Unofficial patches out for IE flaw

Some security firms ran out of patience with Microsoft on Monday, releasing their own patches for the recently disclosed CreateTextRange() vulnerability in Internet Explorer (IE).

eEye Digital Security and Determina released unofficial fixes, with both companies echoing earlier reports of a substantial number of malicious sites taking advantage of the flaw.

If a malicious site exploits the flaw, it can execute code and use the PC as a bot for distributed denial of service (DDoS) attacks.

"Currently, there have been numerous reports of this vulnerability being used on various websites in attempts to install spyware and remote control 'bot' software for use in DDoS attacks," according to eEye's security alert.

The SANS Institute's Internet Storm Center said Monday that at least 200 sites were taking advantage of the flaw.

Stephen Toulouse, head of the Microsoft Security Response Center, said on a company blog Monday that researchers were working long hours on a patch. It could be released on April's Patch Tuesday (April 11), he said, adding that, so far, Microsoft is only aware of limited attacks.

However, Johannes Ullrich, posting on the Internet Storm Center's website, cautioned users not to rush to install the temporary patch.

"The workaround, to turn off active scripting and to use an alternative browser, is sufficient at this point. We have not been able to vet the patch. However, source code is available for the eEye patch, so you can do it yourself. Determina has not released source code at this point," he said. "Exploit attempts are so far limited. But this could change at any time."

Ullrich said the unofficial patches could be used in a limited number of cases, urging users to test the patch before installing it or contact Redmond, adding, "Microsoft may not be aware of the importance of security to its customers."

He also predicted Microsoft would release a patch for the IE flaw early – marking the company's second emergency release of the year.

"We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within two days if needed," said Ullrich. "Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments."

Microsoft released its January patch early after a Windows metafile (WMF) flaw gained national media attention.