Second unofficial patch for vulnerability in Internet Explorer
Following the release of an unofficial patch for the VML vulnerability in Internet Explorer by the Zero Day Emergency Response Team, PatchLink has now released a further unofficial update, but only for its own customers. PatchLink is reacting to the increasing threat to IE users from infected websites. It recommends that non-customers follow Microsoft's instructions and deactivate the vulnerable library. Numerous customer websites hosted by one web hosting service have already been hacked in order to lead visitors to prepared websites.
The size of the threat is not presently clear. Microsoft stated last Friday that it believed that there were few sites infecting users via the VML vulnerability. This was revealed by information exchanged with Microsoft Security Response Alliance partners. However, Websense claims to have observed an increase in the number of attacks. Forged Yahoo greetings cards, which lure users to prepared websites, are now being sent by e-mail. Similar greetings card attacks were carried out earlier this year to exploit the WMF vulnerability.
Microsoft is continuing to work at full steam to produce a patch. The Redmond company may release the update before the next patch day on 10th October, once tests have been completed.