Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Déjà Vu as Third Parties Ship IE Patches



 By: Ryan Naraine
2006-03-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Two well-respected security research companies release unofficial hotfixes to provide temporary protection for the code execution browser flaw, but Microsoft does not sanction the use of the patches.

Two well-respected Internet security companies have shipped unofficial patches for a critical flaw in Microsofts Internet Explorer browser a full two weeks before the software makers scheduled release of a comprehensive update.

With a wave of zero day attacks underway, eEye Digital Security and Determina offered separate hotfixes to provide temporary protection for IE users, but experts warn that the third-party patches carry a "buyer beware" tag.

As a general rule, Microsoft never recommends third-party updates because, without rigorous quality assurance testing, it is impossible to know what impact the unofficial fix might have on applications mandated in regulated industries or in-house applications.

Earlier this year, at the height of the WMF malware attacks, reverse-engineering guru Ilfak Guilfanov created a temporary patch that was recommended by experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure.

This time around, the SANS Storm Center is not recommending the temporary patch. In a diary entry, chief research officer Johannes Ullrich said the Microsoft-sanctioned workaround to turn off Active Scripting is sufficient to mitigate the risk from an attack.

Resource Library:

However, eEyes co-founder and chief hacking officer Marc Maiffret said some IE users may experience problems on legitimate Web sites that require Active Scripting. "Our patch is not meant to replace the one Microsoft will release. Its only temporary protection and were recommending it as a last-resort for people who need to have Active Scripting enabled," Maiffret said in an interview with eWEEK.

He said eEyes hotfix will automatically uninstall itself when Microsoft ships the official update.

"We got a lot of requests from customers and IE users asking for advice and when we saw that Microsoft wasnt planning to release a patch until April 11, we decided to do an in-memory patch of the affected code, much like Microsoft would do," he explained.

"[Our patch] fixes the specific vulnerability itself. Its not going to break any of the JavaScript functionality unless its a Web site thats being specifically malicious," Maiffret said. "You cant have people without protection for 16 more days when an attack is underway."

Alexander Sotirov, chief reverse engineer on the security research team at Determina, said his companys fix was released with full source code for all versions of IE 5.01 and IE6.

"The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key," Sotirov wrote in a message posted to security mailing lists. He said the DLL fixes the bug by patching a single byte in MSHTML.DLL when it is loaded in memory. "This change makes the createTextRange() function return an error code instead of returning 0. This exactly how the problem was fixed in the latest IE7 beta from March 20," Sotirov explained.

Is outsourcing e-mail security right for your organization? Ziff Davis Media eSeminars invites you to learn about the security and management challenges facing e-mail technology implementers and decision makers from Tumbleweed on March 28 at 2 p.m. ET.

eEyes Maiffret criticized Microsoft for downplaying the severity of the exploits, which has been described as "limited in scope."

"Its disappointing that Microsoft says the threat isnt big because its only been found on 200 URLs. Why are they thinking about these attacks like they think about network worms? The risk of the quiet, targeted attack is very, very high and this should be an emergency situation for Microsoft," said Maiffret, who regularly shares information on flaw discoveries with the software vendor.

"Thats the bigger point that people are missing. Its not about eEye or someone else releasing an unofficial patch. The bigger issue is that Microsoft isnt equipped with the ability to protect customers from zero-days. Why should customers sit around for weeks when attacks are underway?" Maiffret said.

A spokesperson for Microsoft described eEyes patch as a "third-party mitigation tool" that does not address the original vulnerability but instead appears to serve as an additional mitigation to block the attack vector that Web sites might use to implement an attack.

"While Microsoft can appreciate the steps eEye is taking to provide our mutual customers with mitigation from this vulnerability, as a general rule, customers should obtain security updates from the original software vendor," the spokesperson said.

He said Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsofts security updates are offered in 23 languages simultaneously for all affected versions of the software. "Microsoft cannot provide similar assurance for independent third-party security updates or mitigation tools."

