TMCnet News
Security firms rush to fill a vacuum created by Redmond.(www.internetnews.com Via Thomson Dialog NewsEdge) The release of two third-party patches to fix serious security holes in the Internet Explorer browser is a "side-effect of Microsoft not being able to protect its users," according to Marc Maiffret, an executive of one of the companies releasing free security software this week. EEye says its free patch has been downloaded more than 63,000 times since becoming available Monday. The software addresses what Maiffret, the firm's co-founder, in a statement called a "critical vulnerability that needs to be addressed immediately." Maiffret said since the vulnerability became public last week, hundreds of Web sites have included code that exploits the hole in how IE processes the "createTextRange()" tag. On the heels of eEye's patch, another unofficial solution came from Determina , a Redwood City, Calif.,security company. The patches come just months after the last third-party fix for a Microsoft flaw was adopted. January, Russian software developer Ilfak Guilfanov offered a patch to solve a hole in Windows Metafile (WMF). The third-party solution was adopted by SANS and security firm F-Secure. At one point, the crush of people attempting to download the patch crashed the software developer's Web site. Microsoft, for its part, Tuesday updated its security advisory , noting it has "confirmed new public reports of a vulnerability" in IE. software giant said a cumulative patch is on schedule for April1, "or sooner as warranted." "If it were up to Microsoft, you would be vulnerable for 16 days," Maiffret said. Microsoft's patching schedule "is not timely enough." The eEye and Determina patches are meant as temporary fixes and are designed to stop working once Microsoft's official patch is released. SANS Institute isn't endorsing the non-Microsoft IE fixes. The patches are not necessary now because there are sufficient workarounds, Johannes Ullrich, chief research officer, told internetnews.com . Ullrich said during the WMF security flap, his organization recommended a third-party patch because exploitation was widespread and there was no reasonable workaround. However, recommending an outside patch carries a risk. "Each patch (official or not) has a chance to 'blow up' and cause unintended side effects," Ullrich said. The real problem, according to the security researcher, isn't whether or not to apply a third-party patch, but when will Microsoft release an official fix. "Even a 'beta patch' would be better, as Microsoft would at least be able to consider it as they roll out the final patch," according to Ullrich. In a related move, Microsoft has created a public database for IE feedback where bugs may be reported. A Microsoft blog explained the database is not for security issues and uses the software maker's Microsoft Connect site. You must have a Microsoft Passport account to access the IE bug reporting site. Will a public database, such as the open-source Bugzilla, improve IE? "In this case, its more of wishful thinking on Microsoft's part," Maiffret said. The security exec says getting security issues addressed has caused independent researchers to have a "falling out" with Microsoft. Looking back at how Microsoft reacted to this latest round of zero-day vulnerabilities, Maiffret said: "Hopefully, it won't take many more attacks for Microsoft to act." Internet.com Corp. Copyright 2003 Jupitermedia Corp. All rights reserved. Republication and redistribution of Jupitermeida Corp. content is Expressly prohibited without the prior written consent of Jupitermedia Corp.. Jupitermedia Corp., shall not be liable for any errors or delays in the Content, or for any actions taken in reliance thereon. |