Scramble Against MS Threats Continues

Independent security developers, including the one that had a brief window of opportunity to patch Microsoft's VML flaw before Microsoft beat its own deadline, are now scrambling for their share of the spotlight in the wake of the re-emergence last week of an ActiveX control flaw.

Over the weekend, the Zero-Day Emergency Response Team -- which produced a third-party patch for the VML exploit -- released a program it's calling ZProtector, whose job is not to patch the operating system, ZERT says, but instead to track down the signatures of disobedient controls and disable them.

With the WebViewFolderIcon now having been identified as vulnerabile, ZProtector's list of control signatures has now been raised to one.

The group points to a program from a company, Determina, calling it a "patch" for the WebViewFolderIcon exploit. But rather than a patch, Determina describes its pre-existing VPS Desktop application as protection against identified controls, overwriting the disobedient portions once they've been loaded into memory, prior to their being executed.

Determina has released a free utility, called simply "The Shield" which, like ZProtector, disables the WebViewFolderIcon control specifically.

Both groups have been given a great deal of attention today, touted as having essentially beaten Microsoft again, this time to its October 10 deadline. Yet at the same time, pre-existing utilities including McAfee Intrushield have provided similar, if not identical, protection against this plus other ActiveX buffer overflow exploits since a string of them was first discovered by security researchers last June.

SecurityFocus considers both the Determina and ZERT utilities "unofficial fixes," whose viability has yet to be independently confirmed. A similar utility was published last Friday by SANS Internet Storm Center, which also thoroughly documented the techniques by which developers could develop a similar utility, relatively simply.