unofficial, Patch, Update, exploit, Buffer overflow, Bug, Security
Another company has released a third-party patch for a serious flaw in Internet Explorer, as experts warn users to be cautious with non-Microsoft fixes.
Determina, which makes intrusion-prevention products, made an unofficial fix for the Microsoft Web browser available on Monday. The release came shortly after eEye Digital Security issued its own temporary patch.
Both fixes are meant to protect Windows PCs against cyberattacks that exploit a recently disclosed IE vulnerability Microsoft has yet to provide an update for. The software maker has not endorsed either fix, saying that as a rule it doesn't recommend installing outside patches.
This is the second time this year that somebody has beaten Microsoft to the punch with a security fix. Last time, security experts supported a patch issued by a European researcher. This time, they are not recommending people apply the unofficial fixes.
Instead, people should follow Microsoft's advice and disable the Active Scripting feature in IE, or simply use a different Web browser, experts said.
"At this point, we do not recommend applying these temporary patches," said Johannes Ullrich, the chief research officer at the SANS Institute. Only those people who need to use Active Scripting in IE should consider adopting an unofficial solution, he said.
The vulnerability has to do with how Internet Explorer handles the createTextRange() tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and other nasties on vulnerable PCs, according to security company Websense.
Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany, said the security issue with IE is significant, but agreed that a third-party fix is not needed. "I would not apply this patch personally," he said. "As long as you're not using IE, you're safe. If you do use it, you should deactivate Active Scripting."
Active Scripting, also known as ActiveX Scripting, is used to deliver "feature-rich" Web sites that can run small applications. Disabling the component in IE can have an impact on how well Web sites function in the browser.
Heeding the expert advice, Susan Bradley, a network administrator at an accountancy firm in Fresno, California, said she is not deploying any unofficial patch. "When any of these third-party patches are considered, one needs to think about supportability. It potentially puts me outside of support," she said.
The eEye and Determina patches block access to the vulnerable component in IE 5 and 6, the most-used versions, to try to prevent malicious Web sites from taking advantage of the flaw. Both Determina, based in and eEye sell intrusion-prevention products.
Microsoft has said it is working on a fix for the browser. That update is currently slated for delivery on April 11, Microsoft's regular monthly patch day. However, the company has said it is considering an earlier release.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
please please please please please please kill that spam bot.
11 minutes ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way it didn't post the link it's 'Ubuntu 10.04 Lucid Lynx Beta-1 First Look' on youtube :) Dava
3 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest Hi James I disagree, Ubuntu needs a GUI update and this one IMO is quite good. your pics show a low res. here's a high res. on YouTube* The...
3 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest Hi any news on the comment bot? knocking me back from my own blog is a bit cheeky lol *Mulder to Scully* "I think it has an agenda.." I know, I...
4 hours ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way
if you look at the Brentwood exchange on samknows it servers 21,000 residential propertiesm, Lowestoft serves 31,000! Come on BT sort yourselves...
5 hours ago by benny boy on BT fibre broadband coming to 69 more towns
[programming] H.264 - a sting in the tail http://reddit.com/bfu4q [zdnet.co.uk]
6 hours ago on Twitter by pbreddit
H.264 - a sting in the tail [programming] 13 points, submitted by zigzag [zdnet.co.uk] http://reddit.com/bfu4q
7 hours ago on Twitter by reddit
Malware infects second Vodafone HTC phone: [zdnet.co.uk] A second Android-based HTC Magic from Vodafone has been... http://dlvr.it/KhKx
9 hours ago on Twitter by cybfor
Chatter preview http://www.zdnet.co.uk/news/application-development/2010/03/17/salesforce-opens-up-chatter-developer-preview-40088348/
9 hours ago on Twitter by miyabi81 US gov t considers undercover social networking: [zdnet.co.uk] The Obama administration has considered sending... http://dlvr.it/Kh3L
9 hours ago on Twitter by cybfor Please give me chance in the vodafone essar Ltd as back office executive
11 hours ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobs I want to get a back office job in vodafone direct payroll
11 hours ago by sudipta_vodafone on Vodafone culls 375 'mainly back-office' jobs
I also find it harder to use. It used to scale properly in Firefox. Text would size up and down without dragging all the right edge debris with it....
15 hours ago by Xwindowsjunkie on ZDNet UK: faster, smarter, still IT all the way that comment bot is a nutter, it just referred me to the moderator on my own blog. shocked look. please help thank you Dava I'm afriad to...
18 hours ago by dava4444 on Welcome to the new ZDNet UK community! Hi Rupert! Don't think I could fill the above shoes... but if your ever looking for a consumer rights Tech blogger..tip me the wink lol peace Dava
20 hours ago by dava4444 on Fancy working for ZDNet UK? Hi Rupert My photo is gone from my profile and I just got told i was a spammer by the comment bot. the navigation is gone for my profile. :O on...
20 hours ago by dava4444 on Welcome to the new ZDNet UK community!
With windows it is always more bloat, and a lot of that seems to be duplicated in various places. I've noticed that you will have freed space on...
1 day ago by ator1940 on Can you believe it - 2765 kB will be freed?
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
1 day ago on Twitter by BuzzMyStatFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
