IE Patch Still Elusive | eWeek

IE Patch Still Elusive

Écrit par
eWEEK EDITORS
eWEEK EDITORS
Jan 15, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

On a Microsoft security Webcast held Wednesday, participants were more interested in the whereabouts of a patch for a known Internet Explorer spoofing vulnerability than they were in the three new security bulletins that Microsoft released on Tuesday.

During the Webcast, Jeff Jones, senior director of Microsofts Trustworthy Computing initiative, told participants that Microsoft has been working on the IE patch since before Christmas, and it is done. But the testing is not completed for all the various versions of IE for different platforms and in all of the languages supported by Microsoft, he said.

By Microsoft Longhorn evangelist Robert Scobles count, there are more than 400 different IE iterations that need testing.

Once that happens, even if its sooner than Microsofts next slated security-bulletin release slated for Feb. 10, Microsoft will roll out the IE patch separately, Jones said.

A patch could come none too soon. Security experts say that they have seen a spike in phishing attacks after a December security bulletin revealed the IE spoofing exploit.

Phishing attacks involve the use of e-mails that often appear to come from a legitimate e-mail address and usually include links to spoofed Web addresses. The vulnerability in IE allows attackers to use fake Web addresses in IEs address box to obscure the real URL.

/zimages/4/28571.gifSecurity Center Editor Larry Seltzer took a close look at phishing techniques recently.Click hereto read more on the subject.

“When [the vulnerability] was first announced we started to see phishing attacks out in the first three to four days that exploited the vulnerability in IE,” said Dan Maier, the director of marketing for the Anti-Phishing Working Group and a senior product marketing manager at Tumbleweed Communications Corp.

Jones told Webcast attendees that even though Microsoft has yet to issue the IE spoofing patch, it has done a lot of outreach to warn customers about the vulnerability. He said Microsoft posted warnings on its Web site, explaining how to avoid becoming a victim of the spoof.

“I dont read this as them not being serious about security but as them being serious about security and wanting to make sure the fix is appropriate and works for everyone,” Maier said of Microsoft.

While it is important for Microsoft to issue a fix, Maier said, a security patch alone wont solve the problem. A majority of consumers are unlikely to immediately update their versions of IE with the patch, leaving them open to spoofing.

In addition, scammers are using other techniques that already skirt the IE spoofing vulnerability, such as obtaining domain names that are similar to a legitimate one, Maier said.

/zimages/4/28571.gif

Editors Note: This story was updated to include information and comments from Microsoft and security industry experts.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.