Déjà Vu as Third Parties Ship IE Patches

Two well-respected security research companies release unofficial hotfixes to provide temporary protection for the code execution browser flaw, but Microsoft does not sanction the use of the patches.

Two well-respected Internet security companies have shipped unofficial patches for a critical flaw in Microsofts Internet Explorer browser a full two weeks before the software makers scheduled release of a comprehensive update.

With a wave of zero day attacks underway, eEye Digital Security and Determina offered separate hotfixes to provide temporary protection for IE users, but experts warn that the third-party patches carry a "buyer beware" tag.

As a general rule, Microsoft never recommends third-party updates because, without rigorous quality assurance testing, it is impossible to know what impact the unofficial fix might have on applications mandated in regulated industries or in-house applications.

Earlier this year, at the height of the WMF malware attacks, reverse-engineering guru Ilfak Guilfanov created a temporary patch that was recommended by experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure.

This time around, the SANS Storm Center is not recommending the temporary patch. In a diary entry, chief research officer Johannes Ullrich said the Microsoft-sanctioned workaround to turn off Active Scripting is sufficient to mitigate the risk from an attack.

However, eEyes co-founder and chief hacking officer Marc Maiffret said some IE users may experience problems on legitimate Web sites that require Active Scripting. "Our patch is not meant to replace the one Microsoft will release. Its only temporary protection and were recommending it as a last-resort for people who need to have Active Scripting enabled," Maiffret said in an interview with eWEEK.

He said eEyes hotfix will automatically uninstall itself when Microsoft ships the official update.

"We got a lot of requests from customers and IE users asking for advice and when we saw that Microsoft wasnt planning to release a patch until April 11, we decided to do an in-memory patch of the affected code, much like Microsoft would do," he explained.

"[Our patch] fixes the specific vulnerability itself. Its not going to break any of the JavaScript functionality unless its a Web site thats being specifically malicious," Maiffret said. "You cant have people without protection for 16 more days when an attack is underway."

Alexander Sotirov, chief reverse engineer on the security research team at Determina, said his companys fix was released with full source code for all versions of IE 5.01 and IE6.

"The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key," Sotirov wrote in a message posted to security mailing lists. He said the DLL fixes the bug by patching a single byte in MSHTML.DLL when it is loaded in memory. "This change makes the createTextRange() function return an error code instead of returning 0. This exactly how the problem was fixed in the latest IE7 beta from March 20," Sotirov explained.


Is outsourcing e-mail security right for your organization? Ziff Davis Media eSeminars invites you to learn about the security and management challenges facing e-mail technology implementers and decision makers from Tumbleweed on March 28 at 2 p.m. ET.

eEyes Maiffret criticized Microsoft for downplaying the severity of the exploits, which has been described as "limited in scope."

"Its disappointing that Microsoft says the threat isnt big because its only been found on 200 URLs. Why are they thinking about these attacks like they think about network worms? The risk of the quiet, targeted attack is very, very high and this should be an emergency situation for Microsoft," said Maiffret, who regularly shares information on flaw discoveries with the software vendor.

"Thats the bigger point that people are missing. Its not about eEye or someone else releasing an unofficial patch. The bigger issue is that Microsoft isnt equipped with the ability to protect customers from zero-days. Why should customers sit around for weeks when attacks are underway?" Maiffret said.

A spokesperson for Microsoft described eEyes patch as a "third-party mitigation tool" that does not address the original vulnerability but instead appears to serve as an additional mitigation to block the attack vector that Web sites might use to implement an attack.

"While Microsoft can appreciate the steps eEye is taking to provide our mutual customers with mitigation from this vulnerability, as a general rule, customers should obtain security updates from the original software vendor," the spokesperson said.

He said Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsofts security updates are offered in 23 languages simultaneously for all affected versions of the software. "Microsoft cannot provide similar assurance for independent third-party security updates or mitigation tools."

The company said it is open to rolling out the cumulative IE fix as an "out-of-cycle" update if necessary.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.