Beware!: IE fix mends flawed open-source patch
IE fix mends flawed open-source patch
By Munir Kotadia
December 22, 2003, 9:54 AM PT
A Web site that published a third-party patch to fix a security hole in Microsoft's Internet Explorer has had to reissue the patch, after the original was found to be flawed.
Openwares.org published the second patch Saturday, after the first was found to contain a buffer overflow vulnerability. That flaw, which could have allowed an attacker to take control of the patched PC, might have been far more damaging than the one the patch aimed to fix.
According to Openwares, only about 6,500 people downloaded the original patch. Security experts with whom ZDNet spoke last week warned people against installing it, saying that aside from trust issues, the patch author would not have had access to IE source code; the patch could interfere with future updates from Microsoft.
Representatives from Microsoft were not available for comment Monday.
The IE vulnerability, which was first reported in late November, allows a browser to display one URL in the address bar while the page that's being viewed is actually hosted elsewhere, making the user more susceptible to ruses like phishing. However, Openwares' first fix, which worked by filtering out any URLs containing suspicious characters, would work only with addresses of fewer than 256 bytes; longer addresses overflowed a buffer.
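As an added illustration, not code from Openwares or Microsoft, the following C shows the pattern the article describes (an unbounded copy of the address into a fixed 256-byte buffer) beside a bounded version that refuses over-long input instead of overrunning the stack. Which characters the original patch treated as suspicious is not stated on the page; the heuristic here (an '@' that lets the text before it pose as the host, plus any control byte, raw or percent-encoded), the function names and the sample URLs are all assumptions made for the example.

```c
/* Added example, not Openwares' patch. The article reports only that the
 * first patch filtered URLs with suspicious characters and overflowed on
 * addresses of 256 bytes or more; everything else here is assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define URL_BUF_MAX 256   /* the fixed buffer size implied by the article */

enum url_verdict { URL_OK = 0, URL_SUSPICIOUS = 1, URL_TOO_LONG = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Assumed heuristic: flag '@' (user-info separator, so the bytes before it
 * can masquerade as the host) and any control byte, raw or percent-encoded
 * (e.g. %00, %01). Over-blocks legitimate user@host URLs; that is a policy
 * choice for the example, not the patch's documented behaviour. */
static int has_suspicious_bytes(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == '@' || *p < 0x20 || *p == 0x7f)
            return 1;
        if (*p == '%') {
            int hi = hexval(p[1]);           /* p[1] is readable: *p != 0 */
            if (hi >= 0) {
                int lo = hexval(p[2]);       /* p[2] readable: p[1] != 0 */
                if (lo >= 0 && hi * 16 + lo < 0x20)
                    return 1;
            }
        }
    }
    return 0;
}

/* The flawed pattern: unbounded copy into a fixed stack buffer. Any URL of
 * URL_BUF_MAX bytes or more overruns buf, so an attacker who can get the
 * "patched" browser to process a long URL controls the stack. Kept only to
 * show the bug; never call it with untrusted input. */
static enum url_verdict filter_url_vulnerable(const char *url)
{
    char buf[URL_BUF_MAX];
    strcpy(buf, url);   /* no length check: this is the overflow */
    return has_suspicious_bytes(buf) ? URL_SUSPICIOUS : URL_OK;
}

/* Hardened form: look for the terminator within the buffer size first,
 * refuse anything that does not fit (including the NUL), then copy with a
 * bound. An over-long URL becomes an error the caller can block. */
static enum url_verdict filter_url_hardened(const char *url)
{
    char buf[URL_BUF_MAX];
    const char *nul = memchr(url, '\0', URL_BUF_MAX);
    if (nul == NULL)
        return URL_TOO_LONG;                 /* no NUL in the first 256 bytes */
    size_t n = (size_t)(nul - url);          /* n <= 255, so n + 1 fits */
    memcpy(buf, url, n + 1);
    return has_suspicious_bytes(buf) ? URL_SUSPICIOUS : URL_OK;
}

/* Constructed sample input: "http://" followed by n 'a' bytes, run through
 * the hardened filter. Used to probe the 256-byte boundary. */
static enum url_verdict check_long_url(size_t n)
{
    char url[1024];
    if (n + 8 > sizeof url)
        n = sizeof url - 8;
    memcpy(url, "http://", 7);
    memset(url + 7, 'a', n);
    url[7 + n] = '\0';
    return filter_url_hardened(url);
}

int main(void)
{
    /* Constructed sample URLs; the second mimics a host-spoofing address. */
    const char *plain = "http://www.example.com/index.html";
    const char *spoof = "http://www.example.com%01@203.0.113.5/";
    printf("plain: %d  spoof: %d  300-byte: %d\n",
           filter_url_hardened(plain), filter_url_hardened(spoof),
           check_long_url(300));
    return 0;
}
```

The boundary matters: a 256-byte address leaves no room for the terminator, so the hardened filter rejects it too, whereas the flawed version writes one byte past the buffer before anything else goes wrong.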
Openwares' administrator said: "The new version has been rewritten and tested by dozens of users who helped out. If you're unsure, look at the new source code for yourself."
By early morning Monday, there had been 2,500 downloads of the new patch. However, this is a minute fraction of IE users, who make up more than 90 percent of the Internet population.
Microsoft has still not released a fix for the IE problem or given any indication as to when one might be available. In October, the Redmond, Wash., software maker adopted a policy of releasing only one patch each month, but it has already announced that it will be skipping its December release; IE is expected to remain vulnerable until at least mid-January.
Earlier in December, weeks after the IE flaw was discovered, Iain Mulholland, a security program manager at Microsoft, said the company was putting heavy emphasis on increasing the quality of its patches and that the approach has had an effect on the timing of releases. "It is not that we are not doing anything; it's just that we don't have a patch ready in the pipeline," he said.
More at ZDNet