The company said it is open to rolling out the cumulative IE fix as an "out-of-cycle" update if necessary.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Déjà Vu as Third Parties Ship IE Patches
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xmW(Yk&sq^!zMat3=ܕJmH3|y7*I~ˋI9`[RI*UJR Kp4ô1f%c |{ޤ~HΛ7omL#GgPSrD廚wW3]̱;o ;l$R޼;5[gc=ױ}ǣ.&$ftj6?ĵMK.my`MϳXc`B#lǦ,`U[[UxjsfqHf; wjeؘj% =q74BaHO LE&5sؖCY֌`F-S+4u뮡+(R\=P (Px0my-Ӟ=89nAwf_{Jrpٻ_H CK5$;ijI=t{ݳ>~l_\G A:W[YHL~#?jQXJi|h/ Z@ WP u/jzRҏjF-_ J6ԒRoIja>E4b‰XTX;bji_77^'77b٘X^B ZMUH jzb!=ޛ:W۳ۗKiGκ7s!)|rf!5 P\68sUﯭy\߃ _<$=N-rO=,jiTWbݓ6PE$Y-ir޿ =M%%TpܿV G)H,cU|`Ap 2XeMv@So\ш43@_0FD33fIߚ923< MH:ƜUņ]`)ex*}/`I2TE0{PYtBF4 (J""x^3tqA K>BzB7:knڧwݽu޷aYbyƺƻ EHY7-6I0QNmsQUb1xd ,e(oaG&-djˠqaeBݠ#mfw͂@M4iSM~RÜMCͶ_CGs4DAC6V^lѹh$ 47P}HOQI $3p|g0sJ}S@E%-DCs PIdg&S@yOA ΃dromM~(wEnPj>h^0 vhs.ppYY;0@Yqk3B7}hNAJkiiC1).Koe˕F }*@FH6'I#r*BcX"C@#'s [A;B/.VI-RaD8T*nOq$]8cgPT+es㙰RN飲XB ^X// ͙RRdZAU \9yDU#BU`B]ᛦBMam`DݘA,TԠIkB{42u0suy=AZ-,S T0E8Y)0A!&B~`Z&4D 7q9k準IyTXw! 3Ͱ&p_;+owzfr=*SMrfSHږiCUc77BgsݐC/2 W.Y 2cxRUfyRtœ*[3nR6}Uj<§"ǰA@3>`L)^\IIbЙj!@ xl\6ƖuV"k̲X]ۼ/ 7Je_[օV(VJ24@Pٖk ,:WtT0T:T emځbXG(JG.1~/aҵ(&|sŶf*r-md2UQkګY5wld xAqFFlHf >[ Ҋlxku8.`CϱKs='-`sclrgG ǏqpJa e@֨Pbb35.   _ǂ%K e*8t55{qqؿXZ®tՒүh泛vp6}&9QKe!6(#}ji!/V=@C~.T,ƨ'Q?{2,e(,@@rFe9وAٌs\mZ 4Y(p<}"}qVxxO |"=il% m"rIab L$ԫ5t`n`R@:h*ѫSKm[hA yh\>L*oұ@%УCizim~؇J9C!%PPo?EzTƆZ-+FXp~"0yϸoFM]Ch/Op }w/Li4[ߥORz7@gf-!ڜAשUXTex͘ ixT*I'D# w bY sazTfؘ/Y)n'?L!'IC8D"rLΨ|.A pe&~o}ٲITё1kD @nuE-mk:,`{Y0 >AC5"h#L`f0!) =mQJk8ԿCvλWԴ)R+b::>JЯ9צgkӥ ,ć;n#MUaSb/ EvP/56yF؛܇1"ር5TS;Nw T/VJ)XU!bW hĞfvoɲayͤp#o|=|b93@p釛L+ PKQl X@d̬[m#u2m8W~E50>yQU+^ Fb&*T~\{)3p3o]=e6e'^A ^CuIN:ƝcM/&"wl>K3ѺMkls Kq39S"nL|@-'A&'tE=8PB7Xl=["c3۽6,s0υ$*L3 ӪRQu@Z i2Ɂ㚺/k3OSy:fEe@TeH1m9 =EZЊw=]b>_I|SeȓV)+i-T\UEZPz,)b"**j>"wiЊµ7:QP#I?++~Je'Quzb*kZ$}V;{ZR1n=m0VVhW`Zd&\ %\{3iP(Q󹋗A f}R. )3a/t~eguS?֐G te[溋, }~l?<u!&9owޟ0^qwX\/0C~:W_IA`QSszGQ^ٷf K1R^]2~̦׭{醗a ]孀 wsٺy߹/vt/7^\tR1~Zz0W#ApBj]t_(d srn݄ 7b `[&I9D=+k쇤ڝa쐺C toN7XЯzӱB ZOUe | EUk:MwVF Z`!oH}Pi1,{B*q]_>E'2sE6V+*P+bK)"$DY |FN'ݛ' <"9WhEщ=~iV \ |~iў/`o e܃ɼ.WVr['v>>!+Tt㿜YN sze(n2t A\~liԎ(%T \ 'O6l->;8 cd9a(.p$-Zbe^fIlx8eƂL)dJHc%F =)!jII^O Eq ie*ʒ*~I'j'1ۡX#Ҟ֛]6G8 (O krsq^^ҹ|uXd<'x"6TtOy/ +(;8JnM<<ʠ6 GgaF|.şg%>㏆3L!]rE}CZW qW=F{*:kɸ7YM(fh~Z:pCҠcmfO ZACvslK9Orq&}x2HB%O6˶˷kFp7N /f_!σ!%JJMcm @|Ր۰ïh]1y`j}ZOpxqFԱQo*_2%;jߔş1g&o(#ߍn]KNW6o,)  \7?Pg=.B70S/7soK[G+J86[b4-^/t8a8?V#,i4%Vч&L?Ml~rK|\Csbbh1?\r\c.C G-)T<T_#<3˦.i򸘑xOzS@Vll+RL/3, %tn c8$7wO]8k0 y \䏾,?ʪ2|4>~'? Ei0YЋ렳1# ;RY!VdP#2Pq q;>) .kBh@+aZfj1zV[" 6J.+VLlk^i&B?%SREW I“JB-đ HyШzXF^%hԚ8q ɽb6N`[d)9<,apX9տzYݑ7ҫ+Ž 0񦽉I-#6ĚG &l] OwkF-BPb j' ["d8hv۲G[ؐ,^nxBZK0KEx19Gtt=!9Ex? +BXdien8hL[`~9SLj-G 3 ֌gM`9.   W&{bs`m{C x5SNQc LǛIH()~VP!f(A"D#!L܏]Gc~=Jk"jA{.n^V~CR{E3=R3&_x!e+BEſW1lɤ8YۯuƲ7Ikf.f.f.f.exyd6{)Ԗ'r=}vjzYA1!(,)axNJʟqdg';wd?1FS]~`a]IV< w^ǻhlauucÈ{ k!yG1O_(}eƵcD‹pCf|)xv#Ne&y[T&e! 5 v6-j@#jg׳f̦AX*^e֚hݬA@;0eI{;;Kb`9cgP<#G٭D@K+H).Wn/~9e\4rW䪤 Kj2z8rON73cvqo!yiPgU;A+6F1]Iujn7c`W0;:O>50,]{VԹKqRY*C,f#1}ԼD}hzZTcaֈ5aZ(& gSƚi<,~Sh"QR 9p1.jt1~~ycd >&;@wR_]FBأőAKee-+IZtǰMh]^4bdg(à'$Qle"0t<%fRow6,:F\A'"s`_W esެWqiEZ?s,NF!i3Ooq'8@@og/ 2ä۴5,Sզ6l1 ?D~ uM|yx%o啠?$.%>Ah#J;Ew;х {s:^A㻝ʐWT C>1Nƥr PS\(n^AwwF ?vkw-w |PU֌rc]0/ ovpM~_Ht^q/wbDB(lF] 8bogBuu~r,zDm8ѥHX8 Z䀲e̚4!-(!-DȮ naIzŝ@* $v9bNl@`bD&"lZO!/q/d1 Oqy%ǸPFPxIiL!1:MEfIi7H'ܪzB9؛Ip7R ? TjwH/h1 .oؑuUrrꁬU]ͅ> ur +{i|YAC &{z^{n?JE-TۚgIp\tT`;)er}K[RQ`m2Gk쓏|KAl9|q_6znteNw,"P! Į xob6$|@z-y:١; 9S v"m]%Iw+Twof|{Hq -gQ$g\\sj?H\aeI &ʹ{[)k 6g%ۅ]`aiL"&N&099l6}aNEz.M K __ CϪqQ{ZeQ!7TQ bUh5MFhdtkT~#:@)|1U<11t#PjNTL0Y=XCE3NZR>u%Hl~ChM,;s|U:l|%wҥfZ,E17MԤKB`(xÌpWkEG";{|Oh:hTJ5 `m{=~yLfROaLv_ _!ݰ,VI my7R[ $y"ZĮEH#Qչ WEo2!s ;3&>+>9<fK?=4u8 R;'6g<>asH ]W\A4ؙ![:, Yv g6rSͿ:ᘭ#+N1HS*ӛ۟ozʁRB7FDu*Dt02*%"&cP9 xE {>zY}`nOKZ&9a kE$7cCyΔ6"))0G#>CDۣx֭Ӗ xɂR[A}۹flU^(l+wxcFB |\5?