Tuesday, December 23, 2003

News: IE fix mends flawed open-source patch:
"A Web site that published a third-party patch to fix a security hole in Microsoft's Internet Explorer has had to reissue the patch, after the original was found to be flawed.

Openwares.org published the second patch Saturday, after the first was found to contain a buffer overflow exploit. This exploit, which allowed an attacker to take control of the patched PC, might have been far more damaging than the flaw the patch aimed to fix."

The IE vulnerability, which was first reported in late November, allows a browser to display one URL in the address bar while the page that's being viewed is actually hosted elsewhere, making the user more susceptible to ruses like "phishing," in which spoof e-mails direct people to fake Web sites that seem to belong to legitimate companies. However, Openwares' first fix, which worked by filtering out any URLs containing suspicious characters, would work only with addresses that had fewer than 256 bytes. Larger addresses produced a buffer overflow.

Openwares' administrator said: "The new version has been rewritten and tested by dozens of users who helped out. If you're unsure, look at the new source code for yourself."

By early morning Monday, there had been 2,500 downloads of the new patch. However, this is a minute fraction of IE users, who make up more than 90 percent of the Internet population.

Microsoft has still not released a fix for the IE problem or given any indication as to when one might be available. In October, the Redmond, Wash., software maker adopted a policy of releasing only one patch each month, but it has already announced that it will be skipping its December release; IE is expected to remain vulnerable until at least mid-January.

Earlier in December, weeks after the IE flaw was discovered, Iain Mulholland, a security program manager at Microsoft, said the company was putting heavy emphasis on increasing the quality of its patches and that the approach has had an effect on the timing of releases.…

http://zdnet.com.com/2100-1105_2-5130708.html
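The defect the article describes, a filter that copies each URL into a fixed 256-byte buffer before scanning it, shown beside a length-bounded version that scans the caller's bytes in place. This is an added example written for this page in C; it is not the Openwares patch and not code from the article. Which characters count as "suspicious" ('@' and control bytes, literal or percent-encoded) and the sample URLs are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumption (not from the article): "suspicious characters" are taken to be
 * '@', which lets user-info text masquerade as the host name, and any control
 * byte, either literal or percent-encoded (%00..%1F, %7F).
 */
static bool is_suspicious_byte(unsigned char c)
{
    return c == '@' || c < 0x20 || c == 0x7f;
}

/* Decode the %XX escape that begins at s (s[0..2] must be readable);
 * returns the byte value, or -1 if s does not start a valid escape. */
static int decode_pct(const char *s)
{
    if (s[0] != '%' || !isxdigit((unsigned char)s[1]) ||
        !isxdigit((unsigned char)s[2]))
        return -1;
    char hex[3] = { s[1], s[2], '\0' };
    return (int)strtol(hex, NULL, 16);
}

/* Hardened check: scans the caller's bytes in place with an explicit length.
 * No copy and no fixed-size buffer, so the URL's length never matters. */
bool url_is_suspicious(const char *url, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '%' && i + 2 < len) {      /* need all three bytes of %XX */
            int d = decode_pct(url + i);
            if (d >= 0) {
                c = (unsigned char)d;
                i += 2;
            }
        }
        if (is_suspicious_byte(c))
            return true;
    }
    return false;
}

/* Flawed pattern, kept only to show the defect the article describes: the URL
 * is copied into a 256-byte stack buffer before it is scanned. strcpy() has no
 * length check, so any URL of 256 or more bytes writes past `buf` and corrupts
 * the stack. The scan itself is fine; the copy is the bug. Never call this
 * with input you do not control. */
bool url_is_suspicious_fixed_buffer(const char *url)
{
    char buf[256];
    strcpy(buf, url);                     /* overflow when strlen(url) >= 256 */
    return url_is_suspicious(buf, strlen(buf));
}

/* Constructed input for demonstration: "http://" followed by 'a' bytes up to
 * `len` bytes in total, optionally with '@' as the last byte. */
bool scan_constructed_url(size_t len, bool end_with_at)
{
    if (len < 8)
        return false;
    char *u = malloc(len + 1);
    if (!u)
        return false;
    memcpy(u, "http://", 7);
    memset(u + 7, 'a', len - 7);
    if (end_with_at)
        u[len - 1] = '@';
    u[len] = '\0';
    bool r = url_is_suspicious(u, len);
    free(u);
    return r;
}

int main(void)
{
    /* Constructed sample URLs; the second hides the real host behind %01@. */
    const char *samples[] = {
        "http://www.example.com/index.html",
        "http://www.example.com%01@evil.example/",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%-45s %s\n", samples[i],
               url_is_suspicious(samples[i], strlen(samples[i])) ? "SUSPICIOUS" : "ok");
    printf("4096-byte URL, no '@': %s\n",
           scan_constructed_url(4096, false) ? "SUSPICIOUS" : "ok");
    printf("4096-byte URL ending in '@': %s\n",
           scan_constructed_url(4096, true) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

The point of the pairing is that the filtering logic in both versions is identical; the overflow lives entirely in the unchecked copy into a fixed-size buffer, which is why a filter written to catch one spoofing trick can itself become a memory-corruption bug reachable from any web page. Building the flawed function with a stack protector or AddressSanitizer and feeding it a 256-byte URL is the quickest way to confirm the defect, and it is the kind of review the Openwares administrator's "look at the new source code for yourself" invites.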
