Researchers issue unofficial IE security patch

But Microsoft urges users to wait for official update.

The Zeroday Emergency Response Team (ZERT) has released an unofficial patch for a security vulnerability in Internet Explorer. 

Zert is an independent group of engineers that aims to issue updates for unpatched vulnerabilities that pose a serious risk to the public or the internet infrastructure.

The group believes that, in such cases, users should not have to wait until the vendor concerned issues a patch.

Zert was formed last December after the widely abused WMF vulnerability hit computers across the world. 

The group's first patch repairs a vulnerability in the Vector Markup Language component in Microsoft's browser that could allow an attacker to take control of a system without any user interaction. 

The flaw is actively being exploited through several adult websites hosted in Russia. Security website Secunia rated the flaw as 'extremely critical', its most severe rating. 

However, Microsoft told vnunet.com that it advises users not to apply the Zert patch. 

"While Microsoft can appreciate the steps these security researchers are taking to provide our customers with mitigations, as a best practice customers should obtain security updates and guidance from the original software vendor," said a spokesman.

"Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility.

"Microsoft cannot provide similar assurance for independent third-party security updates or mitigations."

Microsoft is currently testing a patch of its own. It is scheduled to be released on 10 October as part of the company's regular patch release cycle, although it might be released earlier if attacks exploiting the flaw become more widespread.

Security vendor Symantec recommended that users first try implementing a workaround that Microsoft has provided or use third-party security software that mitigates the risk. 

"If these are not an option for you, then as a last resort it is fair to consider a third-party patch," Oliver Friedrichs, director of Symantec Security Response, told vnunet.com. 

Friedrichs stressed that users and especially enterprises should first test the patch before applying it to any mission critical systems.

He added that he expects the Zert fix to be of high quality, as the group comprises reputable researchers and programmers.

"This is not just some off-the-cuff organisation trying to make a name for themselves. They really understand the problem. Other than Microsoft, they are the best positioned to do something like this," said Friedrichs.

The Zert patch is available for download from Zert website. The group plans to remove the download after Microsoft has released its update.

Copyright ©v3.co.uk