flaw to their arsenal, security experts said on Saturday. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, they said.

This is the second time in as many weeks that ZERT has beaten Microsoft to the punch in patching a flaw. Little over a week ago the group crafted a fix to plug a flaw in a Windows component called "vgx.dll". This component supports Vector Markup Language (VML) graphics in the operating system.

A word of caution is always warranted when it comes to third-party fixes, and Microsoft does not recommend using them. ZERT does test its fixes, but does not have the same resources as Microsoft when it produces patches, the group has said. ZERT does provide the source code of its fix, allowing people to validate what it does.

The Windows Shell flaw was found almost two months ago as part of HD Moore's "month of browser bugs". However, sample attack code became available only recently.

Microsoft plans to issue a fix for the problem on 10 October, its regularly scheduled patch day, it said last week. With attacks mounting, the company might be forced to issue its patch sooner. On Tuesday Microsoft rushed out a fix for the VML flaw, which was also being exploited in attacks and for which ZERT also released a patch.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with HP

Did you find this article useful?
180 out of 328 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Fix Protocol Analyst - Contract - London City / NY

Fix Protocol Analyst - Contract - London City / NY My client is seeking an experienced FIX protocol analyst to join their team on a contractual ...

VB6, SQL, Contract 6-Months, VB6, SQL, Contract - Hertfordshire

Responsibilities - Trace and identify application defects, provide fix estimates and implement fixes. Our Retail client in St Albans URGENTLY require ...

Java Connectivity Developer Equities Trading - Java, FIX

From a technical perspective good Java experience is required, knowledge of UNIX and FIX is strongly preferred. Java/UNIX/FIX/ SYBASE. A Junior level ...

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers

Sentry Posts Blog

How many headshots does one chairperso...

We got a strange request last week from the head of PR from Russian security experts Kaspersky. It seems although the company was very happy with the interview we recently carried with... More

Post a comment

Google sponsors open source security p...

Google has announced it is to sponsor oCERT, an open source computer emergency response team. In a blog post on Monday, Google security engineer Will Drewry said that one of the... More

Post a comment

Indian officials accuse China of cyber...

China is actively engaged in mapping India's computer networks, according to the Times of India. China is mounting "almost daily" attacks against Indian Government computer systems,... More

Post a comment

Featured Talkback

On the contrary, if vendors were forced to stand behind their products it should increase innovation. It would force more, and better , testing before hitting the sales floor, resulting in fewer updates and less downtime for the consumer. At present the EULA removes responsibility from the vendor, and moves it to the user, which is a step backward. Make the vendor responsibility for their code.

By: ator1940

Read full story:
RSA: Vendor liability may stifle innovation