IE Patch Still Elusive

UPDATED: Microsoft officials said the company is still testing a security fix for a spoofing hole in its browser that exposes users to Net scammers.

On a Microsoft security Webcast held Wednesday, participants were more interested in the whereabouts of a patch for a known Internet Explorer spoofing vulnerability than they were in the three new security bulletins that Microsoft released on Tuesday.

During the Webcast, Jeff Jones, senior director of Microsofts Trustworthy Computing initiative, told participants that Microsoft has been working on the IE patch since before Christmas, and it is done. But the testing is not completed for all the various versions of IE for different platforms and in all of the languages supported by Microsoft, he said.

By Microsoft Longhorn evangelist Robert Scobles count, there are more than 400 different IE iterations that need testing.

Once that happens, even if its sooner than Microsofts next slated security-bulletin release slated for Feb. 10, Microsoft will roll out the IE patch separately, Jones said.

A patch could come none too soon. Security experts say that they have seen a spike in phishing attacks after a December security bulletin revealed the IE spoofing exploit.

Phishing attacks involve the use of e-mails that often appear to come from a legitimate e-mail address and usually include links to spoofed Web addresses. The vulnerability in IE allows attackers to use fake Web addresses in IEs address box to obscure the real URL.

/zimages/4/28571.gifSecurity Center Editor Larry Seltzer took a close look at phishing techniques recently. Click here to read more on the subject.

"When [the vulnerability] was first announced we started to see phishing attacks out in the first three to four days that exploited the vulnerability in IE," said Dan Maier, the director of marketing for the Anti-Phishing Working Group and a senior product marketing manager at Tumbleweed Communications Corp.

Jones told Webcast attendees that even though Microsoft has yet to issue the IE spoofing patch, it has done a lot of outreach to warn customers about the vulnerability. He said Microsoft posted warnings on its Web site, explaining how to avoid becoming a victim of the spoof.

"I dont read this as them not being serious about security but as them being serious about security and wanting to make sure the fix is appropriate and works for everyone," Maier said of Microsoft.

While it is important for Microsoft to issue a fix, Maier said, a security patch alone wont solve the problem. A majority of consumers are unlikely to immediately update their versions of IE with the patch, leaving them open to spoofing.

In addition, scammers are using other techniques that already skirt the IE spoofing vulnerability, such as obtaining domain names that are similar to a legitimate one, Maier said.


Editors Note: This story was updated to include information and comments from Microsoft and security industry experts.