
IE fix mends flawed open-source patch

An open-source patch for Internet Explorer has been reissued, because the original contained a security flaw that was potentially more damaging than the one it aimed to fix.

Munir Kotadia Special to CNET News
A Web site that published a third-party patch to fix a security hole in Microsoft's Internet Explorer has had to reissue the patch, after the original was found to be flawed.

Openwares.org published the second patch Saturday, after the first was found to contain a buffer overflow vulnerability. That flaw, which could have allowed an attacker to take control of a patched PC, might have been far more damaging than the one the patch aimed to fix.

According to Openwares, only about 6,500 people downloaded the original patch. Security experts with whom ZDNet spoke last week warned people against installing it, saying that, aside from trust issues, the patch author would not have had access to IE source code and that the patch could interfere with future updates from Microsoft.

Representatives from Microsoft were not available for comment Monday.

The IE vulnerability, which was first reported in late November, allows a browser to display one URL in the address bar while the page that's being viewed is actually hosted elsewhere, making the user more susceptible to ruses like "phishing," in which spoof e-mails direct people to fake Web sites that seem to belong to legitimate companies. However, Openwares' first fix, which worked by filtering out any URLs containing suspicious characters, would work only with addresses that were fewer than 256 bytes long. Longer addresses produced a buffer overflow.
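As an added illustration, not Openwares' code (which the article does not reproduce), the following C shows the shape of the bug the article describes: a URL filter that copies its input into a fixed 256-byte stack buffer before scanning it, beside a version that scans the caller's string in place so length no longer matters. The set of "suspicious" bytes (C0 control bytes and an "@" in the host part of the URL) and the percent-decoding step are assumptions made for this example; the article says only that the patch filtered "suspicious characters".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed definition of a "suspicious" byte for this example:
 * ASCII control bytes, which an address bar may render as nothing. */
static bool is_suspicious_byte(unsigned char c)
{
    return c < 0x20 || c == 0x7f;
}

/* Returns true if there is an '@' in the authority part (between "://" and
 * the first '/', '?' or '#'), i.e. a userinfo prefix ahead of the real host. */
static bool has_userinfo_at(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return false;              /* no authority part to inspect */
    for (p += 3; *p && *p != '/' && *p != '?' && *p != '#'; p++)
        if (*p == '@')
            return true;
    return false;
}

/* VULNERABLE form (the pattern the article describes): the URL is copied into
 * a 256-byte stack buffer with no length check. Any input of 256 bytes or more
 * overruns buf, a classic stack-based buffer overflow. Returns 1 = allow, 0 = reject. */
int url_is_safe_vulnerable(const char *url)
{
    char buf[256];
    strcpy(buf, url);                          /* overflow when strlen(url) >= 256 */
    if (has_userinfo_at(buf))
        return 0;
    for (size_t i = 0; buf[i] != '\0'; i++)
        if (is_suspicious_byte((unsigned char)buf[i]))
            return 0;
    return 1;
}

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* HARDENED form: walks the caller's string without copying it, so there is no
 * fixed-size buffer to overflow, and decodes %XX escapes as it goes so that a
 * percent-encoded control byte or '@' is caught as well as a raw one
 * (a filter on raw characters alone is trivially bypassed by encoding). */
int url_is_safe(const char *url)
{
    size_t len = strlen(url);
    size_t i = 0;
    bool in_authority = false;
    const char *scheme_end = strstr(url, "://");
    if (scheme_end != NULL) {
        i = (size_t)(scheme_end - url) + 3;
        in_authority = true;
    }
    for (; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '%' && i + 2 < len) {         /* decode %XX if both digits are hex */
            int hi = hexval(url[i + 1]), lo = hexval(url[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)(hi * 16 + lo);
                i += 2;
            }
        }
        if (is_suspicious_byte(c))
            return 0;
        if (in_authority) {
            if (c == '/' || c == '?' || c == '#')
                in_authority = false;
            else if (c == '@')
                return 0;
        }
    }
    return 1;
}

/* Demonstration helper: builds a benign URL of exactly `len` bytes
 * ("http://www.example.com/aaaa...") and runs it through the hardened filter.
 * Returns the filter result, or -1 if len is too short to hold the prefix. */
int hardened_accepts_length(size_t len)
{
    const char *prefix = "http://www.example.com/";
    size_t pl = strlen(prefix);
    if (len < pl)
        return -1;
    char *u = malloc(len + 1);
    if (u == NULL)
        return -1;
    memcpy(u, prefix, pl);
    memset(u + pl, 'a', len - pl);
    u[len] = '\0';
    int r = url_is_safe(u);
    free(u);
    return r;
}

int main(void)
{
    /* Constructed sample inputs for the example. */
    printf("plain URL:        %d\n", url_is_safe("http://www.example.com/login"));
    printf("userinfo '@':     %d\n", url_is_safe("http://www.example.com@198.51.100.7/"));
    printf("encoded ctrl byte:%d\n", url_is_safe("http://www.example.com%01/"));
    printf("4096-byte URL:    %d\n", hardened_accepts_length(4096));
    return 0;
}
```

The vulnerable form is only ever called on short input here; feeding it a 256-byte URL would corrupt the stack, which is exactly the failure the article reports. Note also that the hardened version rejects `%40` in the host part just as it rejects a literal `@`, since it checks the decoded byte.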

Openwares' administrator said: "The new version has been rewritten and tested by dozens of users who helped out. If you're unsure, look at the new source code for yourself."

By early morning Monday, there had been 2,500 downloads of the new patch. However, this is a minute fraction of IE users, who make up more than 90 percent of the Internet population.

Microsoft has still not released a fix for the IE problem or given any indication as to when one might be available. In October, the Redmond, Wash., software maker adopted a policy of releasing only one patch each month, but it has already announced that it will be skipping its December release; IE is expected to remain vulnerable until at least mid-January.

Earlier in December, weeks after the IE flaw was discovered, Iain Mulholland, a security program manager at Microsoft, said the company was putting heavy emphasis on increasing the quality of its patches and that the approach has had an effect on the timing of releases. "It is not that we are not doing anything; it's just that we don't have a patch ready in the pipeline," he said.

Normally, spending one or two months developing a patch would go unnoticed, because security flaws are usually reported to Microsoft long before they are made public. In this case, however, the software giant did not get any advance notice.

"They put Microsoft's nose out of joint by publishing it, rather than telling Microsoft first and keeping quiet for the requisite six weeks," said Graham Titterington, a principal analyst at U.K. consulting company Ovum.

Munir Kotadia of ZDNet UK reported from London. CNET News.com's Robert Lemos contributed to this report.