unofficial, third party, Flaw, IE, Fix, Patch, Update, Hole
eEye Digital Security released a temporary fix on Monday for Internet Explorer to combat attacks that exploit a recently disclosed security hole in the browser.
The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye. Microsoft does not have a fix for the flaw available yet.
Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organisations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is the the work-around suggested in Microsoft's advisory.
"This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said.
eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site.
Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a programme manager in Microsoft's Security Response Centre. "We can't recommend it because we have not tested it... Customers should weigh the risk of applying something like this to their systems."
The vulnerability has to do with how Internet Explorer handles the createTextRange() tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and other unwanted nasties on vulnerable PCs, according to security company Websense.
Microsoft has also seen the attacks, but Toulouse said "the spread rate appears to be relatively limited". That means there aren't many new attacks being launched. Microsoft is working with law enforcement to take down Web sites that are hosting the attacks, which are often hacked sites, he said.
WMF flashback
The situation with the createTextRange() bug is reminiscent of another high-profile Windows flaw earlier this year. That flaw was in the way the operating system handled WMF files. A European software developer created a fix, which security experts in an unprecedented move even endorsed.
This time, however, the third-party eEye fix isn't getting the same backing.
"I don't think we will endorse this patch," said Johannes Ullrich, chief research officer at the SANS Institute. "There is no source code available, so we are not able to validate the patch."
eEye originally said it would not make the source code available, but late Monday the company posted the source code on its site.
Also, experts including Ullrich, don't see the threat level as equal because there were no practical work-arounds for the Windows Meta File flaw. "Unlike for WMF, there is a valid work-around here by disabling active scripting... I am not sure if the current situation warrants users to install such a patch."
Ken Dunham, director of the rapid response team at iDefense, also would not recommend the eEye fix. "Every time a company introduces new software into their environment, there are risks involved," he said. "There may be compatibility issues, or it may even introduce new security holes that didn't exist prior to the patching."
Still, if the attacks proliferate, some users may want to test eEye's patch to be ready when there is a more widespread exploit, Ullrich said.
Meanwhile, Microsoft is working on an official fix, which it might release outside of its monthly patch schedule. "The update is still being tested," Toulouse said. "An out-of-band release is still on the table." Microsoft's next "Patch Tuesday" bundle of fixes is scheduled for release on 11 April.
The last time Microsoft issued a fix early was two months ago, for the WMF bug. That flaw was also being abused to attack Windows users.
The eEye patch was developed to work on computers running Windows with IE 5 or IE 6.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
4 hours ago on Twitter by BuzzMyStat
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
8 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
9 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
22 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
1 day ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
1 day ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
1 day ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
1 day ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
1 day ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
2 days ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
2 days ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
2 days ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
2 days ago by Bob Preece on Fluke Networks AirCheck Wi-Fi TesterFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
Most web sites cannot be used with active scripting disabled. Disabling active scripting means turning off the javascript feature which has been a part of web browsers since the 90s. All mainstream browsers now support javascript, and most large commercial sites (eg online banking, government and online retail) require its operation to use the site. So MS are recommending returning to the primitive days of basic html, and no javascript? Should they perhaps recommend as a temporary workaround switching to another browser, since this flaw is IE specific?
3 Apr 06 08:16 ReplyA decently secure browser would allow the user to start with all sites in a high security bucket - no scripting, no images, no downloads etc. Then when one of these features is required by a site, the browser lights up a button on the toolbar to selectively enable these features for this site - user only enables if they know the site. User has control, browsing is secure. (This idea is patented, licensing rights price on application - any browser manufacturer which actually uses this ideal scheme will be sued)