Slashdot Mirror


Zero-Day Team Launches with Emergency IE Patch

Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

11 of 157 comments

  1. Who didn't see this coming by George+Beech · · Score: 4, Interesting
    I mean really, it just seems logical if they are only going to patch once a month, then the bad guys will go after every hole that wasn't patched the day after updates are released.

    I'm just amazed that it took this long for it to become big news that this kind of thing is going on.

  2. Surprised by joshetc · · Score: 2, Interesting

    Honestly I'm surprised it took this long for something like this to happen. You patch once a month on a specific day.. obviously they are going to time their attacks for when they will inflict the most damage.

  3. Alternative: Unregister vgx.dll by Noksagt · · Score: 5, Interesting
    The latest Security Now! episode had information on this exploit. Those who have policies in which they can't install third party patches do have an alternative:
    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    When MS comes out with a patch,
    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    will re-register it.
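
A way to confirm that the unregister step in the comment above took effect, and to notice when a later update re-registers the DLL. This is an added example, not part of the original comment; the function name Get-VgxRegistration is hypothetical, and the script only reads the registry and file system.

```powershell
# Added example: read-only check of whether vgx.dll is still registered for COM.
function Get-VgxRegistration {
    # COM class roots: the native view and, on 64-bit Windows, the 32-bit view.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
    ) | Where-Object { Test-Path -LiteralPath $_ }

    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $sub = $null
            try { $sub = $_.OpenSubKey('InprocServer32') } catch { return }
            if (-not $sub) { return }
            $server = [string]$sub.GetValue('')   # default value = path of the COM server DLL
            $sub.Close()
            # Keep only classes whose server file name is vgx.dll, quoted or not.
            if ($server -match '(^|\\)vgx\.dll"?\s*$') {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server; View = $root }
            }
        }
    }
}

# The DLL stays on disk after "regsvr32 -u"; only its registration is removed.
$dirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    $dll = Join-Path $dir 'Microsoft Shared\VGX\vgx.dll'
    '{0}  (present on disk: {1})' -f $dll, (Test-Path -LiteralPath $dll)
}

$hits = @(Get-VgxRegistration)
if ($hits.Count -eq 0) {
    'No InprocServer32 entry points at vgx.dll: the workaround is in effect.'
} else {
    $hits | Format-Table -AutoSize
    'vgx.dll is still registered: run the regsvr32 -u command for each path listed.'
}
```
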
  4. Why must the internet be neutropenic? by Control+Group · · Score: 2, Interesting

    This is neat. Kudos to these guys, and I'm glad they're doing what they're doing.

    But it isn't a long-term solution; it still depends on human-speed recognition of the exploit and development of a patch.

    What we need is the spread of viruses/worms/trojans whose payload is the removal of malware. Internet antibodies, as it were. The ultimate goal ought to be an antibody - or, to coin a term, an ant.iBody (ant.eBody?) - software that heuristically determines what is malware and what is legitimate software, preventing the former while allowing the latter and propagates itself across the network.

    Of course, deploying something like that would break all sorts of computer security laws...but it's not like that stops anything else.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  5. The Church of Microsoft by erroneus · · Score: 2, Interesting

    I think they should have been a LOT more religious about writing secure code back when they claimed to be focusing on security and such. I haven't noticed any slowdown in the frequency of new exploits and no real increase in the delivery of patches. But if they haven't found religion in writing secure code, I think it's about time they did.

  6. Re:An even simpler solution by ericlondaits · · Score: 2, Interesting
    IE Only Sites. There's nothing more I'd love than to put Firefox and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.
    Worst part is, the sites I had problems with so far while using Firefox were all based on Flash. It seems that IE and FF handle screen coordinates differently... so cursors, pull down menus and buttons implemented in Flash might not work OK in FF depending on implementation. This has nothing to do with poor CSS or DHTML implementations.
    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  7. Re:An even simpler solution by nithinsujir · · Score: 2, Interesting

    "But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down." I disagree. It just means their BANKING site doesn't pay much importance to security and so it isn't worth it in the long run.

  8. Re:An even simpler solution by jd142 · · Score: 2, Interesting

    Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

    GPO. Then they can't bypass it because the setting will be re-applied.

    Also, you can edit one of firefox files that's just plain text to hide those menu settings. It's been awhile since I've done it, but if you do a search for firefox and kiosk you should find the instructions.

  9. Re:Is the industry gullible? by Anonymous Coward · · Score: 1, Interesting

    Why the hell did someone come up with the concept of "patch Tuesday" in the first place?

    Mainly because IT departments were getting hammered with patches day after day. By default, we ended up scheduling patches for end-of-month or whenever because installing patches on Microsoft's schedule is just unworkable. Is "Patch Tuesday" better? It's useful mainly for the run-of-the-mill fixes and such. When a critical patch is needed there should be a fix or workaround posted in a day or so (like in the Open Source world) with the understanding that the patch is untested.

  10. Re:An even simpler solution by pixelpusher220 · · Score: 2, Interesting

    and the second point:

    Firefox plug-in IE View

    Description: Lets you load pages in IE with a single right-click, or mark certain sites to *always* load in IE. Useful for incompatible pages, or cross-browser testing.

    I like the idea that you can tell users, if it doesn't seem to look right, try this...and then have them default the few non-compatible sites to use IE. Trains them that IE is 'different' and Firefox is more standard.


    --
    People in cars cause accidents....accidents in cars cause people :-D
  11. Re:One word: AdBlock. by Anonymous Coward · · Score: 1, Interesting

    The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.

    I use several financial institutions for my banking, and there is not a single one that's still incompatible with the latest Firefox. If I found they supported Firefox any less than IE, I'd leave them in an instant, and I'd tell them why.

    A few years ago, some were slow catching on, so I switched banks. I also moved the accounts of my business, and several clients away from institutions that don't support other than IE. Since then, every one of those banks has seen the light.

    Change banks. Change brokers. TELL THEM WHY YOU'RE CHANGING. If your account size warrants it, speak to someone higher than just peon level. I spoke directly to Vice-Presidents of three banks. Nothing changes their minds as quickly as their accounts leaving for the competition over something their IT department didn't bother to fix. You've got to sell it in a language they understand.

    The only group you won't find willing to support Firefox is media companies, since they want to lock down the system as much as possible, and supporting more than one platform decreases their ability to do so.

    I only feel a little bit guilty that I caused some very big headaches in the IT departments of banks... One VP was absolutely FURIOUS that his IT department was willing to give away 10% or more of their potential online business in order to code their pretty little menu screens a little bit faster. (As well he should have been.)