
Non-Microsoft Patches Issued for IE Flaw


Guest thecableguy


A couple of computer-security companies have separately released free patches to plug a critical security flaw in Microsoft's Internet Explorer browser that hacker groups have been exploiting to steal passwords from Windows users.

The third-party fixes from Aliso Viejo, Calif.-based eEye Digital Security and Determina of Redwood City, Calif., came after Microsoft said it did not plan to issue its own update until April 11, the next date in its regular monthly security-update cycle.

Meanwhile, security experts have identified at least 200 Web sites that are being used to install password-stealing malware on Windows PCs when users merely visit one of the sites with IE.

This scenario is shaping up in a familiar way. During the final days of 2005, hackers released code that could be used to break into Windows computers whose users visited certain Web sites or opened image files infected with the code. After thousands of Web sites began using the code to install spyware and other unwanted crud, independent security researcher Ilfak Guilfanov on Jan. 1 released a free patch to fix the problem.

Amid growing criticism for saying it would wait another nine days to issue its own update, Microsoft accelerated its patch process and pushed out a fix by Jan. 5.

Microsoft says its engineers worked through the weekend on a patch for the current flaw, and that the company may issue an update before April 11 "if warranted" and "as soon as it's ready" (that is, tested to Redmond's satisfaction that it does not break or interfere with other Windows components or third-party applications).

I haven't spoken yet with anyone who has fully vetted either of these unofficial patches, so I can't really recommend that anyone install them at this time. Johannes Ullrich, chief research officer at the SANS Internet Storm Center, said SANS also can't vouch for either patch. But Ullrich said he's briefly examined the eEye fix and found that it should work, although he added that it's difficult to tell whether it will play nice with the final update issued by Microsoft.

My gut tells me Microsoft won't wait until April 11 to release its update, as we will likely see even more Web sites being hacked or created by attackers to host malicious code that leverages the IE flaw to install badware.

By Brian Krebs |  March 28, 2006; 10:03 AM ET 

Washington Post

Links to patches:

http://www.eeye.com/html/research/alerts/AL20060324.html

http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp
