ZERT, Dertermina beat Microsoft to the patch

Two organizations aren't waiting around for next week's Patch Tuesday security fix release.

The Zeroday Emergency Response Team (ZERT) and Determina have both released an unofficial fix for a zero-day flaw in Microsoft Windows WebViewFolderIcon ActiveX control.

Microsoft released an advisory for the flaw last week, just a few days after it had distributed a patch for a different hole in Internet Explorer (IE). Researchers also revealed an exploitable hole within Microsoft Office last week.

ZERT had released a fix for a flaw in IE's vector markup language that could be exploited by hackers for remote code execution attacks.

ZProtector does not need to be removed when Microsoft releases its own patch for the flaw, the company said in an advisory.

Determina, a Cambridge, Mass. intrusion prevention vendor, released its fix for the WebViewFolderIcon flaw late last week.

The patch should not interfere with an official Microsoft fix, according to a statement from Determina.

"Users remain vulnerable to these zero-day vulnerabilities until Microsoft releases a patch. Today's anti-virus and anti-spyware products are already known to be ineffective in preventing attackers from compromising systems using ‘drive by' and other techniques - the signatures simply cannot keep up with the large number of malware variants," said Sandy Wilbourn, vice president of engineering and customer support for Determina.

A Microsoft spokesperson urged PC users to use Microsoft's patch.

"While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor," the spokesperson said.

Click here to email Frank Washkuch Jr.

Sign up to our newsletters