Windows Flaw Gets A Third-Party Fix

A group of security professionals has issued a patch for the Vector Markup Language (VML) vulnerability that works on versions of Microsoft Windows the vendor no longer supports, from Windows 98 through Windows 2000 SP3.

The vulnerability was first reported last week and lies in “vgx.dll”, the Windows component that renders VML. A specially crafted Web page or HTML e-mail message can exploit it to load malicious software onto a vulnerable PC without the user’s knowledge, as soon as the user follows a malicious link on a Web site or in an e-mail message.

Although Microsoft provided a fix for the problem two weeks before its regularly scheduled patch day, that patch only updates Windows 2000 SP4, Windows XP and Windows Server 2003. The older operating systems for which Microsoft no longer provides support were left unpatched and thus still vulnerable.

In response, a group of security professionals calling themselves ZERT (Zeroday Emergency Response Team) has turned to the forgotten users of Microsoft’s older versions of Windows and issued a patch that fixes the vulnerability on those operating systems.

“ZERT is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor,” the group’s Web site says. “ZERT members work together as a team to release a non-vendor patch when a so-called ‘0day’ (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to ‘crack’ products, but rather to ‘uncrack’ them by averting security vulnerabilities in them before they can be widely exploited,” the Web site further explains.

The patch offered by ZERT comes with no warranty. The group warns that, although it tests its patches extensively before releasing them, they are not official patches with vendor support and are provided as-is. Administrators who cannot or will not apply a third-party binary patch still have Microsoft’s own documented interim workaround: unregistering vgx.dll with regsvr32, which disables VML rendering entirely at the cost of breaking pages that rely on it.

ZERT has also recently issued a patch for a vulnerability in the Windows Shell, which affects Windows 2000, Windows XP and Windows Server 2003 and could allow remote code execution on the user’s computer.