Second third-party fix out for Windows bug

Group of security professionals produces a patch for a flaw in Windows Shell that is being used in cyberattacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
For the second time in as many weeks a group of security professionals has released a third-party fix for a Windows flaw that is actively being used in cyberattacks.

The group, calling itself the Zeroday Emergency Response Team, or ZERT, created the patch so Windows users can protect their PCs while Microsoft works on an official update. People have a choice of third-party fixes. Security company Determina on Friday released a patch it authored for the same flaw.

The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, Microsoft said in a security advisory issued Thursday. Windows Shell is the part of the operating system that presents the user interface.

Attackers have added the flaw to their arsenal, security experts said Saturday. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, they said.

This is the second time in as many weeks that ZERT has beaten Microsoft to the punch in patching a flaw. A little over a week ago the group crafted a fix to plug a flaw in a Windows component called "vgx.dll." This component supports Vector Markup Language (VML) graphics in the operating system.

A word of caution is always warranted when it comes to third-party fixes, and Microsoft does not recommend using them. ZERT does test its fixes, but does not have the same resources Microsoft does when it produces patches, the group has said. ZERT does provide the source code of its fix, allowing people to validate what it does.

The Windows Shell flaw was found almost two months ago as part of HD Moore's "month of browser bugs." However, sample attack code became available only recently.

Microsoft plans to issue a fix for the problem on Oct. 10, its regularly scheduled patch day, it said last week. With attacks mounting, the company might be forced to issue its patch sooner. On Tuesday Microsoft rushed out a fix for the VML flaw, which was also being exploited in attacks and for which ZERT also released a patch.