Third party offers temporary IE fix
By Joris Evers
Staff Writer, CNET News.com
Published: March 27, 2006, 6:35 PM PST
Last modified: March 27, 2006, 10:50 PM PST
eEye Digital Security released a temporary fix on Monday for Internet Explorer to combat attacks that exploit a recently disclosed security hole in the browser.
The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, Calif. Microsoft does not have a fix for the flaw available yet.
Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around.
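The work-around the article refers to, as an added example that is not code from the article, eEye or Microsoft: a PowerShell script that audits and, on request, changes the "Active scripting" setting of Internet Explorer's Internet zone for the current user. It assumes the documented zone registry layout (zone 3 is the Internet zone, value name 1400 is Active scripting, data 0, 1 and 3 mean Enable, Prompt and Disable) and a Windows version that ships PowerShell, which did not exist when this article was published.

```powershell
# Added example (not from the article, eEye or Microsoft): audit or set the
# "Active scripting" setting of IE's Internet zone for the current user.
# Assumed registry layout (documented IE zone settings):
#   zone key 3      = Internet zone
#   value name 1400 = Active scripting
#   data 0 / 1 / 3  = Enable / Prompt / Disable
param(
    [ValidateSet('Audit', 'Disable', 'Prompt', 'Enable')]
    [string]$Action = 'Audit'
)

$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'
$Settings  = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-ActiveScriptingState {
    # Returns the current setting as a word, or notes that it is not set
    # (IE's built-in default for the Internet zone is Enable).
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (IE default for the Internet zone is Enable)' }
    switch ($item.$ValueName) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($($item.$ValueName))" }
    }
}

"Before: Active scripting in Internet zone = $(Get-ActiveScriptingState)"

if ($Action -ne 'Audit') {
    # Write the chosen setting as a REG_DWORD; IE reads it on the next page load.
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value $Settings[$Action] -Type DWord
    "After:  Active scripting in Internet zone = $(Get-ActiveScriptingState)"
}
```

Run it with no arguments to audit, or with `-Action Disable` to apply the work-around. Two caveats: if an administrator has enforced zone settings machine-wide (the same key tree under HKLM with the Security_HKLM_only policy set), the per-user value shown here is ignored, so audit that path as well; and disabling Active scripting breaks every site that needs JavaScript in the Internet zone, which is the usability cost the article's sources weigh against installing an untested third-party patch.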
"This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said.
eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site.
Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "We can't recommend it because we have not tested it... Customers should weigh the risk of applying something like this to their systems."
The vulnerability has to do with how Internet Explorer handles the "createTextRange()" tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs, according to security company Websense.
Microsoft has also seen the attacks, but Toulouse said "the spread rate appears to be relatively limited." That means there aren't many new attacks being launched. Microsoft is working with law enforcement to take down Web sites that are hosting the attacks, which are often hacked sites, he said.
WMF flashback
The situation with the createTextRange() bug is reminiscent of another high-profile Windows flaw earlier this year. That flaw was in the way the operating system handled the Windows Meta File image format. A European software developer created a fix, which security experts, in an unprecedented move, even endorsed.
This time, however, the third-party eEye fix isn't getting the same backing.
"I don't think we will endorse this patch," said Johannes Ullrich, chief research officer at the SANS Institute. "There is no source code available, so we are not able to validate the patch."
eEye originally said it would not make the source code available, but late Monday the company posted the source code on its site.
Also, experts including Ullrich don't see the threat level as equal, because there were no practical work-arounds for the Windows Meta File flaw. "Unlike for WMF, there is a valid work-around here by disabling active scripting... I am not sure if the current situation warrants users to install such a patch."
Ken Dunham, director of the rapid response team at iDefense, also would not recommend the eEye fix. "Every time a company introduces new software into their environment, there are risks involved," he said. "There may be compatibility issues, or it may even introduce new security holes that didn't exist prior to the patching."
Still, if the attacks proliferate, some users may want to test eEye's patch to be ready when there is a more widespread exploit, Ullrich said.
Meanwhile, Microsoft is working on an official fix, which it might release outside of its monthly patch schedule. "The update is still being tested," Toulouse said. "An out-of-band release is still on the table." Microsoft's next "Patch Tuesday" bundle of fixes is scheduled for release April 11.
The last time Microsoft issued a fix early was two months ago, for the WMF bug. That flaw was also being abused to attack Windows users.
The eEye patch was developed to work on computers running Windows with IE 5 or IE 6.