An independent group of security engineers has for the second time in a fortnight released an unofficial patch to tackle a security bug in Microsoft software.
The Zeroday Emergency Response Team (Zert), set up by a group of professionals to produce non-supplier patches as protection against zero-day exploits, has released a new patch for a vulnerability in the Microsoft Windows WebViewFolderIcon ActiveX control that could allow remote code execution by attackers.
Microsoft has not yet patched the bug. The software giant said it was “aware of proof of concept code published publicly” but had not heard of any attacks exploiting the bug. Microsoft intends to patch the vulnerability on 10 October as part of its regular monthly security update.
But the Zert team has released an update to its ZProtector to protect against the bug – less than two weeks after it anticipated Microsoft by issuing a fix for the critical Vector Markup Language bug.
Microsoft later issued its own patch for the Vector Markup Language flaw, in an unusual move outside its monthly patching cycle.
Security firm Determina has also issued a patch for the new ActiveX control vulnerability.
The Zert team has now withdrawn its original Zert2006-01 v1.0 patch, issued to tackle the Vector Markup Language bug, advising users to apply the official Microsoft patch instead.
But it has released a v2.0 fix, aimed at users of older versions of Windows for which the software giant no longer provides security updates.