Skip the navigation

Open-source group issues Microsoft patch

But security experts urged Windows users to wait for an official fix

By Paul Roberts
December 19, 2003 12:00 PM ET

IDG News Service - An open-source software development group posted a file on its Web site this week that it claims will patch a recently disclosed security hole in Microsoft Corp.'s Internet Explorer Web browser that allows online scam artists to fake Web page addresses.
The decision by Openwares.org to publish the Internet Explorer patch is just the latest example of third parties preempting Microsoft with fixes for security holes in the company's products. But one security expert warned that installing the unauthorized patch could introduce more problems than it solves and advised Microsoft customers to wait for an official fix from the company.
The file, called IEpatch.exe, appeared on Monday on Openwares.org, an open-source and free-software development Web site. IDG News Service e-mailed requests seeking comment to representatives from Openwares.org, which is registered to an individual named Ori Rejwan in Tel Aviv, but they weren't immediately answered. Microsoft declined to comment today.
The patch is said to fix a vulnerability that surfaced Dec. 9 that allows attackers to use special characters in a URL to display a domain name of their choice in the Internet Explorer address and status bars.
The new security hole was first publicized in a message posted to online discussion groups that focus on computer security. A demonstration of the uses of the vulnerability was also provided by the message's author. It showed how a suspicious Web address such as http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm could be displayed as www.microsoft.com in the Internet Explorer address field, making users think they were viewing Microsoft's Web site.
The vulnerability could be exploited by those who run "phishing" Web sites, which mimic legitimate sites to capture personal account information. With the new vulnerability, phishing site operators could also use the actual address to disguise their sites as part of their ruse, security experts warn.
The source code for the Internet Explorer patch was posted along with the patch, but no information was provided on how the patch fixes Internet Explorer or changes the program's configuration to prevent the URL spoofing vulnerability from being used.
In addition, a review of the patch by German online technology review publication "Heise Zeitschriften Verlag" claims that the patch is poorly written and contains its own buffer overflow vulnerability, which could enable an attacker to take control of the machine that installs it.
Internet Explorer users are better off waiting for Microsoft to issue an official patch for the URL problem than installing the Openwares.org fix, said Richard Smith, an independent security consultant in Boston.
While the vulnerability could make it possible for phishing sites to appear even more authentic, most victims of such sites are already fooled by Web page graphics and Web addresses that approximate those of the sites being spoofed, and they don't scrutinize the addresses, he said.
And the Openwares.org patch may not have been tested across a broad range of Windows machines, as Microsoft patches are, Smith warned. The decision by Openwares is another example of a third party stepping in to fix a problem when Microsoft is slow to do so, he said.
America Online Inc. took a similar step when it unilaterally disabled the Windows Messenger Service on its customers' machines in October. That service contained a critical security flaw and was being exploited by spammers to display pop-up advertisements on Windows desktops.
Security company PivX Solutions LLC also released a program recently, called Qwik-Fix, that disables Windows configuration settings and features that are not used but pose a security risk.
Microsoft has begun to take similar steps. The company announced a number of configuration changes in Windows XP Service Pack 2, including disabling Windows Messenger Service and turning on the built-in firewall that ships with Windows XP.




Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies