Open-source group issues Microsoft patch
But security experts urged Windows users to wait for an official fix
IDG News Service - An open-source software development group posted a file on its Web site this week that it claims will patch a recently disclosed security hole in Microsoft Corp.'s Internet Explorer Web browser that allows online scam artists to fake Web page addresses.
The decision by Openwares.org to publish the Internet Explorer patch is just the latest example of third parties preempting Microsoft with fixes for security holes in the company's products. But one security expert warned that installing the unauthorized patch could introduce more problems than it solves and advised Microsoft customers to wait for an official fix from the company.
The file, called IEpatch.exe, appeared on Monday on Openwares.org, an open-source and free-software development Web site. IDG News Service e-mailed requests seeking comment to representatives from Openwares.org, which is registered to an individual named Ori Rejwan in Tel Aviv, but they weren't immediately answered. Microsoft declined to comment today.
The patch is said to fix a vulnerability that surfaced Dec. 9 that allows attackers to use special characters in a URL to display a domain name of their choice in the Internet Explorer address and status bars.
The new security hole was first publicized in a message posted to online discussion groups that focus on computer security. A demonstration of the uses of the vulnerability was also provided by the message's author. It showed how a suspicious Web address such as http://firstname.lastname@example.org/security/ex01/vun2.htm could be displayed as www.microsoft.com in the Internet Explorer address field, making users think they were viewing Microsoft's Web site.
The vulnerability could be exploited by those who run "phishing" Web sites, which mimic legitimate sites to capture personal account information. With the new vulnerability, phishing site operators could also use the actual address to disguise their sites as part of their ruse, security experts warn.
The source code for the Internet Explorer patch was posted along with the patch, but no information was provided on how the patch fixes Internet Explorer or changes the program's configuration to prevent the URL spoofing vulnerability from being used.
In addition, a review of the patch by German online technology review publication "Heise Zeitschriften Verlag" claims that the patch is poorly written and contains its own buffer overflow vulnerability, which could enable an attacker to take control of the machine that installs it.
Internet Explorer users are better off waiting for Microsoft to issue an official patch for the URL problem than installing the Openwares.org fix, said Richard Smith, an independent security consultant in Boston.
While the vulnerability could make it possible for phishing sites to appear even more authentic, most victims of such sites are already fooled by Web page graphics and Web addresses that approximate those of the sites being spoofed, and they don't scrutinize the addresses, he said.
And the Openwares.org patch may not have been tested across a broad range of Windows machines, as Microsoft patches are, Smith warned. The decision by Openwares is another example of a third party stepping in to fix a problem when Microsoft is slow to do so, he said.
America Online Inc. took a similar step when it unilaterally disabled the Windows Messenger Service on its customers' machines in October. That service contained a critical security flaw and was being exploited by spammers to display pop-up advertisements on Windows desktops.
Security company PivX Solutions LLC also released a program recently, called Qwik-Fix, that disables Windows configuration settings and features that are not used but pose a security risk.
Microsoft has begun to take similar steps. The company announced a number of configuration changes in Windows XP Service Pack 2, including disabling Windows Messenger Service and turning on the built-in firewall that ships with Windows XP.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts