Unofficial patch for VML vulnerability in Internet Explorer
Independent security specialists have developed and released a patch for the VML vulnerability in Internet Explorer. The patch, released by the Zero Day Emergency Response Team (ZERT), is intended to plug the vulnerability in Windows 2000 SP4, Windows XP SP1 and SP2 and Windows Server 2003 SP1 (and R2). According to ZERT, they are reacting to the inadequacy of Microsoft's update cycle. In the team's opinion, the intervals between updates are simply too long, particularly for critical vulnerabilities. "Crimeware gangs" have adapted to this cycle and produce exploits for unknown vulnerabilities just one day after Microsoft's patch day. This leaves users susceptible to these exploits for almost four weeks before the next patch day.
ZERT's members include Joe Stewart of SecureWorks; Halvar Flake of Sabre Security; Ilfak Guilfanov, author of IDA Pro and developer of the WMF patch from earlier this year; Roger Thompson of Exploit Prevention Labs; and Florian Weimer. Botnet specialist Gadi Evron provides operational management, and Dan Hubbard, head of the research department at Websense, is to provide technical support for zero-day outbreaks.
In the past, Microsoft has been less than impressed with the release of unofficial patches and has warned users against installing them. This is unlikely to change in this case. According to Evron, the patch has been tested, but this does not guarantee that it will work without problems in every environment. Nevertheless, it is an option for avoiding having to wait until 10th October, when the official patch from Microsoft will be available.
The patch is available in a GUI version and a command-line version. Both versions allow the patch to be removed later. A quick test by the heise Security editorial team shows that this appears to work correctly. ZERT provides a demo webpage to test whether Internet Explorer is vulnerable and whether the patch fixes the vulnerability. Certainly, the patched browser no longer crashes when viewing the demo webpage.