Open-source group issues Microsoft patch
But security experts urged Windows users to wait for an official fix
IDG News Service - An open-source software development group posted a file on its Web site this week that it claims will patch a recently disclosed security hole in Microsoft Corp.'s Internet Explorer Web browser that allows online scam artists to fake Web page addresses.
The decision by Openwares.org to publish the Internet Explorer patch is just the latest example of third parties preempting Microsoft with fixes for security holes in the company's products. But one security expert warned that installing the unauthorized patch could introduce more problems than it solves and advised Microsoft customers to wait for an official fix from the company.
The file, called IEpatch.exe, appeared on Monday on Openwares.org, an open-source and free-software development Web site. IDG News Service e-mailed requests seeking comment to representatives from Openwares.org, which is registered to an individual named Ori Rejwan in Tel Aviv, but they weren't immediately answered. Microsoft declined to comment today.
The patch is said to fix a vulnerability that surfaced Dec. 9 that allows attackers to use special characters in a URL to display a domain name of their choice in the Internet Explorer address and status bars.
The new security hole was first publicized in a message posted to online discussion groups that focus on computer security. A demonstration of the uses of the vulnerability was also provided by the message's author. It showed how a suspicious Web address such as http://firstname.lastname@example.org/security/ex01/vun2.htm could be displayed as www.microsoft.com in the Internet Explorer address field, making users think they were viewing Microsoft's Web site.
The vulnerability could be exploited by those who run "phishing" Web sites, which mimic legitimate sites to capture personal account information. With the new vulnerability, phishing site operators could also use the actual address to disguise their sites as part of their ruse, security experts warn.
The source code for the Internet Explorer patch was posted along with the patch, but no information was provided on how the patch fixes Internet Explorer or changes the program's configuration to prevent the URL spoofing vulnerability from being used.
In addition, a review of the patch by German online technology review publication "Heise Zeitschriften Verlag" claims that the patch is poorly written and contains its own buffer overflow vulnerability, which could enable an attacker to take control of the machine that installs it.
Internet Explorer users are better off waiting for Microsoft to issue an official patch for the URL problem than installing the Openwares.org fix, said Richard Smith, an independent security consultant in Boston.
While the vulnerability could make it possible for phishing sites to appear even more authentic, most victims of such sites are already fooled by Web page graphics and Web addresses that approximate those of the sites being spoofed, and they don't scrutinize the addresses, he said.
And the Openwares.org patch may not have been tested across a broad range of Windows machines, as Microsoft patches are, Smith warned. The decision by Openwares is another example of a third party stepping in to fix a problem when Microsoft is slow to do so, he said.
America Online Inc. took a similar step when it unilaterally disabled the Windows Messenger Service on its customers' machines in October. That service contained a critical security flaw and was being exploited by spammers to display pop-up advertisements on Windows desktops.
Security company PivX Solutions LLC also released a program recently, called Qwik-Fix, that disables Windows configuration settings and features that are not used but pose a security risk.
Microsoft has begun to take similar steps. The company announced a number of configuration changes in Windows XP Service Pack 2, including disabling Windows Messenger Service and turning on the built-in firewall that ships with Windows XP.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts