Third Party Offers Patch for IE Hole

By Nate Mook, BetaNews

March 28, 2006, 11:16 AM

While Microsoft debates whether to release a critical update for Internet Explorer before the next Patch Tuesday on April 11, security firm eEye Digital Security has released its own patch. The flaw, discovered last week, puts IE users at risk of code execution simply by visiting a malicious Web site.

A problem exists in how IE interprets the "createTextRange()" method used for radio button controls in HTML forms. From there, the flaw can be exploited to allow program flow to be redirected to the heap. When this occurs, the attacker can then exploit the vulnerability to execute code on an affected computer.

The vulnerability has been given a high severity rating by a number of security firms including eEye, which recommends that users disable Active Scripting from within Internet Explorer. However, the company is also offering a temporary patch for those organizations that require the feature.

The downloadable fix from eEye blocks access to the component within IE that is vulnerable, preventing malicious sites from exploiting the problem to install a backdoor or other malware.

"This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," eEye says in its advisory. "Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released."

eEye released a similar unofficial patch following the discovery of a security vulnerability in Windows Meta File (WMF) image handling last December. The high-profile flaw and subsequent exploits forced Microsoft to release an official fix out of schedule.

However, the new flaw appears to be much less widespread, according to Microsoft, and other security firms are not recommending eEye's fix. eEye initially held back the source code to the patch, but later posted it online following criticism by security experts.

Microsoft says it is "actively keeping an eye on any attempts to utilize this in an attack" and will release a patch sooner if deemed necessary. It recommends that users wait for the official update or disable Active Scripting entirely.

"We cannot recommend third party solutions that modify the way the product itself operates," said Mike Reavey from Microsoft's Security Response Center. "The reason is really around the fact that we carefully review and test our security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility."

"Customers of course can weigh the risk of deploying a third party 'patch' but it's unclear what impact this will have on the system," Reavey added.