Second unofficial fix plugs IE hole
Another company releases third-party patch for serious flaw in Microsoft browser--but experts say to be cautious.
Determina, which makes intrusion-prevention products, made an unofficial fix for the Microsoft Web browser available on Monday. The release came shortly after eEye Digital Security issued its own temporary patch.
Both fixes are meant to protect Windows PCs against cyberattacks that exploit a recently disclosed IE vulnerability Microsoft has yet to provide an update for. The software maker has not endorsed either fix, saying that as a rule it doesn't recommend installing outside patches.
This is the second time this year that somebody has beaten Microsoft to the punch with a security fix. Last time, security experts supported a patch issued by a European researcher. This time, they are not recommending people apply the unofficial fixes.
Instead, people should follow Microsoft's advice and disable the Active Scripting feature in IE, or simply use a different Web browser, experts said.
"At this point, we do not recommend applying these temporary patches," said Johannes Ullrich, the chief research officer at the SANS Institute. Only those people who need to use Active Scripting in IE should consider adopting an unofficial solution, he said.
The vulnerability has to do with how Internet Explorer handles the "createTextRange()" tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs, according to security company Websense.
Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany, said the security issue with IE is significant, but agreed that a third-party fix is not needed. "I would not apply this patch personally," he said. "As long as you're not using IE, you're safe. If you do use it, you should deactivate Active Scripting."
Active Scripting, also known as ActiveX Scripting, is used to deliver "feature-rich" Web sites that can run small applications. Disabling the component in IE can have an impact on how well Web sites function in the browser.
Heeding the expert advice, Susan Bradley, a network administrator at an accountancy firm in Fresno, Calif., said she is not deploying any unofficial patch. "When any of these third-party patches are considered, one needs to think about supportability. It potentially puts me outside of support," she said.
The eEye and Determina patches block access to the vulnerable component in IE 5 and 6, the most used versions, to try to prevent malicious Web sites from taking advantage of the flaw. Both Determina, based in Redwood City, Calif., and eEye, of Aliso Viejo, Calif., sell intrusion-prevention products.
Microsoft has said it is working on a fix for the browser. That update is currently slated for delivery on April 11, Microsoft's regular monthly patch day. However, the Redmond, Wash., company has said it is considering an earlier release.