Solution From Outsiders for Microsoft’s Flaw
Microsoft has a VML (Vector Markup Language) flaw, which security firms
have rated as critical. Microsoft has set October 10, 2006, as the deadline
to patch the flaw. Meanwhile, a software engineering group called ZERT
(Zero-day Emergency Response Team) has issued a temporary patch to prevent
the trouble. E-Week has classified ZERT as a highly professional security
The temporary patch has raised doubts about the reliability of such
patches for Windows and their effect on future patches from Microsoft.
ZERT believes the patch would fix the 'buffer overflow' but doesn't say
anything about its exact purpose. A ZERT member commented that Microsoft
needs to do something about its patching cycle. Members of the ZERT team
are working together to release a non-vendor patch for the '0day'
(zero-day) vulnerability. The zero-day exploit poses a danger to the
public, to the Internet infrastructure, or even to both. According to
ZERT's website, it aims not to crack products but to ward off security
vulnerabilities by 'un-cracking' them before they can be exploited widely.
A Microsoft spokesman said that his company is aware of third-party
initiatives to patch vulnerabilities in Microsoft software. Microsoft
appreciates such initiatives by vendors and independent security
researchers to provide its customers with mitigations. However, according
to Microsoft, customers should also gather security updates and advice
from the original software vendor. Microsoft reviews and tests its
security updates to maintain high quality and assesses them thoroughly to
make them application compatible. But it cannot provide a similar
guarantee for independent third-party security updates.
The patch for the VML loophole is the first patch released by the group.
Time will tell whether people welcome this initiative by ZERT or wait for
Microsoft to deliver the good news.
"We're just not seeing that from our data, and our Microsoft Security
Response Alliance partners aren't seeing that at all either. Of course,
that could change at any moment, and regardless of how many people are
being attacked, we have been working non-stop on an update to help protect
from this vulnerability."
Releasing the patch for the VML loophole is the first such attempt by
ZERT. Only time will tell whether people welcome this initiative by ZERT
or look to Microsoft to come up with the solution.
The spokesman said that Microsoft was just not seeing that in its data,
and neither were its "Microsoft Security Response Alliance" partners.
Naturally, that could change at any time. He added that Microsoft was
working continually on an update to help protect against this
vulnerability, irrespective of the number of people facing the attack.
» SPAMfighter News - 9/27/2006