IE flaw points to limits of monthly patch releases

29.03.2006
Zero-day exploits such as those targeting an unpatched vulnerability in Microsoft Corp.'s Internet Explorer Web browser are exposing some of the limitations of the company's monthly patch release schedule, users and analysts said Tuesday.

Even so, it may be better in most cases for enterprises to wait for Microsoft's official updates rather than implement interim third-party patches, they said.

"There's going to be no third-party patches for us," said Dave Jordan, chief information security officer for the Arlington County government in Virginia. "These things have to be really tested before we can put them on our production servers. By the time I finish testing, Microsoft would have released its own patches, so why go through the same exercise twice?"

The sentiment comes amid continuing concern that a vulnerability in IE could soon be exploited by hackers looking to take complete administrative control of vulnerable systems. The flaw, which involves the way IE processes Web pages using the createTextRange() method, is currently being exploited by attackers on more than 200 malicious Web sites.

Microsoft itself has called the attacks "limited in scope" and said it will release a patch addressing the flaw with its scheduled monthly updates on April 11 -- or sooner, if warranted.

However, two security vendors, Redwood City, Calif.-based Determina Inc. and eEye Digital Security Inc. in Aliso Viejo, Calif., have already released interim fixes for the flaw for users unwilling to wait for Microsoft's official patches.