Third Party IE Patches Step Around Microsoft
The release of two third-party patches to fix serious security holes in the Internet Explorer browser is a "side-effect of Microsoft not being able to protect its users," according to Marc Maiffret, an executive of one of the companies releasing free security software this week.
EEye says its free patch has been downloaded more than 63,000 times since becoming available Monday. The software addresses what Maiffret, the firm's co-founder, in a statement called a "critical vulnerability that needs to be addressed immediately."
Maiffret said that since the vulnerability became public last week, hundreds of Web sites have included code that exploits the hole in how IE processes the "createTextRange()" method.
On the heels of eEye's patch, another unofficial solution came from Determina, a Redwood City, Calif., security company.
The patches come just months after the last third-party fix for a Microsoft flaw was adopted.
In January, Russian software developer Ilfak Guilfanov offered a patch to close a hole in Windows Metafile (WMF) handling. The third-party solution was endorsed by SANS and security firm F-Secure. At one point, the crush of people attempting to download the patch crashed the software developer's Web site.
Microsoft, for its part, Tuesday updated its security advisory, noting it has "confirmed new public reports of a vulnerability" in IE.
The software giant said a cumulative patch is on schedule for April, "or sooner as warranted."
"If it were up to Microsoft, you would be vulnerable for 16 days," Maiffret said. Microsoft's patching schedule "is not timely enough."
The eEye and Determina patches are meant as temporary fixes and are designed to stop working once Microsoft's official patch is released.
The SANS Institute isn't endorsing the non-Microsoft IE fixes. The patches are not necessary now because sufficient workarounds exist, Johannes Ullrich, SANS chief research officer, told internetnews.com.
Ullrich said during the WMF security flap, his organization recommended a third-party patch because exploitation was widespread and there was no reasonable workaround. However, recommending an outside patch carries a risk.
"Each patch (official or not) has a chance to 'blow up' and cause unintended side effects," Ullrich said.
The real problem, according to the security researcher, isn't whether or not to apply a third-party patch, but when will Microsoft release an official fix.
"Even a 'beta patch' would be better, as Microsoft would at least be able to consider it as they roll out the final patch," according to Ullrich.
Microsoft has created a public database, but it's for feedback on the IE 7 browser, which is in beta testing.
A Microsoft blog explained that the database is not for security issues and that it runs on the software maker's Microsoft Connect site. You must have a Microsoft Passport account to access the IE bug reporting site.
Will a public database, such as the open-source Mozilla Bugzilla site, improve IE?
"In this case, it's more of wishful thinking on Microsoft's part," Maiffret said. The security exec says the difficulty of getting security issues addressed has caused independent researchers to have a "falling out" with Microsoft.
Looking back at how Microsoft reacted to this latest round of zero-day vulnerabilities, Maiffret said: "Hopefully, it won't take many more attacks for Microsoft to act."