ā!htM\"@HP|ӠР=?$~e KL)asSalfV b:>0<(S[]ĝ?]whS4&+ۤ!5> 0>Y K<ɚCfMQpVM 5߇3ɏKKlݜ(8&Sz1It!CK/HFzNsƒHIw'ˈ_`$Bc|EWo^)KR:PJ|+R0b8M{] Y-Eo HRqVнA3'92bg44\C!ݤ@%Ոo1C9ސ9iIqstq{Gm ZOUsNן:WU?wtfYpv>LU%VV/ vgI/P].LOQʩhQ{̥,<% E:wl"8n'z,;'0%lyіU1ű2 /NOoڽ8׆Cz,G>;eQȐ:o}jQx^;oAKe>6s5UoE a׾hI; Uj^*Q^m]9^d ?g f@Pj+# ݌tSi;#O֧~2>?@yg}z4w9Hu2ڇUF:{{ o3KeF/e|e~/?_f2>/>/3y*W!cF9g ~ 0W{s?W0~Wׅw3͐?]/ r qAP: MYC}}Yп[HJ͠[6[ Ku1Az+Z׸pzy=29H䎎3RyUKHϐgU3VG z2:Rz^}VF*话ir]!4bzQJW=k _yڞjVq뭥Mn@KG{2Ph +[ yH\*gل}@CXy#u/'eFW|TCoyq5n2-XѦ^5_9=U2̱hC"F-C*oND2KA1_uQ'?hĻ/LEٞ܃~n7}mv9 #p -Mv\ڎvڝ{f+23vhvdmoCdy\$O܁ϝfţu~2O */HQ5Z %CCs p7z1o󡕵jG܌Ӄ&X'n:Ok5Ai\.׭mўM%diYdiͩ)N(᰾a(xFZ gѥ8 a>4]' h!~5h]pܓa7薉>$MsgCZVrZV5ۑInx?GOs>=1HQ?$`rXT5t(RBT|[W)q84C-p艓<KHP5}o-B?FG&kMྈ1 +ͫYE5/2 {_A1C}fA)7ŕNq1z6d)K83` #Ԧլ~&\͠nC ؒFVUD-=: 1 tأ]$}`»YBD˸fƛ{ԑ}z<8>6%'x-7:\^&uHτ[ԦWiC.SaL,k 5Ь=_︂V'ֈjQ&o,B.:P&G{X`wȼ," DI;JCVas꺼)td+<8 ƾw (<3-c"?mtRy-LGgZv5V\ k,`la5vs ;ĢISgAL @qDz1h_z ,FjbFrl9U j'09]q$f~ -wDnCr'33$ؗJs~lY8=ۚ9t؆,u]3K~әhZHv[OulG@3 dd⁜0ҚsxCċ *|?e!Mt8͡mn(`| Ӽ9^4(NA")1D'E} _2%L\)L/ YF hWa1e;6KLPϰ3 MΡps"c!* x9ONa^|˼+AўYn0w6L5O#]ZDS`Wpۂ{i[eRpCV)tnO苰AVx3NEתs,^rEXջfq?a.*ZF$Wd0 # ߰·- sk29)>-ǝPSGŃ*B@dZU Z 14eo̓gkV"N#g- a5>gvE&z1aX0>c],R?lʢc9bp"0W`o>AsDeU$tCJBى[sR.)C395I }ɦNԌnB2cr =hL$cks3B//|A,rs*r_x7[NbŒ biy dEBt`p8w&ŕ>;?wޘ#{( ?i RW=(u`f˰n#/:0n3`ui\qD"- >5dYPmh.@7\@z !gkYpOoҙůRQ 1ao@I|j$f"͂KڲSeȁB1N%Va2>oϦC /A,_9ism/<.ڷ#l4!6cK /|7X$S oSDsI'Ta>y[tBg7iR7j:0ѕ~ZDY|n]Z#:xw2ׯ405M'wvĔw$nTQ兊&o;}mvs<^ /apC5iΠeWCY6S )}S:G7C5MĄ.`p#"cOcuD>+ڹ0#`ٹ"=.J}cvb+ a'!i@ڏ.LR pp&pJE }tq  'DPB0.$ജLc'8<O$>"*,ɷkLdg-Q'O #j-U-M77vvG#FS 0W[?!^]|J3FNԁ~F$V}<\/d9 лr.H8)\t>jڧM7$AJخxk. S*!&E*f˴Wˆ6K]oR0n}(I76Y0[CǙkXGė $7kQRr{B#_^pI(`̩]ËtD.E}yRf._"yRwon>6zs r<_/Z$#ب$Ugܨh‘OXap7INU mXZqc)IаΞkZe/:+?_>FNPǣkQc:z+־a02dcym'eX %Ke{P%_٣H?+ S^|6W,nVGhJ`5zVpKw%qQxp^}s%І=F~+Hr|[AVa6;6.){u'̣FeJܾdHv]v7GQ% o?DƆA^E{|qpֽKgŧCq^aXi*So۝'݋aJv |