March 28, 2006 1:29 PM PST

Second unofficial fix plugs IE hole

Another company has released a third-party patch for a serious flaw in Internet Explorer, as experts warn users to be cautious with non-Microsoft fixes.

Determina, which makes intrusion-prevention products, made an unofficial fix for the Microsoft Web browser available on Monday. The release came shortly after eEye Digital Security issued its own temporary patch.

Both fixes are meant to protect Windows PCs against cyberattacks that exploit a recently disclosed IE vulnerability for which Microsoft has yet to provide an update. The software maker has not endorsed either fix, saying that as a rule it doesn't recommend installing outside patches.

This is the second time this year that somebody has beaten Microsoft to the punch with a security fix. Last time, security experts supported a patch issued by a European researcher. This time, they are not recommending people apply the unofficial fixes.

Instead, people should follow Microsoft's advice and disable the Active Scripting feature in IE, or simply use a different Web browser, experts said.

"At this point, we do not recommend applying these temporary patches," said Johannes Ullrich, the chief research officer at the SANS Institute. Only those people who need to use Active Scripting in IE should consider adopting an unofficial solution, he said.

The vulnerability has to do with how Internet Explorer handles calls to the "createTextRange()" method in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs, according to security company Websense.

Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany, said the security issue with IE is significant, but agreed that a third-party fix is not needed. "I would not apply this patch personally," he said. "As long as you're not using IE, you're safe. If you do use it, you should deactivate Active Scripting."

Active Scripting, also known as ActiveX Scripting, is used to deliver "feature-rich" Web sites that can run small applications. Disabling the component in IE can have an impact on how well Web sites function in the browser.
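The workaround the experts recommend above can be applied and verified from the registry rather than by clicking through Internet Options. The script below is an added example, not from the article or from Microsoft; it uses the per-user Internet zone setting (zone 3, URL action value "1400", where 0 = Enable, 1 = Prompt, 3 = Disable), and the function names are this example's own.

```powershell
# Added example: disable IE Active Scripting for the Internet zone (per user)
# and read the state back. Zone 3 is the Internet zone; value "1400" is the
# Active Scripting URL action; 0 = Enable, 1 = Prompt, 3 = Disable.
# Function names are hypothetical; a Group Policy setting under HKLM can
# override this per-user value.
$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'

function Get-ActiveScriptingState {
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (IE built-in default applies)' }
    switch ($item.$ValueName) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($($item.$ValueName))" }
    }
}

function Set-ActiveScriptingState {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$State)
    $code = @{ Enable = 0; Prompt = 1; Disable = 3 }[$State]
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    # DWORD value; -Force overwrites an existing entry
    New-ItemProperty -Path $ZonePath -Name $ValueName -Value $code -PropertyType DWord -Force | Out-Null
}

Write-Host "Before: $(Get-ActiveScriptingState)"
Set-ActiveScriptingState -State 'Disable'
Write-Host "After:  $(Get-ActiveScriptingState)"
```

Run `Set-ActiveScriptingState -State 'Enable'` to restore the default once the official update is installed; sites that depend on scripting will misbehave while it is disabled, as the article notes.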

Heeding the expert advice, Susan Bradley, a network administrator at an accountancy firm in Fresno, Calif., said she is not deploying any unofficial patch. "When any of these third-party patches are considered, one needs to think about supportability. It potentially puts me outside of support," she said.

The eEye and Determina patches block access to the vulnerable component in IE 5 and 6, the most used versions, to try to prevent malicious Web sites from taking advantage of the flaw. Both Determina, based in Redwood City, Calif., and eEye, of Aliso Viejo, Calif., sell intrusion-prevention products.

Microsoft has said it is working on a fix for the browser. That update is currently slated for delivery on April 11, Microsoft's regular monthly patch day. However, the Redmond, Wash., company has said it is considering an earlier release.

What these so called 'experts' should be warning people about:
Using an alternative browser. It is the single most effective way for the general population and businesses to protect themselves.

I have a hard time coming up with a single Microsoft product that hasn't caused more harm than good. Only Microsoft Office spreads macro viruses; no other Office product has these issues. Most e-mail viruses are referred to as Microsoft Outlook or Exchange viruses. (LookOut! and Virus Exchange) There are no Eudora viruses, no Thunderbird viruses, no GroupWise viruses. Thanks to Microsoft we can't even view a picture on a Microsoft platform without fear of viruses. What's next out of Redmond, a text file based virus?
Posted by aabcdefghij987654321 (1721 comments )
All Software is Vulnerable
All software is vulnerable to attack. You can't have a completely invulnerable system that's connected to the internet. As soon as you open your computer to the internet, it's vulnerable to attack. It's true for all systems including Mac, Linux, and Windows.

Hackers (black-hat) make the viruses not Microsoft. Microsoft is the most visible software company since it has about 95% market share, which is probably why viruses are created to target their software. The purpose of a virus is to spread and cause as much damage as it can. Logically, they target the software that they can do the most widespread damage. Since Microsoft has 95% market share, it makes them a big fat target.

No one doubts that existing Microsoft products are buggy and have lots of holes in them, but it's the criminals that are responsible for all of these attacks not Microsoft.

It doesn't matter really since IE6 is on its way out and IE7 promises to be much more secure.
Posted by rderveloy (16 comments )
Just installed Firefox...
I just installed Firefox today and, security aside, it's just faster and better than IE. (I have a lowly dial-up connection)
Posted by john55440 (1020 comments )
Good idea
That's really the best way of patching IE -
installing another browser.
Posted by Jackson Cracker (272 comments )
Monocultures are always a bad thing, whether in nature or software. African cheetahs are so inbred that every one is virtually identical to every other. A bacterium or virus that kills one will kill all of them.

Microsoft's success in getting most of the world to run its OS has created a software monoculture. As a result, viruses, trojans and other exploits that would only affect a few machines in a more heterogeneous IT infrastructure, end up propagating across millions of machines.

We need more people running different OSs and different applications. Diversity is the key to a robust IT immune system.
Posted by JFDMit (180 comments )