Security pros provide interim IE patch

A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyberattacks.

The group, which calls itself the Zeroday Emergency Response Team, or ZERT, created the patch so IE users can protect themselves while Microsoft works on an official fix for the Web browser. The software maker has said it will release a security update for the issue on Oct. 10, its next Patch Tuesday.

"Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch," ZERT spokesman Randy Abrams said Friday. Abrams is director of technical education at security company ESET and volunteers with ZERT.

The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message. Word of the vulnerability came earlier this week, when the weakness already was being exploited in cyberattacks.

"Attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. In many cases, the attacks install spyware, adware and remote control software on victims' PCs.

In at least one case, cybercriminals broke into a Web hosting company and redirected 500 Internet domains to point to a malicious site that exploits this latest flaw, Dunham said. "So you're just surfing the Web, and all of a sudden, you are redirected to a malicious Web site," he said.

Attacks that exploit the flaw via e-mail likely will surface soon, he added.

While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. "As a best practice, customers should obtain security updates and guidance from the original software vendor," a Microsoft representative said in a statement.

This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Meta File images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in Web pages.

ZERT is made up of security professionals from around the world who volunteer their time. The ZERT patch, available for Windows 2000, Windows XP and Windows Server 2003, was created in 19 hours, primarily by three experts: Joe Stewart of Lurhq, Israeli reverse-engineering specialist Gil Dabah, and vulnerability researcher Michael Hale Ligh, Abrams said.

Risk of third-party fixes
A word of caution is warranted when it comes to third-party fixes, ZERT noted. "There is a risk associated with a third-party patch because it hasn't gone through the extensive testing that Microsoft puts its patches through," Abrams said. ZERT does provide the source code of its fix, allowing people to validate what it does.

On its Web site, ZERT stresses that its fix has no warranties. "While ZERT tests these patches, they are not official patches with vendor support and are provided as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch," the group stated. The ZERT fix will be removed from the group's site once Microsoft has issued its update, the group said.

ZERT's patch may work well for some individual users or smaller organizations, iDefense's Dunham said. "Most small businesses are agile, but for larger organizations, applying a patch is a bigger hassle. A third-party patch introduces a wide variety of concerns and cost measures, and those can't be ignored," he said.

In addition to compatibility problems, third-party fixes could introduce security vulnerabilities, Dunham said. Microsoft provides several workarounds that do not require the third-party patch on its Web site. Dunham recommends using a workaround, but also said he expects Microsoft to rush out its patch before Oct. 10.