Microsoft -- may go out of patch cycle for VML exploit

Scott Deacon at Microsoft Security Response just posted a new blog entry. Microsoft may go out of cycle on the patch, they’re not seeing many sites infected, and they don’t recommend using the ZERT temporary patch.

I’ll quote relevant passages:

On breadth of attacks:

Attacks remain limited. There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability.

Patching out of cycle a possibility:

…around 24-48 hours ago we began to see we have the possibility of going out of band here and we will keep you posted as we go. The primary driver here is quality and protecting customers, not adherence to the monthly schedule.

On the ZERT patch:

That last bit is important because we were made aware this morning of a third party “update” for this issue. We think it’s great that there are people out there working to help protect our customers. But as we’ve always said, we cannot endorse third party updates. As a best practice, customers should obtain security updates and guidance from the original software vendor.

Link here.